
From OWASP CRS (ModSecurity) related docs (which I can find in the public domain) I can infer that brute force and DoS protection have been taken care of. However, I am not able to find specific details regarding the rules that prevent DoS. Currently, my server is experiencing brute force attacks of the kinds below:

  1. Same IP, same resource/page at the same time:

    aa.bb.cc.dd 2021-04-27T07:01:37
    aa.bb.cc.dd 2021-04-27T07:01:37
    aa.bb.cc.dd 2021-04-27T07:01:37

  2. Different IPs with the same reverse DNS host, same resource/page at the same time. The first two octets of the IPs remain the same:

    aa.bb.cc.dd 2021-04-27T07:01:37
    aa.bb.ee.ff 2021-04-27T07:01:37
    aa.bb.gg.hh 2021-04-27T07:01:37

Can someone experienced with OWASP CRS let me know if such attacks can be prevented with the CRS?

Update: I am using Apache 2.4. Regarding CRS, I am using version 3.3.0.

Kannan

1 Answer

You didn't write what HTTP server you use - that's important.

I think there are more solutions for your first item. CRS has optional DoS protection, see this section of crs.conf. This can help you in other cases too, e.g. when the resources are different.

Most HTTP servers provide other solutions too, e.g. if you use Apache, check mod_evasive (most distributions provide this as a package). I do not know about a similar solution for Nginx.

Your second issue is rather a DDoS, because the IP addresses are different.

It's a bit out of scope, but you can check fail2ban (also supported by most distros) - maybe that can help you too.

airween
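To make the answer's distinction concrete, here is an added example (not code from the question, the answer, or the CRS project) that replays the two log patterns through a simplified model of the CRS 3.3 DoS-protection counters: a per-client request counter within a burst time slice, and a block once it passes the threshold. The slice and timeout mirror the commented-out defaults of rule 900700 in crs-setup.conf; the threshold is lowered here so the constructed sample trips it, and the real rules in REQUEST-912-DOS-PROTECTION.conf keep more state (and skip static resources) than this model does.

```python
from collections import defaultdict
from datetime import datetime

# Simplified model of the CRS 3.3 DoS counters (rule 900700 / REQUEST-912).
# Slice and timeout are the CRS defaults; the threshold is an assumed low
# value so the short constructed sample below exceeds it.
DOS_BURST_TIME_SLICE = 60    # seconds per counting window (CRS default)
DOS_COUNTER_THRESHOLD = 3    # requests per slice before blocking (assumed, demo value)
DOS_BLOCK_TIMEOUT = 600      # seconds a blocked client stays blocked (CRS default)

# Constructed log lines in the "ip timestamp" shape of the question:
# pattern 1 (one IP bursting) and pattern 2 (one /16, spread over IPs).
SAMPLE_LOG = """\
203.0.113.10 2021-04-27T07:01:37
203.0.113.10 2021-04-27T07:01:37
203.0.113.10 2021-04-27T07:01:37
203.0.113.10 2021-04-27T07:01:38
198.51.100.1 2021-04-27T07:01:37
198.51.100.2 2021-04-27T07:01:37
198.51.100.3 2021-04-27T07:01:37
198.51.100.4 2021-04-27T07:01:38
"""

def parse(log):
    """Yield (ip, unix_time) for each 'ip ISO-timestamp' line."""
    for line in log.splitlines():
        ip, ts = line.split()
        yield ip, datetime.fromisoformat(ts).timestamp()

def slash16(ip):
    """Aggregation key for pattern 2: first two octets only."""
    return ".".join(ip.split(".")[:2])

def simulate(log, key=lambda ip: ip):
    """Replay the log; return {key: [times at which requests were blocked]}.
    key() picks what is counted: the full IP (what CRS does) or a /16 prefix."""
    window_start, counter, blocked_until = {}, defaultdict(int), {}
    blocked = defaultdict(list)
    for ip, t in parse(log):
        k = key(ip)
        if blocked_until.get(k, 0) > t:
            blocked[k].append(t)            # still inside the block timeout
            continue
        start = window_start.get(k)
        if start is None or t - start >= DOS_BURST_TIME_SLICE:
            window_start[k], counter[k] = t, 0   # new time slice, reset counter
        counter[k] += 1
        if counter[k] > DOS_COUNTER_THRESHOLD:
            blocked_until[k] = t + DOS_BLOCK_TIMEOUT
            blocked[k].append(t)
    return dict(blocked)

if __name__ == "__main__":
    print("per IP: ", simulate(SAMPLE_LOG))             # only 203.0.113.10 blocked
    print("per /16:", simulate(SAMPLE_LOG, key=slash16))  # both prefixes blocked
```

Per-IP counting (the CRS model) catches pattern 1 but never blocks pattern 2, since each address in the /16 stays under the threshold; that is the gap the answer points to when it calls the second case a DDoS, and it is why a separate layer (mod_evasive, fail2ban, or an upstream network filter) rather than the DoS rules alone is the place to handle it.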
  • Thanks. Regarding web server, I am using Apache. I will go through the links you have given. – Kannan Apr 27 '21 at 14:14
  • Regarding CRS, I am using version 3.3.0. – Kannan Apr 27 '21 at 14:22
  • Thank you. 3.3.0 is the latest stable version, it's fine. – airween Apr 27 '21 at 14:45
  • A doubt. I found the lines you had mentioned in crs.conf. I am using a WHM/cPanel enabled server with Apache as HTTP server. After un-commenting the lines, do I have to restart Apache? (Sorry for troubling. I am new to server security and lack knowledge/experience.) – Kannan Apr 27 '21 at 14:49
  • No worries :). Yes, you have to restart Apache. – airween Apr 27 '21 at 15:16