mod_antibot and Slow HTTP attack

Helicon Ape provides support for Apache .htacces and .htpasswd configuration files for Microsoft IIS.
User avatar
Posts: 3
Joined: 02 Dec 2013, 18:29

mod_antibot and Slow HTTP attack

02 Apr 2017, 13:24

We have been using APE for some time and have run into issues for some slow DDOS attacks with entries in the log like:

2017-03-10 01:36:49 [SERVER IP] FAKEVERB / - 80 - [Offending IP] Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2) 500 0 0 119704


They all come in as FAKEVERB requests instead of the usual GET's etc.

Is the mod_antibot a good solution for getting rid of these? It's not a regular verb, what would the rules be?


/tc

User avatar
Posts: 402
Joined: 06 Mar 2012, 11:59

Re: mod_antibot and Slow HTTP attack

03 Apr 2017, 08:23

Hello.

Web servers themselves are usually quite resilient to slow HTTP attacks, that is why these attacks normally target backend applications, which can be rather susceptible to it. In your case, since no valid HTTP verb is used the attack clearly targets the IIS server itself. So the first question does the attack has any success? I mean IIS seem to repel it with 500 error and that's all. Probably you don't need to do anything about it because you already protected?
You could use mod_rewrite (mod_antibot is not needed here) to block requests with FAKEVERB verb, in case you suspect they may come through to your backend, but Ape (not any module) cannot protect IIS itself from receiving this request because Ape is IIS module and will only act after IIS has received request. The mod_rewriteRule could look like:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} FAKEVERB [NC]
RewriteRule .? - [F]


If you feel like IIS needs a protection from this attack you can put your server behind some web application firewall like CloudFlare.

Return to Helicon Ape

Who is online

Users browsing this forum: No registered users and 9 guests