ChallengeClient blocks legitimate browsers
alexpacio
22 July 2015, 10:17
I'm here to say that I'm encountering the same problem reported by Anton in the last post.
Challenge mode also seems to block legitimate browsers such as Google Chrome, both in httpheader and in javascript mode.
Hugo Leisink
22 July 2015, 10:27
For the ChallengeClient mode to work, the browser must accept cookies (when in httpheader mode) or not block JavaScript (when in javascript mode). Otherwise, it will block the client as well. But this only happens when the connection threshold is reached. So, set the threshold high enough to make sure that normal busy hours don't trigger this mechanism.
You should only use this option if you occasionally are suffering from (D)DoS attacks. A security rule that has no valid reason for existence can only cause trouble and will never bring any good.
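The behaviour described in the post above, as an added example that is not part of the original thread and is not Hiawatha's own code: a simplified Python model of a cookie challenge that only activates once a connection threshold is exceeded. The class, function names, status strings and the threshold value are assumptions made for illustration.

```python
# Simplified model of a threshold-gated cookie challenge.
# Assumption: this is NOT Hiawatha's implementation, only an illustration.
import secrets

class ChallengeGate:
    def __init__(self, threshold):
        self.threshold = threshold      # open connections before challenges start
        self.open_connections = 0       # set by the caller to simulate load
        self.issued = {}                # ip -> cookie value the client must return
        self.blocked = set()

    def handle(self, ip, cookie=None):
        """Return (status, set_cookie) for one request from ip."""
        if ip in self.blocked:
            return "blocked", None
        if self.open_connections < self.threshold:
            return "served", None       # quiet period: nobody is challenged
        expected = self.issued.get(ip)
        if expected is None:            # first request under load: issue challenge
            self.issued[ip] = secrets.token_hex(8)
            return "challenge", self.issued[ip]
        if cookie is not None and secrets.compare_digest(cookie, expected):
            return "served", None
        self.blocked.add(ip)            # returned without the cookie: treated as a bot
        return "blocked", None

def visit(gate, ip, accepts_cookies):
    """Client side: send a request and retry once if challenged."""
    status, token = gate.handle(ip)
    if status == "challenge":
        status, _ = gate.handle(ip, token if accepts_cookies else None)
    return status

def demo():
    # Constructed sample clients (documentation address range).
    gate = ChallengeGate(threshold=100)
    results = {}
    gate.open_connections = 10          # normal traffic, below the threshold
    results["quiet, cookies off"] = visit(gate, "192.0.2.10", False)
    gate.open_connections = 150         # threshold exceeded
    results["busy, cookies on"] = visit(gate, "192.0.2.20", True)
    results["busy, cookies off"] = visit(gate, "192.0.2.10", False)
    return results

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The same cookie-refusing client is served below the threshold and blocked above it, which is why the threshold has to sit above normal peak load.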
alexpacio
22 July 2015, 12:29
Ok, but if it blocks common browsers at all, it would be useless since there's the connection limit per IP option which covers this.
Are you sure that most browsers will accept the javascript? My default Google Chrome seems to ignore it.
alexpacio
22 July 2015, 12:31
I meant that it is a very great protection in order to know if many connections from the same IP are really generated by a browser or if they are simply bots.
alexpacio
3 August 2015, 16:50
Any idea?
Hugo Leisink
12 August 2015, 08:14
I'm not sure if most browsers accept JavaScript, also because there are a lot of plugins which can block JavaScript. The connection limit per IP helps protect against a DoS. But a DDoS is different. That's why I included the ChallengeClient option. Personally, I don't think that it's a bad thing that the ChallengeClient option blocks some valid clients during a DDoS, because otherwise all clients would be blocked.
This topic has been closed.