31102 - Possible DoS Consumption Attack

CRServers · Unread post by **CRServers** » Fri Oct 04, 2013 9:38 am

We are getting lots of these every day now.
The strange thing is that it reports the "attacks" coming from IP 190.10.8.121 which is the server's own IP.

Code: Select all

[warn] ModSecurity: Access denied with code 400. Too many threads [11] of 10 allowed in READ state from 190.10.8.121 - Possible DoS Consumption Attack [Rejected

What is happening here?
Is this a false positive?
How can we get rid of these?

Thanks for your help.
Regards,

Rodrigo

prupert · Unread post by **prupert** » Fri Oct 04, 2013 10:06 am

Have you read https://www.atomicorp.com/wiki/index.php/HIDS_31102 ?

CRServers · Unread post by **CRServers** » Fri Oct 04, 2013 11:26 pm

Yes I did.
But why it is reporting attacks from the server's own IP.
What is going on?
That's the part I want to know.
Regards,

prupert · Unread post by **prupert** » Sat Oct 05, 2013 1:36 pm

But why it is reporting attacks from the server's own IP.

This means that the requests are coming from your own server. This could be anything from a cron script to a web application that is doing internal HTTP requests. The ASL logs do not contain information as to which script this is doing, but you might be able to find the culprit in the access logs.

This is not a false positive, the rule is simply reporting that requests from your server are generating more than ten concurrent httpd processes busy in reading state. It is highly unlikely that this is acceptable behavior.

Atomicorp

31102 - Possible DoS Consumption Attack

31102 - Possible DoS Consumption Attack

Re: 31102 - Possible DoS Consumption Attack

Re: 31102 - Possible DoS Consumption Attack

Re: 31102 - Possible DoS Consumption Attack