Brief

I have been trying to write rules to protect a website from DoS attacks, and the website has only one page, /index.php. However, each user is identified by a unique token like this: /index.php?a=abcdef. This page sends a lot of AJAX calls that get and post information periodically, as long as the user is active on the page.

Problem

During a DoS attack, I need to block only the specific user using the token ?a=abcdef, which is dynamic. The actual length of the token is around 45 characters, consisting of [a-zA-Z0-9]. The website is visited by either a single user or a user group (more than 10 users) from an IP address. The problem is that, during a DoS attack, when blocking the user, I need to take the token into consideration. However, as far as I understand, unless I use a dynamic variable like tx.dos_counter_%{ARGS_GET}=+1, I may not be able to identify a user uniquely. But when I reference the variable like this, %{tx.dos_counter_%{ARGS_GET}}, to retrieve the value of the dynamic variable, it returns null.

Questions

  1. Is it possible to use dynamic variables, as mentioned above, in ModSecurity?
  2. Is there any other way to handle this problem?

Miscellaneous

This website runs on LAMP stack (Ubuntu) with ModSecurity.

Please help me solve this issue.

Many thanks in advance.

Thanks,

Daniel
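
An added example, not part of the original post and not an answer from the thread: one way to rate-limit per token in ModSecurity 2.x is to key a persistent collection on the token instead of building variable names dynamically in TX. It assumes the AJAX calls carry the same a parameter; the rule ids, data directory, token length bounds and thresholds are constructed placeholders.

```apache
# Added example, not from the original post. Assumptions: ModSecurity 2.x on
# Apache, the AJAX calls carry the same ?a= token, and every rule id, path,
# length bound and threshold below is a constructed placeholder to tune.
SecDataDir /var/cache/modsecurity

# TX variables last for one request only, so a cross-request counter has to
# live in a persistent collection. Key the USER collection on the token, and
# only for well-formed tokens so junk values cannot fill the data store.
SecRule ARGS_GET:a "@rx ^[a-zA-Z0-9]{40,50}$" \
    "id:100100,phase:1,pass,nolog,t:none,\
    initcol:user=%{MATCHED_VAR},\
    setvar:tx.token_ok=1"

# Token already flagged: reject until the flag expires.
SecRule USER:dos_block "@eq 1" \
    "id:100101,phase:1,deny,status:429,log,\
    msg:'Per-token rate limit: token is blocked'"

# Start a 60-second window the first time a token is seen (or after expiry).
SecRule TX:token_ok "@eq 1" \
    "id:100102,phase:1,pass,nolog,chain"
    SecRule &USER:dos_counter "@eq 0" \
        "setvar:user.dos_counter=0,\
        expirevar:user.dos_counter=60"

# Count this request against its token.
SecRule TX:token_ok "@eq 1" \
    "id:100103,phase:1,pass,nolog,\
    setvar:user.dos_counter=+1"

# Over the per-window limit: flag this token, and only this token, for 5 min.
SecRule USER:dos_counter "@gt 300" \
    "id:100104,phase:1,deny,status:429,log,\
    msg:'Per-token rate limit exceeded',\
    setvar:user.dos_block=1,\
    expirevar:user.dos_block=300"
```

Because the page polls periodically, the limit in rule 100104 has to sit above the request count a legitimate active user generates in one 60-second window.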
