Revision as of 19:00, 20 October 2013

Description

This rule is triggered when a a single IP has opened too many connections to the apache webserver in a READ state. This condition is unusual for a normal client, and occurs when either an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients (Denial of Service Attack) or if your clients really need to open an unusually high number of READ connections.

This alert will occur when a slowloris attack is occurring.

This rule reports when apache has stopped accepting READ requests from a client. You can configure this limit by following the Tuning Guidance below.

Log example

[warn] ModSecurity: Access denied with code 400. Too many threads [11] of 10 allowed in READ state from 1.2.3.4 - Possible DoS Consumption Attack [Rejected

Troubleshooting

False Positives

The rule alerts when the configured WAF_READSTATELIMIT value is exceeded. The rule does not cause this event to occur, it just reports when it occurs.

Disabling this rule will not prevent this event from occurring, it will just prevent ASL from alerting you that this is occurring, and optionally from shunning the IP address that is causing this event

We do not recommend you disable this rule. If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". See below for tuning guidance if the default READ state limit is too low for your system.

Tuning Guidance

This limit is configured by this setting:

https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_READSTATELIMIT

We do not recommend you change this setting unless you know what you are doing. The default should be sufficient for even very large systems, and increasing this limit may make your system vulnerable to slowloris attacks. Setting this too low may cause legitimate clients from being able to connect to your system.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.