Chapter 12

Enforcing Access Rate and Application Flows

Attack him where he is unprepared, appear where you are not expected.

—Sun Tzu in The Art of War

Identifying web application attack traffic isn’t always a matter of what a client is doing but rather the velocity at which it is doing it. Attackers often use automated programs to expedite their reconnaissance, execute their attack payloads, or simply flood the application with excessive traffic. This chapter looks at various methods of detecting when clients are accessing your applications abnormally. This includes not only the speed of use but also the order in which resources are accessed.

Many of the recipes in this chapter include references to material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) project: http://capec.mitre.org/.

Recipe 12-1: Detecting High Application Access Rates
This recipe shows you how to use ModSecurity to determine when individual clients are making a large number of requests within a specified time window.
Ingredients
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_10_setup.conf
    • modsecurity_crs_11_dos_protection.conf
  • ModSecurity
    • IP:DOS_COUNTER variable
    • IP:DOS_BURST_COUNTER variable
    • IP:DOS_BLOCK variable
    • @gt operator
    • setvar action
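The following rule set, added here as an illustrative example and not the contents of the CRS file listed above, shows how the three IP collection variables, the @gt operator, and the setvar/expirevar actions fit together. The thresholds (100 requests per 60-second time slice, two bursts trigger a 600-second block), the rule IDs in the 9xxxxx range, the 429 response code, and the static-file extension list are all assumptions chosen for this example; tune them to your application.

```apache
# --- Added example: per-client request-rate detection with ModSecurity 2.x ---
# Assumes SecRuleEngine On and a writable SecDataDir so the IP collection persists
# across requests (ip.* variables live in that on-disk collection).

# Tunables, set once per request into the transaction collection (values are assumptions).
SecAction "id:900100,phase:1,t:none,nolog,pass,\
    setvar:tx.dos_burst_time_slice=60,\
    setvar:tx.dos_counter_threshold=100,\
    setvar:tx.dos_block_timeout=600"

# Initialize the per-client collection keyed on the source address.
SecAction "id:900101,phase:1,t:none,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Enforcement: a client already flagged as a DoS source is refused early (phase 1),
# before the request reaches the application.
SecRule IP:DOS_BLOCK "@eq 1" "id:900102,phase:1,t:none,log,deny,status:429,\
    msg:'Denying client %{REMOTE_ADDR} due to prior DoS flag'"

# Counting happens in phase 5 (logging) so only completed requests are counted.
# Static assets are skipped so a single page view with many images is not a burst.
SecRule REQUEST_BASENAME "@rx \.(?:jpe?g|png|gif|css|js|ico|woff2?)$" \
    "id:900103,phase:5,t:none,nolog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"

# Burst detection: when the per-client counter exceeds the threshold inside the
# time slice, record one burst, then reset the counter for the next slice.
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "id:900104,phase:5,t:none,nolog,pass,\
    setvar:ip.dos_burst_counter=+1,\
    expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\
    setvar:!ip.dos_counter"

# Two bursts within the time slice: set the block flag for dos_block_timeout seconds.
SecRule IP:DOS_BURST_COUNTER "@ge 2" "id:900105,phase:5,t:none,log,pass,\
    msg:'Potential DoS from %{REMOTE_ADDR}, bursts=%{ip.dos_burst_counter}',\
    setvar:ip.dos_block=1,\
    expirevar:ip.dos_block=%{tx.dos_block_timeout}"

# Every non-static request increments the counter; the counter expires after the slice.
SecAction "id:900106,phase:5,t:none,nolog,pass,\
    setvar:ip.dos_counter=+1,\
    expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"

SecMarker END_DOS_PROTECTION_CHECKS
```

Two caveats a practitioner should keep in mind. First, expirevar resets the expiry on every request, so the counter clears after dos_burst_time_slice seconds of inactivity rather than on a fixed clock boundary; a client that keeps requesting just under the threshold will keep its counter alive. Second, keying the collection on REMOTE_ADDR alone punishes every client behind a shared NAT or proxy address; if your traffic arrives through a load balancer, take the client address from the appropriate forwarded header first, and consider adding a User-Agent hash to the collection key so distinct clients behind one address are counted separately.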
CAPEC-125: Resource Depletion through Flooding
An attacker consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate ...
