ModSecurity + Modified Naxsi
Performance:
ab -n 1000 http://localhost/oauth/token
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /oauth/token
Document Length: 72 bytes
Concurrency Level: 1
Time taken for tests: 1.873 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 275000 bytes
HTML transferred: 72000 bytes
Requests per second: 533.90 [#/sec] (mean)
Time per request: 1.873 [ms] (mean)
Time per request: 1.873 [ms] (mean, across all concurrent requests)
Transfer rate: 143.38 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 1 2 1.1 1 10
Waiting: 0 2 1.1 1 10
Total: 1 2 1.1 1 10
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 2
80% 2
90% 3
95% 5
98% 6
99% 6
100% 10 (longest request)
Observations from the API server runs below (/oauth/token, concurrency 1, 1000 requests, all responses non-2xx):
ModSecurity with no rules loaded costs ca 30% of throughput: 1483 req/s without it, 1057 req/s with it (mean 0.67 ms vs 0.95 ms per request).
Modified Naxsi (Naxsi with Common Hacks/Rules) costs ca 48%: 1443 req/s without, 752 req/s with. ModSecurity without rules therefore handles ca 40% more requests per second than Modified Naxsi, and chaining the two gives 534 req/s (the run at the top of this page).
Modified Naxsi with ca 4k blacklist rules, a setup comparable to ModSecurity's IP blacklist, is ca 98% slower: 24 req/s, mean 41 ms per request.
Adding another 2k rules to Modified Naxsi decreased performance by a further 50%.
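The percentages above are easy to get wrong by hand. As an added example (not part of these notes), the POSIX shell helper below pulls throughput and p99 latency out of ab output, computes the relative drop between two runs, and refuses to compare runs whose response size differs (a run where the WAF itself answered is not comparable to one where the backend answered). The embedded samples are constructed from the figures reported on this page; bench assumes ab is on PATH.

```shell
#!/bin/sh
# Added example, not from the original notes: compare ApacheBench runs.
export LC_ALL=C   # keep awk's decimal point a '.' regardless of locale

# ab_rps: read ab output on stdin, print the mean requests per second.
ab_rps() {
    awk '/^Requests per second:/ { print $4 }'
}

# ab_p99: read ab output on stdin, print the 99th percentile latency (ms).
ab_p99() {
    awk '$1 == "99%" { print $2 }'
}

# doc_len: read ab output on stdin, print the response body size (bytes).
doc_len() {
    awk '/^Document Length:/ { print $3 }'
}

# pct_drop BASE CANDIDATE: throughput lost relative to BASE, one decimal.
pct_drop() {
    awk -v b="$1" -v c="$2" 'BEGIN { printf "%.1f\n", (b - c) / b * 100 }'
}

# compare BASE_OUTPUT CANDIDATE_OUTPUT: print the drop in %, or fail with
# "mismatch" when the two runs did not receive the same response body size
# (e.g. a WAF 403 instead of the backend's own reply).
compare() {
    if [ "$(printf '%s\n' "$1" | doc_len)" != "$(printf '%s\n' "$2" | doc_len)" ]; then
        echo "mismatch" >&2
        return 1
    fi
    pct_drop "$(printf '%s\n' "$1" | ab_rps)" "$(printf '%s\n' "$2" | ab_rps)"
}

# bench URL [N]: run ab once (concurrency 1, like the runs on this page)
# and print "rps p99" for use in scripts.  Requires ab on PATH.
bench() {
    out=$(ab -n "${2:-1000}" "$1")
    printf '%s %s\n' "$(printf '%s\n' "$out" | ab_rps)" "$(printf '%s\n' "$out" | ab_p99)"
}

# Constructed samples: only the lines the helpers read, with the values
# reported on this page for the API server /oauth/token runs.
BASE='Document Length: 72 bytes
Requests per second: 1483.35 [#/sec] (mean)
 99% 1'
MODSEC='Document Length: 72 bytes
Requests per second: 1056.51 [#/sec] (mean)
 99% 1'
NAXSI4K='Document Length: 72 bytes
Requests per second: 24.29 [#/sec] (mean)
 99% 55'

# Example: relative cost of ModSecurity (no rules) on the API server.
compare "$BASE" "$MODSEC"
```

Run the three configurations back to back on the same host (`bench http://localhost/oauth/token` for each) rather than mixing localhost and network runs; the network runs further down are dominated by connect time and say nothing about WAF cost.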
Chain ModSecurity (the fastest blacklist option) with Modified Naxsi. It seems to work (the combined run at the top of this page).
ModSecurity is really fast at blacklists and supports netmask/CIDR entries (@ipMatch and @ipMatchFromFile use a tree lookup, so cost does not grow linearly with the list size).
In Modified Naxsi every blacklisted address or range is its own rule, and the 4k-rule run below shows how badly a linear rule scan scales.
So ModSecurity blocks bad IPs (blacklist) first, and Modified Naxsi inspects whatever gets through for malicious requests.
The cheap IP check rejects the bulk of the unwanted traffic before the expensive rule scan, which keeps the setup fast.
Alternatively, bad IPs can be blocked at the network layer with iptables. The rule below matches the X-Forwarded-For header as a string in the packet payload rather than the packet source address, so it cannot use a netmask/CIDR and larger ranges expand into thousands of entries. I like the way ModSecurity does it.
iptables -I INPUT 1 -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For: 10.1.1.1' -j DROP
(INPUT, or whichever chain port 80 traffic to nginx traverses, in place of the original placeholder chain name.)
Disadvantages: there is no HTTP response, the packet is simply dropped and the client retransmits until it times out. The match is a plain substring, so 'X-Forwarded-For: 10.1.1.1' also hits 10.1.1.10 to 10.1.1.19 and 10.1.1.100 to 10.1.1.199; it only sees plaintext, so it does nothing for HTTPS on 443; it is per packet, so a header split across TCP segments slips through; and it trusts whatever X-Forwarded-For value the sender put there, which matters if the header is not overwritten by a trusted proxy.
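The chain described above, as an added example (not configuration from these notes): ModSecurity rejects blacklisted client addresses from a CIDR-capable list before Modified Naxsi scans the request. Assumed: libmodsecurity v3 with the nginx connector (the older v2 nginx port uses "ModSecurityEnabled on;" and "ModSecurityConfig file;" instead), nginx built with the realip module, a load balancer in 10.0.0.0/8 that sets X-Forwarded-For, and the file paths, upstream name and rule id shown here.

```nginx
# Added example: ModSecurity IP blacklist in front of Naxsi (assumed paths).
#
# /etc/nginx/modsec/blacklist.conf (assumed file):
#   SecRuleEngine On
#   SecRule REMOTE_ADDR "@ipMatchFromFile /etc/nginx/modsec/blacklist.txt" \
#       "id:100001,phase:1,deny,status:403,log,msg:'Blacklisted client IP'"
#
# /etc/nginx/modsec/blacklist.txt (constructed): one address or CIDR per line
#   10.1.1.1
#   192.0.2.0/24
#   198.51.100.0/22

load_module modules/ngx_http_modsecurity_module.so;

events { worker_connections 1024; }

http {
    include /etc/nginx/naxsi_core.rules;   # Naxsi's core signature set

    upstream api_backend { server 127.0.0.1:8080; }   # assumed backend

    server {
        listen 80;

        # Trust only the load balancer's X-Forwarded-For, so that REMOTE_ADDR
        # (and therefore the blacklist check) sees the real client, not the LB.
        # Listing anything wider lets a client spoof its way past the list.
        set_real_ip_from  10.0.0.0/8;
        real_ip_header    X-Forwarded-For;
        real_ip_recursive on;

        # Cheap first stage: ModSecurity with only the IP blacklist loaded.
        # The connector handles request headers before Naxsi's access-phase
        # handler runs, so a blacklisted address never reaches the rule scan.
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/blacklist.conf;

        location / {
            # Expensive second stage: Naxsi scores whatever got through.
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            proxy_pass http://api_backend;
        }

        location /RequestDenied { return 403; }
    }
}
```

Check the ordering rather than assuming it: send a request with `X-Forwarded-For: 10.1.1.1` from a trusted proxy address and confirm the 403 is logged by ModSecurity with nothing in Naxsi's error log; then send a request from a non-blacklisted address with an obvious SQL injection in a query parameter and confirm it lands on /RequestDenied via Naxsi. Benchmark the combined setup with ab the same way as the runs below, since the blacklist check is per request and its cost shows up even for clients that are not listed.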
Below: results with the webapp and the API server.
Webapp
Network tests (unreliable: run over the network against HTTPS with a new TLS connection per request, so connect time dominates the numbers)
ab -n 1000 https://webapp/tedssdsd
This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking webapp (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: webapp
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Document Path: /tedssdsd
Document Length: 24 bytes
Concurrency Level: 1
Time taken for tests: 59.615 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 164000 bytes
HTML transferred: 24000 bytes
Requests per second: 16.77 [#/sec] (mean)
Time per request: 59.615 [ms] (mean)
Time per request: 59.615 [ms] (mean, across all concurrent requests)
Transfer rate: 2.69 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 34 44 8.0 50 63
Processing: 12 15 2.8 17 28
Waiting: 12 15 2.7 17 28
Total: 46 59 10.6 67 82
Percentage of the requests served within a certain time (ms)
50% 67
66% 69
75% 69
80% 69
90% 71
95% 72
98% 73
99% 74
100% 82 (longest request)
ab -n 1000 https://webapp/tedssdsd
This is ApacheBench, Version 2.3 <$Revision: 1706008 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking webapp (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: webapp
Server Port: 443
SSL/TLS Protocol: TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,2048,128
Document Path: /tedssdsd
Document Length: 10300 bytes
Concurrency Level: 1
Time taken for tests: 103.070 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 10621724 bytes
HTML transferred: 10300000 bytes
Requests per second: 9.70 [#/sec] (mean)
Time per request: 103.070 [ms] (mean)
Time per request: 103.070 [ms] (mean, across all concurrent requests)
Transfer rate: 100.64 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 34 47 17.4 51 357
Processing: 42 56 11.0 54 192
Waiting: 42 56 11.0 54 192
Total: 78 103 21.7 103 414
Percentage of the requests served within a certain time (ms)
50% 103
66% 107
75% 110
80% 112
90% 119
95% 131
98% 153
99% 164
100% 414 (longest request)
With Modified Naxsi:
ab -n 1000 http://localhost/test
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /test
Document Length: 10300 bytes
Concurrency Level: 1
Time taken for tests: 44.690 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 10599000 bytes
HTML transferred: 10300000 bytes
Requests per second: 22.38 [#/sec] (mean)
Time per request: 44.690 [ms] (mean)
Time per request: 44.690 [ms] (mean, across all concurrent requests)
Transfer rate: 231.61 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 34 45 11.3 42 170
Waiting: 34 45 11.2 42 170
Total: 34 45 11.3 42 170
Percentage of the requests served within a certain time (ms)
50% 42
66% 44
75% 46
80% 48
90% 54
95% 60
98% 72
99% 84
100% 170 (longest request)
Without Modified Naxsi:
ab -n 1000 http://localhost/test
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /test
Document Length: 10300 bytes
Concurrency Level: 1
Time taken for tests: 41.119 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 10599000 bytes
HTML transferred: 10300000 bytes
Requests per second: 24.32 [#/sec] (mean)
Time per request: 41.119 [ms] (mean)
Time per request: 41.119 [ms] (mean, across all concurrent requests)
Transfer rate: 251.72 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 31 41 9.1 39 162
Waiting: 31 41 9.1 39 162
Total: 31 41 9.1 39 162
Percentage of the requests served within a certain time (ms)
50% 39
66% 41
75% 43
80% 44
90% 48
95% 53
98% 65
99% 73
100% 162 (longest request)
API server:
Without ModSecurity:
ab -n 1000 http://localhost/oauth/token
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /oauth/token
Document Length: 72 bytes
Concurrency Level: 1
Time taken for tests: 0.674 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 275000 bytes
HTML transferred: 72000 bytes
Requests per second: 1483.35 [#/sec] (mean)
Time per request: 0.674 [ms] (mean)
Time per request: 0.674 [ms] (mean, across all concurrent requests)
Transfer rate: 398.36 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 1 1 0.3 1 7
Waiting: 0 1 0.3 1 7
Total: 1 1 0.3 1 7
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 1
90% 1
95% 1
98% 1
99% 1
100% 7 (longest request)
With ModSecurity:
ab -n 1000 http://localhost/oauth/token
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /oauth/token
Document Length: 72 bytes
Concurrency Level: 1
Time taken for tests: 0.947 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 275000 bytes
HTML transferred: 72000 bytes
Requests per second: 1056.51 [#/sec] (mean)
Time per request: 0.947 [ms] (mean)
Time per request: 0.947 [ms] (mean, across all concurrent requests)
Transfer rate: 283.73 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 1 1 0.3 1 7
Waiting: 0 1 0.3 1 7
Total: 1 1 0.3 1 7
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 1
90% 1
95% 1
98% 1
99% 1
100% 7 (longest request)
With Modified Naxsi:
ab -n 1000 http://localhost/oauth/token
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /oauth/token
Document Length: 72 bytes
Concurrency Level: 1
Time taken for tests: 1.330 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 275000 bytes
HTML transferred: 72000 bytes
Requests per second: 751.93 [#/sec] (mean)
Time per request: 1.330 [ms] (mean)
Time per request: 1.330 [ms] (mean, across all concurrent requests)
Transfer rate: 201.93 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 1 1 0.9 1 13
Waiting: 0 1 0.9 1 13
Total: 1 1 0.9 1 13
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 1
90% 2
95% 3
98% 4
99% 5
100% 13 (longest request)
Without Modified Naxsi:
ab -n 1000 http://localhost/oauth/token
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /oauth/token
Document Length: 72 bytes
Concurrency Level: 1
Time taken for tests: 0.693 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 275000 bytes
HTML transferred: 72000 bytes
Requests per second: 1442.71 [#/sec] (mean)
Time per request: 0.693 [ms] (mean)
Time per request: 0.693 [ms] (mean, across all concurrent requests)
Transfer rate: 387.45 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 1 1 0.3 1 6
Waiting: 0 1 0.3 1 6
Total: 1 1 0.3 1 6
Percentage of the requests served within a certain time (ms)
50% 1
66% 1
75% 1
80% 1
90% 1
95% 1
98% 1
99% 1
100% 6 (longest request)
Modified Naxsi with ca 4k rules (blacklist), a setup comparable to ModSecurity's IP blacklist:
ab -n 1000 http://localhost/oauth/token
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking localhost (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx
Server Hostname: localhost
Server Port: 80
Document Path: /oauth/token
Document Length: 72 bytes
Concurrency Level: 1
Time taken for tests: 41.173 seconds
Complete requests: 1000
Failed requests: 0
Non-2xx responses: 1000
Total transferred: 275000 bytes
HTML transferred: 72000 bytes
Requests per second: 24.29 [#/sec] (mean)
Time per request: 41.173 [ms] (mean)
Time per request: 41.173 [ms] (mean, across all concurrent requests)
Transfer rate: 6.52 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.0 0 0
Processing: 20 41 8.6 42 191
Waiting: 17 41 8.6 42 191
Total: 20 41 8.6 42 191
Percentage of the requests served within a certain time (ms)
50% 42
66% 44
75% 45
80% 45
90% 46
95% 48
98% 50
99% 55
100% 191 (longest request)