Chaitanya,
The regular expression used in the last SecRule is looking for between 8 and 10 
digit characters - http://www.regexper.com/#%5E%5C-%3F%5Cd%7B8%2C10%7D%24.  
This was based on the data sample you provided below from the Apache access 
logs.  The example you showed in your last email only showed 7 digits.  You 
would therefore need to adjust the final rule regex to be this -

@rx ^\-?\d{7,10}$

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Chaitanya Kumar Tummalapalli <ctummalapa...@qatarairways.com.qa>
Date: Wednesday, October 29, 2014 5:19 AM
To: Ryan Barnett <rbarn...@trustwave.com>
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org, Joerg Stephan <joerg.step...@owasp.org>
Subject: RE: [Owasp-modsecurity-core-rule-set] Require Mod_Security rule for preventing random query string DOS attacks

Hello Ryan,

Thanks a lot for your reply.

I tried using the rule. I have placed these three lines in 
modsecurity_crs_10_config.conf without the execute action.

But no luck; the rule is not dropping requests like index.html?~5678788.

I'm a novice to mod_security, hence not conversant enough to tweak the rule.

Chaitanya Kumar Tummalapalli
TS Controller
Information Technology
M: (+974) 3369-0915 | P: (+974) 4022-7486 | ctummalapa...@qatarairways.com.qa

World's 5-star airline | www.qatarairways.com

From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: 28 October 2014 9:04 PM
To: Chaitanya Kumar Tummalapalli; Joerg Stephan
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Require Mod_Security rule for preventing random query string DOS attacks

You could write up some ModSecurity rules that would check for these types of 
request anomalies and block.  Try these (untested) -

SecRule &ARGS_GET_NAMES "@eq 1" "chain,phase:1,t:none,drop,msg:'Botnet DDoS Attack Detected'"
SecRule ARGS_GET "@rx ^$" "chain"
SecRule ARGS_GET_NAMES "@rx ^\-?\d{8,10}$" "exec:/path/to/blacklist.sh"

Note the last line has an execute action where you can do things much like 
Fail2Ban where you can have a shell script that will talk to a local/remote 
Firewall device and dynamically update the ACLs to blacklist the client IP 
address.

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
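
The chain above encodes three conditions: exactly one GET argument, an empty value, and an argument name that is nothing but a (possibly negative) number. Before deploying such a rule it helps to run the same logic offline over real access-log lines and see which requests it would and would not catch. The script below is an added example written for this thread; it is neither Ryan's rule set nor CRS project code. It assumes the site's log format seen in the thread (a comma-separated client/CDN address chain in place of Apache's single %h field), treats the first address in that chain as the client, uses the adjusted 7-to-10-digit expression from the top of the thread, and the `threshold` for blacklist candidates is a hypothetical tuning knob. The sample lines are constructed from the thread's excerpt (10.0.0.5 and 10.0.0.6 are made-up client addresses); the `~5678788` request is included deliberately, because neither the rule's regex nor this mirror of it matches a name that starts with a tilde.

```python
"""Offline mirror of the three-rule ModSecurity chain from the thread, run over
Apache access-log lines so the match logic can be checked before deployment.
Added example for this thread; not code from the thread or from the CRS project."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample modelled on the log excerpt in the thread.  The leading
# comma-separated field is the client/CDN address chain the site's logs carry.
# 10.0.0.5 and 10.0.0.6 are made-up client addresses.
SAMPLE_LOG = """\
122.226.28.22, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?953341233 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"
93.183.239.56, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-404454353 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 5.1)"
122.226.28.22, 23.212.108.67 - - [21/Oct/2014:10:00:27 +0300] "GET /index.html?-16740259 HTTP/1.1" 200 2797 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
82.79.99.142, 81.196.26.231, 80.239.171.212 - - [28/Oct/2014:16:56:01 +0300] "GET /index.html?q=ro/en HTTP/1.1" 200 2797 "-" "Mozilla/5.0"
10.0.0.5, 23.212.108.67 - - [28/Oct/2014:16:56:02 +0300] "GET /index.html?~5678788 HTTP/1.1" 200 2797 "-" "Mozilla/5.0"
10.0.0.6, 23.212.108.67 - - [28/Oct/2014:16:56:03 +0300] "GET /index.html HTTP/1.1" 200 2797 "-" "Mozilla/5.0"
"""

# Apache combined log with a leading address chain instead of a single %h.
# (Assumed format; adjust the expression if your LogFormat differs.)
LOG_RE = re.compile(
    r'^(?P<chain>.+?) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The adjusted expression from the thread: optional minus sign, 7 to 10 digits.
RANDOM_NUMERIC = re.compile(r'^\-?\d{7,10}$')


def is_spurious(target, pattern=RANDOM_NUMERIC):
    """Mirror the chained SecRules: exactly one GET argument, an empty value,
    and an argument *name* that is just a (possibly negative) number."""
    # keep_blank_values=True makes "?953341233" parse as name="953341233", value=""
    args = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if len(args) != 1:                           # SecRule &ARGS_GET_NAMES "@eq 1"
        return False
    name, value = args[0]
    if value != "":                              # SecRule ARGS_GET "@rx ^$"
        return False
    return pattern.match(name) is not None       # SecRule ARGS_GET_NAMES "@rx ..."


def client_ip(chain):
    """First address in the chain: the client as recorded by the CDN edge
    (assumption: the CDN, not the client, wrote this field)."""
    return chain.split(",")[0].strip()


def count_spurious(log_text, pattern=RANDOM_NUMERIC):
    """Return {client_ip: number of spurious requests} for the given log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if is_spurious(m.group("target"), pattern):
            hits[client_ip(m.group("chain"))] += 1
    return dict(hits)


def blacklist_candidates(log_text, threshold, pattern=RANDOM_NUMERIC):
    """Clients with at least `threshold` spurious requests: the addresses a
    Fail2Ban-style script (the exec: step in the thread) would act on.
    `threshold` is a hypothetical tuning value, not something from the thread."""
    counts = count_spurious(log_text, pattern)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in count_spurious(SAMPLE_LOG).items():
        print(f"{ip}: {n} spurious request(s)")
    print("blacklist candidates:", blacklist_candidates(SAMPLE_LOG, threshold=2))
```

Running it on the sample shows two spurious requests from 122.226.28.22 and one from 93.183.239.56; the `q=ro/en` request, the bare `/index.html` request and the `~5678788` request all pass. Widening `pattern` (for instance to allow a leading tilde) changes what is counted without touching the rest of the logic, which is the same adjustment Ryan describes making to the final SecRule's regex.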

From: Chaitanya Kumar Tummalapalli <ctummalapa...@qatarairways.com.qa>
Date: Tuesday, October 28, 2014 10:00 AM
To: Joerg Stephan <joerg.step...@owasp.org>
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Require Mod_Security rule for preventing random query string DOS attacks

Hello Joerg,

Thanks for your reply.

In our analysis of access logs the attacker used 436 IPs (botnets) to 
generate these 1.2 million requests with random number queries, within 20 
minutes.

So on average we got 2750 requests from a single IP.

Our web site, which was under attack, has a maximum of 45 valid known query 
strings; anything beyond them can be treated as spurious, like below:

122.226.28.22, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?953341233 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
120.28.113.179, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?2110115717 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
93.183.239.56, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-404454353 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1"
221.178.236.122, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-304549227 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
117.25.192.227, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1186515202 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1"
60.174.55.148, 23.212.108.70, 2.18.243.13 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-16740259 HTTP/1.1" 200 2797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
218.63.78.48, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-441220308 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
183.63.45.186, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1330852491 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
213.148.184.156, 23.212.108.63, 2.18.243.13 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1092903431 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11"
61.133.234.21, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1925985494 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02"
125.74.189.77, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?1261388031 HTTP/1.1" 200 2797 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 3.5.30729)"

A valid query string will look like this:

82.79.99.142, 81.196.26.231, 80.239.171.212 - - [28/Oct/2014:16:56:01 +0300] "GET /index.html?q=ro/en HTTP/1.1" 200


So can we think of a rule which drops requests like /index.html?953341233? 
Or can it be achieved by mod_evasive? Sorry, I'm new to mod_evasive; 
could you please elaborate on how to use it?



Chaitanya Kumar Tummalapalli
TS Controller
Information Technology
M: (+974) 3369-0915 | P: (+974) 4022-7486 | ctummalapa...@qatarairways.com.qa

World's 5-star airline | www.qatarairways.com

From: Joerg Stephan [mailto:joerg.step...@owasp.org]
Sent: 28 October 2014 4:34 PM
To: Chaitanya Kumar Tummalapalli
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Require Mod_Security rule for preventing random query string DOS attacks

Good $localtime,

How many queries have been done by a single IP address?

In my opinion, when it comes to HTTP flooding we will have a problem adjusting 
the rules, because it will be hard to determine if it is a valid request or not. 
In such cases I would prefer using mod_evasive or fail2ban.

Just my 2 cents

Kind regards

Joerg

On Tue, Oct 28, 2014 at 11:59 AM, Chaitanya Kumar Tummalapalli 
<ctummalapa...@qatarairways.com.qa> wrote:
Hello,

We faced a DDoS attack on our web site very recently. The nature of the attack is an 
HTTP flood attack which raised our bandwidth utilization from 2 MBPS to 20 MBPS.

We have CDN edge caching servers for content delivery to the end user.

There are around 1.2 Million requests made to the apache web server in 20 
minutes with one specific pattern.

For ex: http://www.abc.com/index.html?~77462375

Each request is appended with a query string containing a random sequence number.  The website 
usually responds with the default page for every such request.

But within no time the web server's resources got exhausted and it was unable to 
respond, leading to total downtime.

I have attached a white paper which describes attacks similar to the one we 
have undergone.

We need a rule from the mod_security CRS which can defend against the attack and drop such 
requests.

Regards,
Chaitanya

Qatar Airways - Proud member of the oneworld alliance.


Disclaimer:- This message (including attachments) is intended solely for the 
addressee named above. It may be confidential, privileged, subject to 
copyright, trade secret, or other legal rules and may not be forwarded without 
the author's permission. If you are not the addressee you must not read, copy 
or disseminate this message. If you have received it in error please notify the 
sender immediately and delete the message from all storage devices. Any 
opinions expressed in this message do not necessarily represent the official 
positions of Qatar Airways. Any agreements (including any warranties, 
representations, or offers) concluded with Qatar Airways by using electronic 
correspondence shall only come into existence if an authorized representative 
of Qatar Airways has explicitly approved such contract formation. To the 
fullest extent permissible by law, Qatar Airways disclaim all liability for 
loss or damage to person or property arising from this message being infected 
by computer virus or other contamination.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


________________________________

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.
