Firewall rule triggered by modsec state limit?

[kirkre]

Does ASL have the capability to block an IP at the firewall level when that IP exceeds a mod_security state limit such as this?:

/var/log/httpd/error_log:[Sun Nov 08 21:50:19 2015] [warn] ModSecurity: Access denied with code 400. Too many threads [255] of 100 allowed in WRITE state from 177.141.142.53 - Possible DoS Consumption Attack [Rejected]

We are getting hit by slow DOS attacks and this is the only thing that is triggered. I've lowered the write state limit to 20 which so far allows normal traffic without hindrance, but not sure if that will really help. With the limit set at 100, 300 malformed requests still puts Apache into a wait state for several hours. The server has enough resources to handle all normal traffic with ease.

We are using a rules only account at the moment, but if the full ASL can block this at the firewall level I am interested.

Thanks,

Kirk

[mikeshinn]

Yes, ASL blocks this at the network firewall level. Rule 31102 specifically.

[kirkre]

Great! I'd like to try the trial on our test server first to make sure everything works. I think I'll need to open another account to put the trial on the test server since we already have a rules only subscription, but let me know if there is a better way to do this.

Thanks!

Kirk

[mikeshinn]

You can add a trial license to your existing account. Just log into the license manager, and click on Add/Renew Licenses. If you need assistance with this, just shoot an email to support and we'll set it up for you.