detect flooding
Hey everyone! I need help designing a scenario for a very specific use case and I'm not sure if it's even possible with CrowdSec's bucket types.
What I want to detect:
- Ban IPs that send 17+ POST requests within 1 second (burst attack)
- Allow IPs that spread their requests over longer periods
Examples:
- 17 POST requests in 1 second → BAN ✓
- 17 POST requests in 2 seconds → ALLOW ✓
- 36 POST requests over 18 seconds → ALLOW ✓
- 346 POST requests over 2 hours → ALLOW ✓
What I've tried:
1. Leaky bucket with capacity: 16, leakspeed: 1s:
- Problem: It accumulates events over time, so 36 events in 18s triggers a ban (not what I want)
My question:
Is there a way to detect "X or more events within exactly Y seconds" without triggering on lower rates over longer periods?
Should I:
- Use a different bucket configuration?
- Write a custom parser that calculates the rate and emits special events?
- Accept that this isn't possible with scenarios?
Any guidance would be really appreciated! Thanks!
This is not possible with a leaky bucket, the whole point of it is to better detect slow attacks.
A leaky bucket will leak one event after X amount of seconds.
You have two options here:
1. Increase the bucket capacity
2. Reduce the leak speed to something like 0.5 seconds
Option 2 is probably what you want if you want to detect very high-volume requests.
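A constructed simulation, added here and not part of the thread or of CrowdSec's own code, of how a leaky bucket reacts to the four traffic patterns from the question, once with the original capacity 16 / leakspeed 1s and once with option 2 (leakspeed 0.5s). It assumes the simplified token-refill semantics described in the comments and evenly spaced requests.

```python
# Constructed simulation of a CrowdSec-style leaky bucket against the four traffic
# patterns from the question. Assumed semantics (simplified model, not CrowdSec's source):
# the bucket starts with `capacity` tokens, each event consumes one, tokens refill at a
# rate of one per `leakspeed` seconds, and an event that finds less than one token
# overflows the bucket (i.e. triggers the scenario).

def first_overflow(event_times, capacity, leakspeed):
    """Return the timestamp of the first overflowing event, or None if none overflows."""
    tokens = float(capacity)
    last = None
    for t in sorted(event_times):
        if last is not None:
            # refill for the time elapsed since the previous event, capped at capacity
            tokens = min(float(capacity), tokens + (t - last) / leakspeed)
        last = t
        if tokens < 1.0:
            return t
        tokens -= 1.0
    return None


def evenly_spaced(count, window):
    """`count` event timestamps spread uniformly across `window` seconds (constructed input)."""
    return [i * window / count for i in range(count)]


# The four patterns from the question: (label, request count, window in seconds)
PATTERNS = [
    ("17 POSTs / 1s", 17, 1),
    ("17 POSTs / 2s", 17, 2),
    ("36 POSTs / 18s", 36, 18),
    ("346 POSTs / 2h", 346, 7200),
]


def evaluate(capacity, leakspeed):
    """Map each pattern label to True if that traffic would overflow the bucket (ban)."""
    return {
        label: first_overflow(evenly_spaced(n, window), capacity, leakspeed) is not None
        for label, n, window in PATTERNS
    }


if __name__ == "__main__":
    for capacity, leakspeed in [(16, 1.0), (16, 0.5)]:
        print(f"capacity={capacity} leakspeed={leakspeed}s")
        for label, banned in evaluate(capacity, leakspeed).items():
            print(f"  {label:<16} -> {'BAN' if banned else 'allow'}")
```

With 16 / 1s the 36-in-18s pattern overflows at 15.5s because the net drain of half a token per request accumulates, while with 16 / 0.5s nothing overflows, including the 17-in-1s burst.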
Okay, thank you.
Unfortunately, that doesn't have the desired effect either.
Tried option 2:
Option 1 only reduces the amount of reported incidents.
Would it be possible to use a combination of parser and scenario to map something like this?
Just to make sure I understand, you want to only detect something making more than 17 requests per second, but not (random number) 40 in 3 seconds?
Yes, as soon as more than 17 requests per second are made, the IP should get banned.
Wouldn't it be better to implement a rate limit on the reverse proxy? Then you could just detect rate limit abusers instead.
I do not use any reverse proxy, simple apache setup
Well, Apache is a webserver / reverse proxy and has mod_ratelimit, but I don't know if we support the rate limit logs from apache2.
Thank you, I'll take a look at mod_ratelimit.
However, you can also do this within a scenario, but it will not be as performant and could cost a lot of memory to track a lot of items.
Generated by our MCP tool for a quick mockup; no guarantees it will work or not explode performance.
That's a pity :), it reacts similarly to leaky.
Oops, the MCP forgot an important part.
I updated it, but yeah, it's a pretty niche case to detect; there are probably more things you could tweak, like capacity. However, being honest, I don't know what happens when a conditional has reached its capacity, whether the events are FIFO.
Ok thank you, I will do some more testing with this example.
It still detects 2s and 4s, but looks better overall.
INFO[2025-11-05T13:41:04+01:00] Ip 62.209.38.148 performed 'crowdsecurity/http-rapid-post-flood' (17 events over 2s) at 2025-11-04 11:09:24 +0100 CET
And thank you for the hint to the mcp server. 👍
You can do a combination of both: raise the capacity and lower the leak speed. The leak speed can be lower than 0.5 seconds; you have to tweak the values to find the ones right for your environment.