hello there
I've got a bit of a problem with the newest mod_security 2.2.7 on openSUSE 13.1 with Apache 2.4.6.
I want to use mod_security to protect against slow DoS attacks, like Slowloris.
For that I use the experimental rule file modsecurity_crs_11_slow_dos_protection.conf from the OWASP ModSecurity Core Rule Set (CRS) 2.2.9 (newest).
mod_security is running without any problems, but if I activate the slow DoS rule set I get blocked by the server:
[Fri Mar 21 17:23:04.018323 2014] :warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]
But I'm more than sure that I don't have 150 threads connected to the server.
The Apache server-status just shows me 2 threads from my IP connected to the server.
Something doesn't add up!
The mod_security rule set defines by default:
SecReadStateLimit 100
So I had a deeper look, as I run mod_security on 2 other SUSE machines without any problems!
mod_security also wants to store collection data on the disk:
SecDataDir /tmp
Normally it then creates ip.dir / ip.pag and global.dir / global.pag in the folder /tmp after an Apache restart.
It does so on the other 2 SUSE boxes,
but somehow it doesn't on the 13.1.
So, now my thinking is: if it can't create the files for collecting data, does it then probably block me by default,
while I don't have 150 threads connected from my IP to the server?
Why isn't mod_security creating the collection data files on restart?
/tmp/ip.dir
/tmp/global.dir
None of those files exist.
If someone could help me out and guide me in the right direction I would be more than grateful.
thanks & all the best
becki
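When triaging a denial like the one quoted in the post, the first step is to turn the ModSecurity error-log message into fields (observed thread count, configured limit, connection state, client address) so it can be compared against what server-status reports for that client. The following is an added example, not code from the poster or from the ModSecurity project: it parses the "Too many threads" message format that SecReadStateLimit/SecWriteStateLimit produce, groups denials per client, and flags records where the observed count is implausibly far above the limit. The first sample line is the one quoted in the post; the second is a constructed WRITE-state line using a documentation IP address.

```python
import re
from collections import defaultdict

# Sample input. Line 1 is quoted from the post above; line 2 is constructed
# (not real log data) to show the WRITE-state variant of the same message.
SAMPLE_LINES = [
    "[Fri Mar 21 17:23:04.018323 2014] :warn] [pid 29457] ModSecurity: Access denied "
    "with code 400. Too many threads [150] of 100 allowed in READ state from "
    "91.22.223.123 - Possible DoS Consumption Attack [Rejected]",
    "[Fri Mar 21 17:25:10.000000 2014] [security2:warn] [pid 29458] ModSecurity: Access denied "
    "with code 400. Too many threads [12] of 10 allowed in WRITE state from "
    "203.0.113.7 - Possible DoS Consumption Attack [Rejected]",
]

# The module/severity field is matched loosely so that both Apache 2.4's
# "[security2:warn]" and the truncated ":warn]" seen in the quoted line parse.
DOS_DENIAL_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+"
    r"(?P<module>\[?[^\]\s]*\])\s+"
    r"\[pid (?P<pid>\d+)\]\s+"
    r"ModSecurity: Access denied with code (?P<status>\d+)\. "
    r"Too many threads \[(?P<observed>\d+)\] of (?P<limit>\d+) allowed in "
    r"(?P<state>READ|WRITE) state from (?P<client>[0-9A-Fa-f.:]+) - "
    r"(?P<reason>.+?) \[(?P<verdict>\w+)\]$"
)


def parse_dos_denial(line):
    """Return a dict of fields for a SecReadStateLimit/SecWriteStateLimit
    denial line, or None if the line is not such a message."""
    m = DOS_DENIAL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "status", "observed", "limit"):
        rec[key] = int(rec[key])
    return rec


def denials_by_client(lines):
    """Group parsed denials by client address: {client: [record, ...]}."""
    grouped = defaultdict(list)
    for line in lines:
        rec = parse_dos_denial(line)
        if rec is not None:
            grouped[rec["client"]].append(rec)
    return dict(grouped)


def looks_implausible(rec, server_status_count, slack=2):
    """True when ModSecurity's observed count exceeds the limit but the
    independent per-client count from server-status is far below it.
    Such a mismatch points at the module's own state, not at the client."""
    return rec["observed"] > rec["limit"] and server_status_count * slack < rec["limit"]


if __name__ == "__main__":
    for client, recs in denials_by_client(SAMPLE_LINES).items():
        for rec in recs:
            print(f"{client}: {rec['observed']}/{rec['limit']} in {rec['state']} state "
                  f"-> {rec['verdict']} (pid {rec['pid']})")
    # The post reports 2 threads from the client in server-status.
    first = parse_dos_denial(SAMPLE_LINES[0])
    print("implausible:", looks_implausible(first, server_status_count=2))
```

Run it against the lines from the post and `looks_implausible` returns True for the quoted denial, which is exactly the mismatch the post describes: 150 observed against a limit of 100 while server-status shows 2 connections. That is the signal to check the module's own state (SecDataDir writability and whether ip.pag / global.pag are being created) rather than the client.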