Hi again, okay, so definitely mod_evasive or fail2ban would have solved the problem, as there should be more than 2400 requests by each single IP address. Evasive can handle this.

On the other hand, it should not be a lot of magic to write a rule to drop all traffic which does not fit your naming style, but as this would solve your problem only, I guess we should not code it into the core rules, as style is different from user to user. Maybe you can also think about a string-match rule inside of iptables. The 20 MBit traffic would hit your Apache system anyway, even if it is only the modules. I would say, place an Nginx proxy in front of it, enable fail2ban on the proxy server and you will be much safer than now. Also strange in my mind, 1.2 Mio requests in 20 minutes are only 1000 a second. Maybe you should rethink your design also. As an important website you should have load balanced your webservers, and so at least 3 of the webservers should handle much more than 500 requests each. I have built nginx webforwarders (php based redirecting logic) which currently handle 1000 requests per second each in peak time.

Cheers

On Tue, Oct 28, 2014 at 3:00 PM, Chaitanya Kumar Tummalapalli <ctummalapa...@qatarairways.com.qa> wrote:
> Hello Joerg,
>
> Thanks for your reply.
>
> In our analysis of access logs the attacker has used 436 IPs (botnets) to generate this 1.2 million requests with random number queries, within 20 minutes' time.
>
> So on an average we have got 2750 requests from one single IP.
> Our web site which was under attack has a maximum of 45 valid known query strings, and anything beyond them can be treated as spurious, like below:
>
> 122.226.28.22, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?953341233 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
> 120.28.113.179, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?2110115717 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
> 93.183.239.56, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-404454353 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1"
> 221.178.236.122, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-304549227 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
> 117.25.192.227, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1186515202 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1"
> 60.174.55.148, 23.212.108.70, 2.18.243.13 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-16740259 HTTP/1.1" 200 2797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
> 218.63.78.48, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-441220308 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
> 183.63.45.186, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1330852491 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
> 213.148.184.156, 23.212.108.63, 2.18.243.13 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1092903431 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
> 61.133.234.21, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1925985494 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02"
> 125.74.189.77, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?1261388031 HTTP/1.1" 200 2797 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 3.5.30729)"
>
> A valid query string will look like this:
>
> 82.79.99.142, 81.196.26.231, 80.239.171.212 - - [28/Oct/2014:16:56:01 +0300] "GET /index.html?q=ro/en HTTP/1.1" 200
>
> So can we think of a rule which drops requests like /index.html?953341233? Or can it be achieved by mod_evasive? Sorry, I'm new to mod_evasive. Could you please elaborate on how to use it.
>
> Chaitanya Kumar Tummalapalli
> TS Controller
> Information Technology
> M: (+974) 3369-0915 | P: (+974) 4022-7486 | ctummalapa...@qatarairways.com.qa
>
> From: Joerg Stephan [mailto:joerg.step...@owasp.org]
> Sent: 28 October 2014 4:34 PM
> To: Chaitanya Kumar Tummalapalli
> Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] Require Mod_Security rule for preventing random query string DOS attacks
>
> Good $localtime,
>
> how many queries have been done by a single ip address?
>
> In my opinion, when it comes to HTTP flooding we will have a problem adjusting the rules, cause it will be hard to determine if it is a valid request or not. In such cases I would prefer using mod_evasive or fail2ban.
> Just my 2 cents
>
> Kind regards
>
> Joerg
>
> On Tue, Oct 28, 2014 at 11:59 AM, Chaitanya Kumar Tummalapalli <ctummalapa...@qatarairways.com.qa> wrote:
>> Hello,
>>
>> We faced a DDOS attack on our web site very recently. The nature of the attack is an HTTP flood attack which raised our bandwidth utilization from 2 MBPS to 20 MBPS.
>>
>> We have CDN edge caching servers for content delivery to the end user.
>>
>> There are around 1.2 million requests made to the Apache web server in 20 minutes with one specific pattern.
>>
>> For ex: http://www.abc.com/index.html?~77462375
>>
>> The request is appended with a query string with a random sequence number. The website usually responds with the default page for every such request.
>>
>> But within no time the web servers' resources got exhausted and they were unable to respond, leading to total downtime.
>>
>> I have attached a white paper which describes similar attacks to the one we have undergone.
>>
>> We need a rule from mod_security CRS which can defend against the attack and drop such kind of requests.
>>
>> Regards,
>> Chaitanya
>>
>> Qatar Airways - Proud member of the oneworld alliance.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
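As an added illustration of the filtering logic discussed in this thread (this is not code from the list, from Joerg or from Chaitanya): a small Python script that parses the access-log lines quoted above, treats the first address in the CDN's forwarded chain as the client, marks any /index.html request whose query string is not on an allowlist as spurious, and flags clients that send more than a threshold of such requests inside a sliding time window. That per-client counting is the same thing mod_evasive or a fail2ban jail does; the allowlist regex (only the `q=xx/yy` form seen in the one valid example), the burst from 198.51.100.7 and the thresholds are assumptions constructed for the demo, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log line as written behind a CDN: the first field is a comma-separated
# chain of addresses (client first, then the edge/proxy hops), not a single IP.
LOG_RE = re.compile(
    r'^(?P<ips>[\d., ]+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Allowlist of legitimate query strings. Assumption: only the "q=xx/yy" form
# from the valid example in the thread; a real site would enumerate all 45 known ones.
VALID_QUERY_RE = re.compile(r'^q=[a-z]{2}/[a-z]{2}$')

# Constructed sample log: four attacker lines copied from the thread (user agents
# shortened), the one valid line, and a constructed burst from 198.51.100.7
# (a documentation address) to show the threshold firing.
SAMPLE_LOG = [
    '122.226.28.22, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?953341233 HTTP/1.1" 200 2797 "-" "Mozilla/5.0"',
    '120.28.113.179, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?2110115717 HTTP/1.1" 200 2797 "-" "Mozilla/5.0"',
    '93.183.239.56, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-404454353 HTTP/1.1" 200 2797 "-" "Mozilla/5.0"',
    '60.174.55.148, 23.212.108.70, 2.18.243.13 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-16740259 HTTP/1.1" 200 2797 "-" "Mozilla/4.0"',
    '82.79.99.142, 81.196.26.231, 80.239.171.212 - - [28/Oct/2014:16:56:01 +0300] "GET /index.html?q=ro/en HTTP/1.1" 200 2797 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7, 23.212.108.67 - - [21/Oct/2014:10:00:{26 + i:02d} +0300] '
    f'"GET /index.html?{-1186515202 + i} HTTP/1.1" 200 2797 "-" "Mozilla/5.0"'
    for i in range(6)
]


def parse_line(line):
    """Split one log line into client IP, timestamp, path, query and status.
    Returns None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "client": m.group("ips").split(",")[0].strip(),  # first hop is the real client
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def is_spurious(path, query):
    """True for an /index.html request whose query string is not on the allowlist."""
    if path != "/index.html" or query == "":
        return False
    return VALID_QUERY_RE.match(query) is None


def classify(lines):
    """Count requests as spurious, valid (allowlisted index.html query) or other."""
    counts = {"spurious": 0, "valid": 0, "other": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == "/index.html" and rec["query"]:
            counts["spurious" if is_spurious(rec["path"], rec["query"]) else "valid"] += 1
        else:
            counts["other"] += 1
    return counts


def flag_clients(lines, threshold, window=timedelta(seconds=60)):
    """Return {client_ip: total_spurious} for every client that sent at least
    `threshold` spurious requests within any `window`-long sliding interval."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_spurious(rec["path"], rec["query"]):
            hits[rec["client"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    for ip, n in flag_clients(SAMPLE_LOG, threshold=5).items():
        print(f"block candidate: {ip} ({n} spurious requests)")
```

Run against a real access log, the flagged addresses are what a fail2ban action would feed to iptables; the `is_spurious` check on its own is the condition a WAF rule would test per request, and keeping it as an allowlist rather than a blocklist of numeric patterns is what makes it hold up when the attacker changes the random-query format.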