Recipe 12-2: Detecting Request/Response Delay Attacks
This recipe shows you how to use ModSecurity to identify when clients delay completing transactions.
Ingredients
- ModSecurity
- SecReadStateLimit directive
- SecWriteStateLimit directive
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than everything listening on a TCP/IP port. This denial of service attack requires substantially fewer packets to be sent, which makes the DoS harder to detect. It is the HTTP-layer equivalent of a SYN flood.
The idea is to keep each HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software: the web server waits for the attacker to complete each initiated HTTP session while its pool of connection threads is exhausted.
Sample Attack
Whereas network-level DoS attacks aim to flood your pipe with lower-layer traffic (such as SYN packets), web application layer DoS attacks can often be carried out with far less traffic. The amount of traffic needed to cause an HTTP DoS condition is usually much smaller than what a network bandwidth saturation attack requires, which also makes it easier to miss.
HTTP Request Delay Attacks
HTTP request delay attacks are surprisingly easy to accomplish because they target the web server's local resources (its worker threads or processes) rather than the network bandwidth. They work by simply completing a TCP ...
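As an added example (not code from the book or from ModSecurity itself), the following Python models the mechanism described in the CAPEC entry and in the request-delay discussion above: a Slowloris-style client that keeps sending junk headers but never the blank line that terminates the request, so the worker serving it stays in Apache's SERVER_BUSY_READ state, plus a per-IP check over a worker scoreboard that mirrors what SecReadStateLimit and SecWriteStateLimit do (a limit of 0 means no limit, as in ModSecurity). The scoreboard contents, IP addresses and thresholds are constructed sample data; the real directives read Apache's scoreboard and refuse further connections from an address that is over the limit.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Apache worker states relevant to slow-request / slow-response attacks.
SERVER_BUSY_READ = "BUSY_READ"    # worker waiting for the client to finish sending its request
SERVER_BUSY_WRITE = "BUSY_WRITE"  # worker waiting for the client to drain the response
SERVER_READY = "READY"            # idle worker

HEADER_END = b"\r\n\r\n"

Scoreboard = List[Tuple[str, Optional[str]]]  # (worker state, client IP or None when idle)


def request_complete(buf: bytes) -> bool:
    """A worker leaves the read state only once the header terminator has arrived."""
    return HEADER_END in buf


def slow_request_chunks(n_junk_headers: int) -> Iterable[bytes]:
    """Constructed Slowloris-style traffic: a valid request line, then one junk header
    per keep-alive tick, but never the blank line that would complete the request."""
    yield b"GET / HTTP/1.1\r\nHost: example.test\r\n"
    for i in range(n_junk_headers):
        yield f"X-a: {i}\r\n".encode()


def worker_state_after(chunks: Iterable[bytes]) -> str:
    """State of the worker that received these chunks: still reading, or done."""
    buf = b"".join(chunks)
    return SERVER_READY if request_complete(buf) else SERVER_BUSY_READ


def per_ip_counts(scoreboard: Scoreboard, state: str) -> Counter:
    """Count, per client IP, how many worker slots sit in the given state."""
    return Counter(ip for s, ip in scoreboard if s == state and ip is not None)


def check_state_limits(scoreboard: Scoreboard, read_limit: int = 0,
                       write_limit: int = 0) -> Dict[str, List[str]]:
    """Model of SecReadStateLimit / SecWriteStateLimit: 0 disables the check, as in
    ModSecurity. Returns {client_ip: [states over limit]} for addresses whose further
    connections would be refused."""
    offenders: Dict[str, List[str]] = {}
    for state, limit in ((SERVER_BUSY_READ, read_limit), (SERVER_BUSY_WRITE, write_limit)):
        if limit <= 0:
            continue
        for ip, n in per_ip_counts(scoreboard, state).items():
            if n > limit:
                offenders.setdefault(ip, []).append(state)
    return offenders


def constructed_scoreboard(attacker_ip: str = "203.0.113.7", attacker_conns: int = 40,
                           legit_clients: int = 5, workers: int = 64) -> Scoreboard:
    """Constructed sample scoreboard (hypothetical addresses): one attacker holding many
    half-sent requests, a few legitimate clients mid-response, the rest of the workers idle."""
    board: Scoreboard = [(SERVER_BUSY_READ, attacker_ip)] * attacker_conns
    board += [(SERVER_BUSY_WRITE, f"198.51.100.{i}") for i in range(1, legit_clients + 1)]
    board += [(SERVER_READY, None)] * (workers - len(board))
    return board


if __name__ == "__main__":
    # A client that keeps trickling junk headers never frees its worker.
    print("worker after 30 junk headers:", worker_state_after(slow_request_chunks(30)))
    board = constructed_scoreboard()
    print("busy-read per IP:", dict(per_ip_counts(board, SERVER_BUSY_READ)))
    # Per-IP state limits of 20 single out the address that monopolises the read slots.
    print("over limit:", check_state_limits(board, read_limit=20, write_limit=20))
```

The thresholds are the whole point of the recipe: the attacker's 40 half-open requests are individually harmless, and only the per-IP count of workers stuck in the read state reveals them, which is why the check keys on client address and worker state rather than on request content. Set the limits below your MPM's worker count so the check fires before the pool is exhausted.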