Issue with Mod security and SecConnReadStateLimit

[sfcheng77]

I am trying to use SecConnReadStateLimit directive to limit the number of connections per IP. If I set the limit to be anything smaller than 256, the website is completely unaccessible. For example, if I set it to 100, here is what I saw from the error log:

[256] of 100 allowed in READ state from 95.133.46.57 - Possible DoS Consumption Attack [Rejected]
[Fri Apr 15 23:23:55.432585 2016] [:warn] [pid 29864] ModSecurity: Access denied with code 400. Too many threads [256] of 100 allowed in READ state from 95.89.152.232 - Possible DoS Consumption Attack [Rejected]
[Fri Apr 15 23:23:55.533879 2016] [:warn] [pid 29840] ModSecurity: Access denied with code 400. Too many threads [256] of 100 allowed in READ state from 1.23.209.87 - Possible DoS Consumption Attack [Rejected]
[Fri Apr 15 23:23:55.545343 2016] [:warn] [pid 29865] ModSecurity: Access denied with code 400. Too many threads [256] of 100 allowed in READ state from 84.176.200.114 - Possible DoS Consumption Attack [Rejected]
[Fri Apr 15 23:23:55.608299 2016] [:warn] [pid 29838] ModSecurity: Access denied with code 400. Too many threads [256] of 100 allowed in READ state from 198.254.253.79 - Possible DoS Consumption Attack [Rejected]

If I set it to 256, the website is accessible but it seems like no limit is applied at all.

Mod Security 2.9.0
WHM 54.0 (build 21)

 

[cPanelMichael]

Hello

Are you able to reproduce this issue when accessing a website associated with another account, or with a static HTML test page on the same domain name?

Thank you.

 

[sfcheng77]

I don't actually want to play with my production server again. It is definitely a bug with mod security. Somebody else has reported it here as well: SecConn[Read/Write]StateLimit Instantly hits limit - ap_get_scoreboard_worker method failing · Issue #843 · SpiderLabs/ModSecurity · GitHub .

I ended up using another mod to solve the problem with mod_limitipconn from mod_limitipconn.c .