Loading large amount of images make modSecurity anti-DDoS crazy

Hi :slight_smile:

I have setup NC for my personnal use, and because it is accessible over Internet I added modSecurity with OWASP Core Rule Set. With some tunning evrything work great except for DDoS protection:

When I load a large amount of family picture (650 files for 4GB) to view them all in browser, modSecurity’s DDoS rules goes crazy and I have a lot errors like this in my Apache log file:

[Mon Feb 11 17:08:24.775736 2019] [:error] [pid 26266:tid 139680477705984] [client <X.X.X.X>:62256] [client <X.X.X.X>] ModSecurity: Access denied with connection close (phase 1). Operator EQ matched 0 at IP. [file "/etc/httpd/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"] [line "111"] [id "912120"] [msg "Denial of Service (DoS) attack identified from <X.X.X.X> (2 hits since last alert)"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-dos"] [hostname "nextcloud.XXXXXX.net"] [uri "/ocs/v2.php/apps/notifications/api/v2/notifications"] [unique_id "XXXXX@XXXXXXXXXXXXXXXX"]

Befor disabeling DDoS protection, does anyone has a similar issue? Any idea of tunning?

Set up:

  • NextCloud 15
  • Apache HTTPD 2.4 / MariaDB on updated Archlinux
  • modSecurity 2.9 / OWASP Core Rule Set 3.0