Apache hang on https protocol violation
Subject: Apache hang on https protocol violation
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-06-23 13:51:16 GMT
Hi people,
I'm a new modsecurity user and I've a problem which maybe some of you can resolve ;).
My configuration is: reverse proxy (http/https) with apache 2.2.9 and modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
If I try this benchmark, everything works fine, without problems:
ab -k -c 200 -n 8000 http://www.mysite.com/
ab -k -c 200 -n 8000 https://www.mysite.com/
... no lost requests, no particular delay.
The problem comes out if I try to do a "DOS attack" pointing directly to the IP address of mysite in https.
After a few requests (~200) Apache hangs and stops responding ...
ab -k -c 200 -n 8000 https://192.168.168.100/
#############################################################################
# This is ApacheBench, Version 2.3 <$Revision: 655654 $>
# Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
# Licensed to The Apache Software Foundation, http://www.apache.org/
#
# Benchmarking 192.168.168.100 (be patient)
# Completed 200 requests
# apr_poll: The timeout specified has expired (70007)
# Total of 272 requests completed
#############################################################################
Here is an extract from the logs:
#############################################################################
Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF <at> XssIL0NIAAB <at> ncMAAAACI"]
#############################################################################
If I turn off modsecurity (SecRuleEngine Off) and I repeat the test, I don't have any problem!
If I disable the specific rule (SecRuleRemoveById "960017"), everything works fine!
So, do you have any idea about this issue?
How can I prevent this kind of "DOS attack"?
Thanks a lot! Regards
Nick
PS: sorry for my ridiculous English ;)
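
Added example, not part of the original post and not ModSecurity code: a small Python parser for error-log lines in the format quoted above. It shows why the benchmark against the bare IP address trips rule 960017 while the hostname run does not, and counts denials per client and rule id so a flood of such hits stands out. The function names, the threshold, the second client address and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter

# Operator regex of rule 960017 as printed in the log (log escaping removed).
HOST_RULE = re.compile(r'^[\d\.]+$')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
DENY_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)')
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs

def trips_960017(host):
    """True if a Host header value matches the rule's pattern."""
    return bool(HOST_RULE.search(host))

def parse_line(line):
    """Return a dict for a ModSecurity 'Access denied' line, else None."""
    deny, client = DENY_RE.search(line), CLIENT_RE.search(line)
    if not (deny and client):
        return None
    event = {"client": client.group(1), "code": int(deny.group(1)),
             "phase": int(deny.group(2))}
    for key, value in META_RE.findall(line):
        event.setdefault(key, value)  # keep the first value if a key repeats
    return event

def noisy_clients(lines, threshold):
    """Map (client, rule id) -> denial count, for counts >= threshold."""
    hits = Counter()
    for line in lines:
        event = parse_line(line)
        if event and "id" in event:
            hits[(event["client"], event["id"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample input modelled on the log extract in the post.
TEMPLATE = (r'Jun 23 14:31:{sec:02d} ulxbwaf httpd[8103]: [error] [client {client}] '
            r'ModSecurity: Access denied with code 400 (phase 2). '
            r'Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. '
            r'[line "60"] [id "960017"] [msg "Host header is a numeric IP address"] '
            r'[severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] '
            r'[hostname "192.168.168.100"] [uri "/"] [unique_id "constructed-{sec}"]')
SAMPLE_LINES = [TEMPLATE.format(sec=s, client="192.168.168.168") for s in (47, 47, 48)]
SAMPLE_LINES.append(TEMPLATE.format(sec=49, client="10.0.0.5"))
SAMPLE_LINES.append("Jun 23 14:31:50 ulxbwaf httpd[8103]: [notice] constructed unrelated line")

if __name__ == "__main__":
    print(trips_960017("192.168.168.100"), trips_960017("www.mysite.com"))
    print(noisy_clients(SAMPLE_LINES, threshold=3))
```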