Skip to content

modsecurity "failing open" with a large number of requests #3

Open
@mac-chaffee

Description

@mac-chaffee

Looks like if an SPOP request to modsecurity exceeds the timeout processing, the request will be allowed to proceed. Is there some way of configuring HAProxy to "fail closed" when it encounters a timeout?

Here's an example of the behavior. I sent 300 requests, 100 at a time to an haproxy server. This server is using spoa-modsecurity with timeout processing 1s set:

$ hey -n 300 -c 100 -T "text/html" 'https://<myhost>?p=/etc/passwd'

Summary:
  Total:	1.2475 secs
  Slowest:	1.0317 secs
  Fastest:	0.0204 secs
  Average:	0.1325 secs
  Requests/sec:	240.4834

  Total data:	26319 bytes
  Size/request:	87 bytes

Response time histogram:
  0.020 [1]	|
  0.122 [212]	|■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
  0.223 [70]	|■■■■■■■■■■■■■
  0.324 [0]	|
  0.425 [0]	|
  0.526 [0]	|
  0.627 [0]	|
  0.728 [0]	|
  0.829 [0]	|
  0.931 [0]	|
  1.032 [17]	|■■■               <---------- NOTE


Latency distribution:
  10% in 0.0310 secs
  25% in 0.0442 secs
  50% in 0.0670 secs
  75% in 0.1245 secs
  90% in 0.1611 secs
  95% in 1.0182 secs
  99% in 1.0309 secs

Details (average, fastest, slowest):
  DNS+dialup:	0.0245 secs, 0.0204 secs, 1.0317 secs
  DNS-lookup:	0.0012 secs, 0.0000 secs, 0.0046 secs
  req write:	0.0000 secs, 0.0000 secs, 0.0007 secs
  resp wait:	0.1061 secs, 0.0203 secs, 1.0315 secs
  resp read:	0.0000 secs, 0.0000 secs, 0.0002 secs

Status code distribution:
  [200]	17 responses               <---------- NOTE
  [403]	283 responses

Note how 17 requests took slightly longer than 1 second to process, but instead of being denied (403) by modsecurity for trying to access /etc/passwd, the requests went through (200).

This might be a separate issue, but the request distribution also looks suspicious. I'd expect to have a long tail of requests between 0.2 and 1.0 seconds, but instead it's a sharp cliff. Maybe there's some other limit being hit here which causes modsecurity to lock up? I'm running modsecurity with "-n 16" worker threads on a VM with 4 CPUs, for context.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions