
SANS ISC: InfoSec Handlers Diary Blog



"Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!"

Published: 2010-01-25
Last Updated: 2010-01-25 04:05:20 UTC
by William Salusky (Version: 1)
3 comment(s)

Do you manage Apache-based web server farms with Web Application Firewall (WAF) requirements that revolve primarily around central thresholding and rate limiting? Have you found an open source WAF that fulfills this need? If you haven't, I take extra special joy in publicly sharing two open projects that I'm involved with, serving as <masculine chest puffing>cheerleader</masculine chest puffing> ;), tester, and injector of scope creep whenever possible to solve various forms of abuse.

Mark Thomas has done excellent work on a pair of tools: an Apache 2 module, mod_webfw2, and the Thrasher central rate-limiting engine. Together they provide a web application firewall with dynamic rule updates, making the dreaded server farm bounce to enable new or modified rules a thing of the past. mod_webfw2 with Thrasher support also makes trivial the task of tracking abusive clients across a server farm, whether that farm consists of one host, several, or hundreds.

The tool suite has been deployed successfully to stomp out automated, distributed attacks on web applications including (but not limited to) account registration interfaces, authentication, webmail, search engines, comment/guestbook/article abuse, proxy servers, and web scrapers. While I would never be so foolish as to call these tools an HTTP DDoS silver bullet, we have seen the pair successfully deployed as a mitigation against HTTP resource-exhaustion DoS attacks.
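The two paragraphs above make one point worth seeing in code: a client that spreads its requests round-robin across a farm stays under any per-host threshold, and only a counter shared across the farm catches it. The following is an added illustration written for this diary; it is not mod_webfw2 or Thrasher code and does not model their rule syntax or wire protocol. The limiter is a plain sliding-window counter keyed by client address, the 10-requests-per-minute policy is assumed, and the request stream is constructed sample data using documentation (TEST-NET) addresses.

```python
"""Farm-wide vs per-host rate limiting: an added illustration, not Thrasher code."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # client -> timestamps of recent hits
        self.blocked = set()             # clients that have tripped the threshold

    def check(self, client, ts):
        """Record one request at time `ts`; return True if it is allowed."""
        q = self.hits[client]
        # Drop hits that have aged out of the window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.limit:
            self.blocked.add(client)
            return False
        return True


HOSTS = ["web1", "web2", "web3", "web4", "web5"]
LIMIT, WINDOW = 10, 60   # assumed policy: 10 requests per client per minute

# Constructed stream: one abusive client spreads 30 requests over 30 seconds
# round-robin across five front ends (6 per host), plus a normal client
# making three requests. Addresses are from the TEST-NET documentation ranges.
ABUSER, NORMAL = "203.0.113.7", "198.51.100.5"
REQUESTS = [(float(i), HOSTS[i % len(HOSTS)], ABUSER) for i in range(30)]
REQUESTS += [(4.5, "web1", NORMAL), (17.2, "web3", NORMAL), (29.9, "web5", NORMAL)]
REQUESTS.sort()   # (timestamp, host, client), in arrival order


def simulate(requests, hosts=HOSTS, limit=LIMIT, window=WINDOW):
    """Run one stream through independent per-host limiters and one shared limiter."""
    per_host = {h: SlidingWindowLimiter(limit, window) for h in hosts}
    central = SlidingWindowLimiter(limit, window)
    denied = {"per_host": 0, "central": 0}
    for ts, host, client in requests:
        # Each front end only sees the slice of traffic that reached it...
        if not per_host[host].check(client, ts):
            denied["per_host"] += 1
        # ...while the shared counter sees the client's farm-wide total.
        if not central.check(client, ts):
            denied["central"] += 1
    return {
        "denied": denied,
        "per_host_blocked": set().union(*(lim.blocked for lim in per_host.values())),
        "central_blocked": central.blocked,
    }


if __name__ == "__main__":
    result = simulate(REQUESTS)
    print("denied:", result["denied"])
    print("blocked per-host:", result["per_host_blocked"] or "nobody")
    print("blocked centrally:", result["central_blocked"])
```

With six requests per host the abuser never trips a per-host limiter, so every front end serves all 30 requests; the shared counter denies requests 11 through 30 and flags the client, while the normal client's three requests pass either way. Widening the farm only makes the per-host blind spot worse, which is the case for keeping the threshold state in one place rather than on each Apache instance.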

mod_webfw2/Thrasher is not intended to replace or compete with the deep inspection engine of the open source mod_security; the two are quite complementary when you need mod_security's advanced features along with centralized rate limiting.

The mod_webfw2 and Thrasher project is seeking testers and contributors.
 

William Salusky - Handler on Duty ;)
