mod_sec rule for X-forwarded-for blocking

Solution Verified - Updated -

Environment

Red Hat Enterprise Linux 5.5

Issue

mod_sec rule for X-forwarded-for blocking
Description

we are having some nastiness with what appeared to be a distributed (500+ ip's) coming at us from a fake ip, crawling our production site.

we are looking for some help constructing a mod_sec rule that would block by X-Forwarded-For or something similar. the production site has been up and and down since early am.

thanks in advance,

Resolution

Customer determined that mod_security was not the proper solution for this instance. The attack appears to not be a denial of service attack but a crude, distributed screen scrap/search engine like crawling that did not appear to be originating from legitimate search engines. Because the ip's appeared to be coming from behind a proxies, there was concern that a rule like the sample mod_security rule would block all proxy traffic:

   SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" "log,deny,status:403,t:lowercase,msg:'Proxy Server Used'"

Customer instead decided to use the following re-write rule in this case:

RewriteCond %{HTTP:X-FORWARDED-FOR} ^ip_address$
    #RewriteCond %{HTTP:X-FORWARDED-FOR} ^another_ip_address$ [OR]
    RewriteRule .* - [F]

This will work as long as a different proxy IP address is not used.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.