Chris,

On 5/14/2019 12:15 PM, Christopher Schultz wrote:

All,

bump

It's hard to see anything with all the commit messages :)

On 5/9/19 12:52, Christopher Schultz wrote:
All,

What are the options we might have to "punish" an HTTP client that
we don't like for some reason?

Specifically, I'd like to be able to write a servlet that ties-up
the response to the client for a while for some bad behavior. For
example, maybe lots of authentication attempts or some other
criteria. Maybe even just a single bad authentication attempt.

How do you identify the bad actor on subsequent requests? By its IP address?

I'm thinking of something along these lines:

public void doGet(...) {

    ...

    if(shouldPunishClient(...)) {
        request.setAttribute("delay-client", Boolean.TRUE);
        return;
    }

    ...
}

Or maybe even specify a time-out.

Then, Tomcat observes that the servlet or filter wants to put the
response into the penalty box and, instead of flushing the
response and (possibly) closing the connection, it just sits-around
for a while, keeping the connection open.

Wouldn't that punish Tomcat by keeping the connection open? Open the door for DDoS attacks?

I would think that a better way to do it is to flush and close the request immediately, and then block the IP address for X seconds.

The poller usually waits for data to become available on either end
of the connection and pushes the bytes. How complicated would it be
to put connections into a queue where they wait some amount of
time before being flushed/closed/returned to the connection pool?
In this case, the only stimulus for taking action is the passage of
time, not arrival of data on a stream.

Any thoughts about how this could be done?

You mean as part of the NIO implementation?

Clearly, a simple Thread.sleep() would do the trick in terms of
just making the client wait, but the point would be to make the
client wait without a performance impact on the server.

If you really want to punish a client then send back a "302 http://aol.com" ;-)

Best,

Igal
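As an added illustration of the approach Igal describes (answer immediately, then block the client's address for X seconds) combined with Chris's idea of a request attribute set by the application, here is a servlet filter. It is example code written for this thread, not Tomcat code. The attribute name "penalize-client", the strike threshold, the 30-second block window and the use of HTTP 429 are all assumptions; the thread itself only sketched a "delay-client" attribute.

```java
import java.io.IOException;
import java.time.Clock;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of Tomcat). The application marks a bad request by
 * setting the request attribute "penalize-client"; after enough strikes the
 * filter blocks that client address for a fixed window and answers blocked
 * clients at once with 429. No thread sleeps and no connection is parked, so
 * the penalty costs the server nothing beyond a map entry.
 */
public class PenaltyBoxFilter implements Filter {

    static final String PENALIZE_ATTR = "penalize-client"; // assumed name
    static final int STRIKES_BEFORE_BLOCK = 3;             // assumed policy
    static final long BLOCK_MILLIS = 30_000L;              // assumed "X seconds"

    private static final class ClientState {
        int strikes;
        long blockedUntil; // epoch millis; 0 means not blocked
    }

    private final ConcurrentMap<String, ClientState> clients = new ConcurrentHashMap<>();
    private final Clock clock;

    public PenaltyBoxFilter() { this(Clock.systemUTC()); }
    PenaltyBoxFilter(Clock clock) { this.clock = clock; } // injectable for tests

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String client = request.getRemoteAddr();

        long remaining = blockedFor(client);
        if (remaining > 0) {
            // Reject immediately: a short body, a Retry-After hint, and the
            // connection goes straight back to Tomcat instead of into a sleep.
            response.setStatus(429);
            response.setHeader("Retry-After", Long.toString((remaining + 999) / 1000));
            response.setContentType("text/plain");
            response.getWriter().print("Too many requests");
            return;
        }

        chain.doFilter(request, response);

        // The servlet behind us decides what counts as bad behaviour.
        if (Boolean.TRUE.equals(request.getAttribute(PENALIZE_ATTR))) {
            recordStrike(client);
        }
    }

    /** Milliseconds the client remains blocked, or 0 if it may proceed. */
    long blockedFor(String client) {
        ClientState s = clients.get(client);
        if (s == null) return 0;
        synchronized (s) {
            long remaining = s.blockedUntil - clock.millis();
            if (remaining <= 0 && s.blockedUntil != 0) {
                // The penalty has expired; forgive the earlier strikes.
                s.blockedUntil = 0;
                s.strikes = 0;
            }
            return Math.max(remaining, 0);
        }
    }

    /** Count one bad request; at the threshold, block for BLOCK_MILLIS. */
    void recordStrike(String client) {
        ClientState s = clients.computeIfAbsent(client, k -> new ClientState());
        synchronized (s) {
            s.strikes++;
            if (s.strikes >= STRIKES_BEFORE_BLOCK) {
                s.blockedUntil = clock.millis() + BLOCK_MILLIS;
            }
        }
    }
}
```

Two caveats a deployment would need: the map grows with every distinct address and needs periodic eviction of expired entries, and getRemoteAddr() returns the proxy's address when Tomcat sits behind a reverse proxy unless RemoteIpValve (or an equivalent) is configured to restore the real client address, which is exactly the identification problem raised above.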


