# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# Rule set for detecting Slow HTTP Denial of Service Attacks. 
# 
# http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
#

# 
# Mitigate Slowloris-type slow HTTP attacks
#
SecReadStateLimit 100 

#
# Mitigate Slow HTTP POST attacks
#
# Must have the mod_reqtimeout module installed
# You should adjust the RequestReadTimeout body directive setting to a limit
# that will allow any legitimate slow clients or large file uplaods.
#
<IfModule reqtimeout_module>
RequestReadTimeout body=30 
</IfModule>

SecRule RESPONSE_STATUS "@streq 408" "phase:5,id:'981051',t:none,nolog,pass,setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,id:'981052',t:none,log,drop,msg:'Client Connection Dropped due to high # of slow DoS alerts'"