mod_antibot and Slow HTTP attack
2 posts
• Page 1 of 1
mod_antibot and Slow HTTP attack
We have been using APE for some time and have run into issues for some slow DDOS attacks with entries in the log like:
2017-03-10 01:36:49 [SERVER IP] FAKEVERB / - 80 - [Offending IP] Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2) 500 0 0 119704
They all come in as FAKEVERB requests instead of the usual GET's etc.
Is the mod_antibot a good solution for getting rid of these? It's not a regular verb, what would the rules be?
/tc
2017-03-10 01:36:49 [SERVER IP] FAKEVERB / - 80 - [Offending IP] Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2) 500 0 0 119704
They all come in as FAKEVERB requests instead of the usual GET's etc.
Is the mod_antibot a good solution for getting rid of these? It's not a regular verb, what would the rules be?
/tc
Re: mod_antibot and Slow HTTP attack
Hello.
Web servers themselves are usually quite resilient to slow HTTP attacks, that is why these attacks normally target backend applications, which can be rather susceptible to it. In your case, since no valid HTTP verb is used the attack clearly targets the IIS server itself. So the first question does the attack has any success? I mean IIS seem to repel it with 500 error and that's all. Probably you don't need to do anything about it because you already protected?
You could use mod_rewrite (mod_antibot is not needed here) to block requests with FAKEVERB verb, in case you suspect they may come through to your backend, but Ape (not any module) cannot protect IIS itself from receiving this request because Ape is IIS module and will only act after IIS has received request. The mod_rewriteRule could look like:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} FAKEVERB [NC]
RewriteRule .? - [F]
If you feel like IIS needs a protection from this attack you can put your server behind some web application firewall like CloudFlare.
Web servers themselves are usually quite resilient to slow HTTP attacks, that is why these attacks normally target backend applications, which can be rather susceptible to it. In your case, since no valid HTTP verb is used the attack clearly targets the IIS server itself. So the first question does the attack has any success? I mean IIS seem to repel it with 500 error and that's all. Probably you don't need to do anything about it because you already protected?
You could use mod_rewrite (mod_antibot is not needed here) to block requests with FAKEVERB verb, in case you suspect they may come through to your backend, but Ape (not any module) cannot protect IIS itself from receiving this request because Ape is IIS module and will only act after IIS has received request. The mod_rewriteRule could look like:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} FAKEVERB [NC]
RewriteRule .? - [F]
If you feel like IIS needs a protection from this attack you can put your server behind some web application firewall like CloudFlare.
2 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 24 guests