Chapter 12
Enforcing Access Rate and Application Flows
Attack him where he is unprepared, appear where you are not expected.
—Sun Tzu in The Art of War
Identifying web application attack traffic isn’t always a matter of what a client is doing but rather the velocity at which it is doing it. Attackers often use automated programs to expedite their reconnaissance, execute their attack payloads, or simply flood the application with excessive traffic. This chapter looks at various methods of detecting when clients are accessing an application abnormally. This covers not only the speed of use (request rate and bursts) but also the order in which resources are accessed, since a scripted client frequently skips the pages a real user would have to pass through.
Many of the recipes in this chapter include references to material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) project: http://capec.mitre.org/.
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_10_setup.conf
- modsecurity_crs_11_dos_protection.conf
- ModSecurity
- IP:DOS_COUNTER variable
- IP:DOS_BURST_COUNTER variable
- IP:DOS_BLOCK variable
- @gt operator
- setvar action
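To make the two detection ideas from the introduction concrete, here is an added example (not code from the book or from the OWASP CRS) that models, in Python, the shape of the per-IP counters listed above: a request counter per window, a burst counter that increments each time the window fills up, and a block flag with an expiry. It also enforces a simple page-flow order so that a client requesting /checkout without first reaching /cart is flagged. The thresholds, the flow map, the simplified log format, and the sample traffic are all constructed for illustration; the real CRS DoS rules in modsecurity_crs_11_dos_protection.conf are expressed as SecRule directives with their own defaults.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for illustration. They follow the shape of the CRS DoS
# counters (per-IP request counter, burst counter, block flag) but are not the
# CRS defaults and this is not the CRS rule logic itself.
WINDOW_SECONDS = 60        # counting window for the request counter
COUNTER_THRESHOLD = 5      # requests per window before one burst is recorded
BURST_THRESHOLD = 2        # bursts before the client is blocked
BLOCK_SECONDS = 300        # how long a block lasts once set

# Hypothetical application flow: a resource may only be requested after the
# same client has already reached one of its prerequisite pages.
FLOW_PREREQS = {
    "/cart": {"/catalog"},
    "/checkout": {"/cart"},
}


@dataclass
class ClientState:
    window_start: float = 0.0
    dos_counter: int = 0
    dos_burst_counter: int = 0
    dos_block_until: float = 0.0


class FlowMonitor:
    """Tracks per-IP request velocity and per-IP page-flow order."""

    def __init__(self):
        self.rate = defaultdict(ClientState)
        self.visited = defaultdict(set)

    def rate_verdict(self, ip, ts):
        st = self.rate[ip]
        if ts < st.dos_block_until:
            return "blocked"
        if ts - st.window_start >= WINDOW_SECONDS:
            # A new counting window starts: reset the request counter.
            st.window_start = ts
            st.dos_counter = 0
        st.dos_counter += 1
        if st.dos_counter > COUNTER_THRESHOLD:
            # Window filled too quickly: record a burst and restart the window.
            st.dos_burst_counter += 1
            st.dos_counter = 0
            st.window_start = ts
            if st.dos_burst_counter >= BURST_THRESHOLD:
                st.dos_block_until = ts + BLOCK_SECONDS
                st.dos_burst_counter = 0
                return "blocked"
            return "burst"
        return "ok"

    def flow_verdict(self, ip, path):
        prereqs = FLOW_PREREQS.get(path)
        verdict = "ok"
        if prereqs and not (prereqs & self.visited[ip]):
            verdict = "out_of_order"
        self.visited[ip].add(path)
        return verdict

    def inspect(self, ip, ts, path):
        # Rate checks run first; a blocked or bursting client never reaches the
        # flow check, mirroring an early-phase deny in a WAF rule chain.
        rate = self.rate_verdict(ip, ts)
        if rate != "ok":
            return rate
        return self.flow_verdict(ip, path)


# Simplified constructed log format: "<ip> <epoch-seconds> <method> <path>".
LOG_LINE = re.compile(r"^(\S+) (\d+) (GET|POST) (\S+)$")


def analyze(lines):
    mon = FlowMonitor()
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip anything that does not match the constructed format
        ip, ts, _method, path = m.groups()
        results.append((ip, path, mon.inspect(ip, int(ts), path)))
    return results


def summarize(results):
    counts = defaultdict(int)
    for ip, _path, verdict in results:
        counts[(ip, verdict)] += 1
    return dict(counts)


# Constructed sample traffic (not real logs): a scripted client hammering
# /login once per second, a normal shopper, and a client jumping to /checkout.
SAMPLE_LOG = (
    [f"203.0.113.7 {t} POST /login" for t in range(20)]
    + ["198.51.100.5 5 GET /catalog",
       "198.51.100.5 30 GET /cart",
       "198.51.100.5 40 POST /checkout",
       "198.51.100.9 50 POST /checkout"]
)

if __name__ == "__main__":
    for ip, path, verdict in analyze(SAMPLE_LOG):
        print(f"{ip:14} {path:10} {verdict}")
```

With these thresholds the scripted client gets five normal requests, a burst on the sixth, five more, and is then blocked on the twelfth request and for every request after it; the shopper passes all checks, and the client that skips straight to /checkout is flagged as out of order even though its rate is harmless.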