"Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!"

Published: 2010-01-25
Last Updated: 2010-01-25 04:05:20 UTC
by William Salusky (Version: 1)
3 comment(s)

Do you manage Apache based web server farms with Web Application Firewall (WAF) requirements that revolve primarily around a need for central thresholding/rate limiting features?  Have you found an open source WAF solution that fulfills this need?  Well if you haven't, I take extra special joy in the public sharing of two open projects that I'm involved with, serving the roles of <masculine chest puffing>cheerleader</masculine chest puffing> ;), tester and injecting scope creep whenever possible to solve various forms of abuse. 

Mark Thomas has accomplished some excellent work on a pair of tools consisting of an Apache2 module 'mod_webfw2' and the 'Thrasher' central rate limiting engine.  These tools provide a web application firewall with dynamic rule update features making the "dreaded server farm bounce to enable new or modified rules" a thing of the past.  Mod_webfw2 with Thrasher support also make trivial the task of tracking abusive clients across server farms whether those farms consist of one, several or hundreds of hosts.

The tools suite has been deployed successfully in stomping out automated, distributed attacks on web apps that include (and are not limited to) Account Registration interfaces, Authentication, Webmail, Search engines, Comment/Guestbook/Article abuse, Proxy servers and Web Scraper abuse mitigation.  While I would never be so foolish as to call these tools an HTTP DDoS silver bullet, we have seen the technology-pair successfully deployed as a mitigation against HTTP resource utilization DoS attacks.

Mod_webfw2/Thrasher does not intend to replace or compete with the deep inspection engine available in the open source mod_security, but they operate quite complementary to one another when you have requirements for the advanced features of mod_security along with the need for centralized rate limiting. 

The mod_webfw2 and thrasher project is seeking project testers and contributors.
 

William Salusky - Handler on Duty ;)

3 comment(s)

Comments

These modules add the intrusion protection/detection firewall signatures handling capability into Apache web server. This also allows end-users to implement regular expressions and patterns matching rules for blocking the malicious URL requests. Apache admins will find easy to implement this features. Can someone publish the threshold load till performance or latency issues are negligible?
mod_webfw2 needs to add a "TCP Tarpit" action.
Use mod_security
better for server
better for user

Avoid lot of protection, use good iptable rules.

cheers

Diary Archives