DOI: 10.3390/app16136460 ISSN: 2076-3417

Log Analysis and Evaluation of DoS Attacks in ModSecurity-Based Web Application Firewalls

Mustafa Kara

This article examines security threats against web applications and the effect of Web Application Firewall (WAF) usage on security. The aim of the study is to evaluate the effectiveness of an open-source ModSecurity-based WAF against application-layer attacks and Denial of Service (DoS) attacks. For this purpose, a test environment with an Ubuntu and Apache2-based reverse proxy architecture was created, and HTTP traffic was analyzed using the OWASP Core Rule Set (CRS), custom security rules, and the mod_qos module. In the experiments, SQL Injection, Cross-Site Scripting (XSS), and DoS attack scenarios were applied, and custom ModSecurity rules operating on HTTP parameters, the URI, and the request body were also developed and tested. The results were evaluated through log records and system performance metrics. With ModSecurity disabled, total CPU usage reached 83% during the DoS attack. After the ModSecurity and mod_qos configurations were enabled, CPU usage decreased to 25%. Log analysis showed that ModSecurity and the OWASP CRS rules successfully analyzed attack traffic and detected abnormal request behaviors and protocol violations. In addition, tests on HTTP parameters, the URI, and the request body verified that the custom rules blocked the offending requests with the HTTP 403 status code. While the security mechanisms limited attack traffic, they did not block legitimate user access, and normal client requests continued to be processed successfully. The experimental results show that the ModSecurity-based WAF architecture provides an effective security solution in terms of detecting attack traffic, protecting system resources, and ensuring service continuity.
