Security VCL Connection Tracking

Per Buer perbu at varnish-software.com
Thu May 3 19:34:19 CEST 2012


Hi,

On Thu, May 3, 2012 at 5:48 PM, Neha Chriss <nchriss at gmail.com> wrote:

> Hello
>
> I am wondering if anyone can recommend a method of identifying repeated
> POST attempts to a single URI with Security VCL or through some native
> Varnish mechanism. I am currently using Security VCL as a WAF with the
> ModSecurity CRS. We occasionally have malicious users who will attempt to
> brute-force promotion codes, or, alternatively, attempt to scan our web
> application for vulnerabilities. I am looking for a way to mitigate these
> risks at the WAF layer. Any suggestions?
>

You could build something on top of the variable vmod. It probably needs a
data structure that scales better, a hash or a tree. Then you can store
IP address+URL somewhere and count the occurrences and blacklist clients
whenever they pass a threshold. Or something.


-- 
Per Buer
Phone: +47 21 98 92 61 / Mobile: +47 958 39 117 / Skype: per.buer
*Varnish makes websites fly!*
Whitepapers <http://www.varnish-software.com/whitepapers> |
Video<http://www.youtube.com/watch?v=x7t2Sp174eI> |
Twitter <https://twitter.com/varnishsoftware>
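
The counting scheme suggested in the reply above, as an added example that is not part of the original thread and is not Varnish, vmod or Security VCL code. It is a Python model of a hash keyed on IP address+URL with a sliding time window; the class name, threshold, window and sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class PostTracker:
    """Count POSTs per (client IP, URL) and blacklist clients over a threshold."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold = threshold        # assumed: max POSTs per key per window
        self.window = window              # assumed: window length in seconds
        self.hits = defaultdict(deque)    # (ip, url) -> timestamps of recent POSTs
        self.blacklist = set()            # client IPs that passed the threshold

    def allow(self, ip, method, url, now):
        """Return True to pass the request on, False to reject it."""
        if ip in self.blacklist:
            return False                  # blacklisted clients are rejected outright
        if method != "POST":
            return True                   # only POSTs are counted
        stamps = self.hits[(ip, url)]
        stamps.append(now)
        # Forget POSTs that have aged out of the window.
        while now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.threshold:
            self.blacklist.add(ip)
            del self.hits[(ip, url)]      # the counter is no longer needed
            return False
        return True

    def expire(self, now):
        """Drop idle keys so the table does not grow without bound."""
        stale = [k for k, s in self.hits.items() if now - s[-1] > self.window]
        for key in stale:
            del self.hits[key]
        return len(stale)


# Constructed sample traffic: (timestamp, client IP, method, URL).
SAMPLE = [(t, "192.0.2.10", "POST", "/promo/redeem") for t in range(7)]
SAMPLE += [(7, "198.51.100.7", "POST", "/promo/redeem"),
           (8, "192.0.2.10", "GET", "/")]


def replay(requests, **settings):
    """Feed requests through a fresh tracker; return the decisions and the tracker."""
    tracker = PostTracker(**settings)
    return [tracker.allow(ip, m, url, ts) for ts, ip, m, url in requests], tracker
```

A client that stays under the threshold inside each window is never blacklisted, so the threshold and window have to be tuned against legitimate retry behaviour for the protected URI.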