HIDS 31102
Rule 31102 | |
---|---|
Status | Active |
Alert Message | ModSecurity: Access denied with code 400. Too many threads |
Contents |
Description
This rule is triggered when a a single IP has opened too many connections to the server in a READ state. This condition is extremely unusual for a normal client, and occurs when either an attacker is trying to use up all the threads on the server to prevent it from servicing any other clients or if your clients really need to open an extremely number of READ connections.
This alert will occur when a slowloris attack is occuring.
This rule does not block anything, it simply reports when apache has stopped accepting READ requests from a client. You can configure this limit by following the Tuning Guidance below.
Troubleshooting
False Positives
The rule alerts when the configured WAF_READSTATELIMIT value is exceeded. The rule does not cause this event to occur. Disabling this rule will not cause this event to not occur, it will just prevent ASL from alerting you that this is occurring. See below for tuning guidance.
Tuning Guidance
This limit is configured by this setting:
https://www.atomicorp.com/wiki/index.php/ASL_WAF#WAF_READSTATELIMIT
We do not recommend you change this setting unless you know what you are doing. The default should be sufficient for even very large systems, and increasing this limit may make your system vulnerable to slowloris attacks. Setting this too low may cause legitimate clients from being able to connect to your system.
Additional Information
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.