Tomer,
Depending on your logging configuration (specifically if your SecAuditEngine is set to On vs. RelevantOnly) combined with your traffic load, your performance will be affected. Additionally, the modsec-auditlog-collector.pl script is a Proof of Concept script and it says so in the script itself and on the “About” page of the ModSecurity Console:

# This is a proof-of-concept script that listens to the
# audit log in real time and submits the entries to
# a remote HTTP server. This code is not suitable for
# non-trivial production use since it can only submit
# one audit log entry at a time, plus it does not handle
# errors gracefully.
--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
--------------
Web Security Threat Report Webinar on May 9, 2007 (12 pm EST)
Learn More About the Breach Webinar Series:
http://www.breach.com/webinars.asp
--------------
From: mod-security-users-bounces lists.sourceforge.net [mailto:mod-security-users-bounces lists.sourceforge.net] On Behalf Of Tomer Okavi
Sent: Thursday, March 29, 2007 2:48 PM
To: mod-security-users lists.sourceforge.net
Subject: [mod-security-users] DDOS
Hi,

Using 2.1.0 on Apache 2.2.4 configured as a reverse proxy and logging to the ModSecurity console, I did a benchmark on the box and accidentally triggered one of the rules. Watching the server-status page, all requests were in "L" state (logging) and Apache was slow serving requests.

Disabled logging with modsec-auditlog-collector.pl and the benchmark was OK.

It looks like the modsec-auditlog-collector.pl performance isn't so great, and in production an attacker can easily DDOS the server by triggering a couple of thousand requests.

Has anyone checked the performance of the logging with over 100 requests per second?

Tomer
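
An added illustration, not part of the original thread and not ModSecurity or collector code: a toy tick-based model of Apache workers handing audit entries to a collector that submits one entry at a time, for sizing audit logging before a load test. The worker count, timings and fixed pipe capacity are constructed assumptions (1 tick = 1 ms).

```python
def simulate(log_every, workers=10, svc=10, submit=50, pipe_cap=20, ticks=10_000):
    """Return (served, blocked_at_end, l_ticks) for a run of `ticks` ms.

    log_every : 1 = every request is audit-logged (SecAuditEngine On, or
                RelevantOnly when every request trips a rule);
                100 = one request in 100 is relevant.
    svc       : ms a worker spends on one request (assumed)
    submit    : ms the collector needs to submit one entry (assumed)
    pipe_cap  : entries the pipe holds before writers block (assumed)
    """
    queue = 0                      # entries waiting in the pipe
    busy = 0                       # ms left on the collector's current entry
    remaining = [svc] * workers    # ms left per worker; 0 = stuck in "L"
    finished = served = l_ticks = 0
    for _ in range(ticks):
        # Collector: strictly one entry at a time.
        if busy:
            busy -= 1
        if not busy and queue:
            queue -= 1
            busy = submit
        for w in range(workers):
            if remaining[w] > 0:
                remaining[w] -= 1
                if remaining[w] > 0:
                    continue
                finished += 1
                if finished % log_every:      # not audit-logged
                    served += 1
                    remaining[w] = svc
                    continue
            # Request is done but its audit entry must be written first.
            if queue < pipe_cap:
                queue += 1
                served += 1
                remaining[w] = svc
            else:
                l_ticks += 1                  # worker waits in "L" state
    blocked = sum(1 for r in remaining if r == 0)
    return served, blocked, l_ticks


if __name__ == "__main__":
    for label, every in (("1 in 100 requests logged", 100),
                         ("every request logged", 1)):
        served, blocked, l_ticks = simulate(every)
        print(f"{label}: served={served} blocked_workers={blocked} "
              f"worker-ms in L={l_ticks}")
```

In this model the logged case is capped at the collector's submission rate regardless of how many workers are free, so under RelevantOnly the request ceiling depends on how many requests trip a rule.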