What is the highest average damage that a level 10 character can deal in response to being hit or damaged?


Typically, you deal damage by hitting the other guy with a stick (or a fireball) [citation needed]; however, spells like fire shield damage enemies who hit you:

In addition, whenever a creature within 5 feet of you hits you with a melee attack, the shield erupts with flame. The attacker takes 2d8 fire damage from a warm shield, or 2d8 cold damage from a cold shield.

Similarly, hellish rebuke allows you to damage enemies in response to them damaging you. Either way, the enemy wouldn’t have taken damage if they chose to just ignore you. This leads to my question: what is the highest average damage that a level 10 character can deal in response to being hit or damaged?



  • Level 10.
  • May use the PHB and one of the following: EE, MToF, SCAG, VGtM, or XGtE. This restriction extends to spells, as well. (If the spell is one your build allows you to copy from a scroll or spellbook, however, you may pick it from any of those sources.)
  • No variant rules besides multiclassing, feats, and variant human.
  • Up to three magic items from DMG Tables F or G with a maximum rarity of Rare.


  • Four encounters; Combat 1, Combat 2, Short Rest, Combat 3, Combat 4 (each of these events is separated by 30 minutes). The Short Rest is mandatory.
  • Each combat encounter has you face off against two earth elementals. These elementals do not have any damage vulnerabilities, damage immunities, or condition immunities. They keep their damage resistances.
  • Each combat lasts three rounds. All participants get a turn in each round.
  • Enemies move next to the PC and attack normally.
  • Enemies do not make opportunity attacks.
  • For the sake of simplicity, treat enemies and the PC as if they had infinite health.
  • You may not use the Ready action. (Mainly to prevent "I ready blight for when I get damaged" from being the best answer.)
  • Any spell or ability that lasts 10 minutes or longer may be activated before entering combat. Any spell or ability that lasts longer than 8 hours may be activated the day before.
  • You may not spend more than 100 gp on spells that consume costly material components. (So casting identify and find familiar is fine, because identify doesn’t consume its costly component, but casting glyph of warding is not.)
  • You never lose concentration as a result of taking damage.
  • Allies cannot help you, unless you summon/create them yourself (via conjure animals, animate dead, etc.)

Damage calculation

  • Damage should be the average damage per round over the course of the adventuring day.
  • Only count damage dealt to enemies (the earth elementals) in direct response to, and in the same turn as, being hit or damaged. Hellish rebuke is fine. The extra damage dealt by absorb elements is not. You may still deal damage in other ways (in case it’s necessary for setup), you just can’t count it in the total.

SQLmap finds injectable ‘id’ parameter but the response is ‘Internal Server Error’

I am trying to understand the SQLi, so I ran SQLMap with the ‘-vvv’ parameter

4: Show also HTTP requests.

I did scan one of the vulnerable and ‘free to hack’ sites. In one of the requests sent, the response from SQLmap was:

[22:25:10] [DEBUG] got HTTP error code: 500 ('Internal Server Error')

[22:25:10] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --code=200)

I tried to use the same payload GET /showforum.asp?id=1%20AND%20%28SELECT%20CHR%28116%29%7C%7CCHR%28100%29%7C%7CCHR%2885%29%7C%7CCHR%28111%29%20FROM%20SYSIBM.SYSDUMMY1%29%3D%27tdUo%27 in Burp, but it keeps throwing me a 500 error.

Can someone explain to me how exactly SQLmap came to the conclusion that the parameter ID is injectable while there was an error? I tried to compare different 500 error responses, but there is no difference between this specific payload and other ones.

Any answer will be appreciated, thanks.

Adding Expect-CT header to HTTP response

In the security test report, I have a recommendation to add the Expect-CT header to the HTTP response from the web application. Additionally, developers set this to:

Expect-CT: max-age=0, report-uri=

I am not sure if it is a good idea to add this header. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT:

“The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.”

So because certificates are expected to support SCTs by default I do not think that this header makes any sense.

When it comes to configuration according to https://scotthelme.co.uk/a-new-security-header-expect-ct/ max-age=0, report-uri= means:

“This policy is deployed in report-only mode and if the browser doesn’t receive CT information that it’s happy with, referred to as not being ‘CT Qualified’, rather than terminate the connection it will simply send a report to the specified report-uri value.”

Because I don’t have a URI here, the report will not be sent, so there is no additional security at all.

On the other hand, I see that some popular websites like LinkedIn still use this header. The example from LinkedIn:

Expect-CT: max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"
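
The two header values discussed in this question, run through a small parser that reports what each policy actually asks a browser to do. This is an added example, not code from the original post; the function names and mode labels are hypothetical, an empty report-uri is treated as absent, and the third sample is constructed.

```python
import re
from typing import NamedTuple, Optional

# A directive is a name, optionally followed by =value (quoted string or bare token).
_DIRECTIVE = re.compile(r'([A-Za-z-]+)\s*(?:=\s*("[^"]*"|[^,]*))?')

class ExpectCTPolicy(NamedTuple):
    max_age: Optional[int]      # None when missing or not a number
    enforce: bool
    report_uri: Optional[str]   # None when missing or empty

def parse_expect_ct(value: str) -> ExpectCTPolicy:
    directives = {}
    for name, raw in _DIRECTIVE.findall(value):
        # The first occurrence of a directive wins; quotes are stripped.
        directives.setdefault(name.lower(), raw.strip().strip('"'))
    age = directives.get("max-age", "")
    return ExpectCTPolicy(
        max_age=int(age) if age.isascii() and age.isdigit() else None,
        enforce="enforce" in directives,
        report_uri=directives.get("report-uri") or None,
    )

def effective_mode(policy: ExpectCTPolicy) -> str:
    """Labels are this example's own: invalid, enforce, report-only, no-op."""
    if policy.max_age is None:
        return "invalid"        # max-age is the one required directive
    if policy.enforce and policy.max_age > 0:
        return "enforce"        # remembered by the browser and enforced
    if policy.report_uri:
        return "report-only"    # violations are reported, connection continues
    return "no-op"              # nothing enforced, nowhere to send a report

SAMPLES = {
    "header from the report": "max-age=0, report-uri=",
    "LinkedIn": 'max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"',
    "constructed": 'enforce, max-age=86400, report-uri="https://report.example/ct"',
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label}: {effective_mode(parse_expect_ct(header))}")
```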

Can the Shield spell be cast in response to being hit by an invisible enemy?

Let’s say I have a PC with the shield spell. I’m not surprised, and an invisible enemy hits me with an attack. My DM has not yet told me the attack roll number, so I am in a position to cast shield if I choose to.

However, the enemy is invisible, so would I be able to cast shield in response to an attacker I can’t see? Let’s assume the attacker is permanently invisible, like they’re using the greater invisibility spell. On the one hand, the shield spell simply says:

1 Reaction*
* – which you take when you are hit by an attack or targeted by the magic missile spell

There’s no mention of needing to see the creature.

On the other hand, it seems wrong to me that I can react to an attack I can’t see coming.

Are there any rules I’ve missed that would prevent the shield spell from being cast in this scenario?

Block SYN,ACK response with iptables

I have a virtual environment and I am making a SYN flood attack on an Ubuntu Server’s port 53 using Kali 2020.

I realized that a countermeasure for this attack is to limit or block the responses to the SYN packets, which are the SYN,ACK.

But how can I do this with iptables?

What else should be done to prevent that kind of attack?

modsec 2.9.2 – response body: transformed: dechunked

I would appreciate it if someone could point me to the right way of solving this.

I have a POST for a refresh token and modsec closes the connection(?); the browser goes into an endless loop back and forth. I am using Apache 2.4.6 and modsec 2.9.2 in CentOS 7.

  1. Can I disable modsec engine completely for this request?

  2. It doesn’t say “rule matched” in the H header, and the K section in the audit lists too many rules to post here (but I can post it if someone needs it)

--522ec87e-F--
HTTP/1.1 400 Bad Request
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Access-Control-Allow-Origin: https://mysite.com
Access-Control-Allow-Credentials: true
Content-Type: application/json
Content-Length: 69
X-XSS-Protection: 1; mode=block
Connection: close

--522ec87e-H--
Apache-Handler: proxy-server
Stopwatch: 1585504125443097 26443 (- - -)
Stopwatch2: 1585504125443097 26443; combined=7503, p1=367, p2=6899, p3=71, p4=124, p5=41, sr=64, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "ENABLED"

--522ec87e-Z--
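
A triage helper for an audit-log entry like the one above, added here as an example (not from the original post or the ModSecurity project). It splits the entry into its lettered sections and checks whether section H records a rule hit (a "Message:" line) or a block ("Action: Intercepted"); the function names are hypothetical and the sample is an excerpt of the posted entry with one header per line.

```python
import re

# Excerpt of the audit-log entry from the post, one header per line.
ENTRY = """\
--522ec87e-F--
HTTP/1.1 400 Bad Request
Content-Type: application/json
Content-Length: 69
Connection: close

--522ec87e-H--
Apache-Handler: proxy-server
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "ENABLED"

--522ec87e-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$", re.M)

def split_sections(entry):
    """Map each section letter to the non-empty lines of that section."""
    parts = BOUNDARY.split(entry)  # [preamble, id, letter, body, id, letter, body, ...]
    return {parts[i + 1]: [l for l in parts[i + 2].splitlines() if l.strip()]
            for i in range(1, len(parts) - 2, 3)}

def triage(entry):
    sections = split_sections(entry)
    h_lines = sections.get("H", [])
    h = dict(l.split(": ", 1) for l in h_lines if ": " in l)
    status_line = sections.get("F", [""])[0].split()
    return {
        "status": int(status_line[1]) if len(status_line) > 1 else None,
        # Each rule that matched is logged in H as its own "Message:" line.
        "rule_messages": sum(l.startswith("Message:") for l in h_lines),
        # A request blocked by the engine carries "Action: Intercepted (phase N)".
        "intercepted": h.get("Action", "").startswith("Intercepted"),
        "handler": h.get("Apache-Handler"),
        "engine_mode": h.get("Engine-Mode", "").strip('"'),
    }

if __name__ == "__main__":
    print(triage(ENTRY))
```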

Increase of Googlebot response time after CDN implementation

Problem: We have a site hosted in Germany that is suffixed with “.de”. Recently, we implemented a CDN with Cloudflare. Shortly after, our Googlebot response times increased from 60-100ms to 400-500ms. We noticed that Googlebot requests originate from the US. However, this is the usual case, as we learned.

There are solutions to overcome this, e.g. caching. However, our goal is to understand the underlying change that led to the increase. We have reviewed a lot of our config in the last few days and haven’t yet understood the problem. Cloudflare uses anycast IPs, thus a website cannot necessarily be geolocated.

Our current hypothesis: The Googlebot takes into account that a site is hosted on a different continent and subtracts a certain amount of response time.

Question aim: Receive hints on what to look for to understand the underlying cause.