Do you manage Apache based web server farms with Web Application Firewall (WAF) requirements that revolve primarily around a need for central thresholding/rate limiting features? Have you found an open source WAF solution that fulfills this need? Well if you haven't, I take extra special joy in the public sharing of two open projects that I'm involved with, serving the roles of cheerleader ;), tester and injecting scope creep whenever possible to solve various forms of abuse.
Mark Thomas has accomplished some excellent work on a pair of tools consisting of an Apache2 module 'mod_webfw2' and the 'Thrasher' central rate limiting engine. These tools provide a web application firewall with dynamic rule update features making the "dreaded server farm bounce to enable new or modified rules" a thing of the past. Mod_webfw2 with Thrasher support also make trivial the task of tracking abusive clients across server farms whether those farms consist of one, several or hundreds of hosts.

The tools suite has been deployed successfully in stomping out automated, distributed attacks on web apps that include (and are not limited to) Account Registration interfaces, Authentication, Webmail, Search engines, Comment/Guestbook/Article abuse, Proxy servers and Web Scraper abuse mitigation. While I would never be so foolish as to call these tools an HTTP DDoS silver bullet, we have seen the technology-pair successfully deployed as a mitigation against HTTP resource utilization DoS attacks.

Mod_webfw2/Thrasher does not intend to replace or compete with the deep inspection engine available in the open source mod_security, but they operate quite complementary to one another when you have requirements for the advanced features of mod_security along with the need for centralized rate limiting.

The mod_webfw2 and thrasher project is seeking project testers and contributors.

[All of Article]

The link for this article located at SANS is no longer available.