Chris,
On 5/14/2019 12:15 PM, Christopher Schultz wrote:
All,
bump
It's hard to see anything with all the commit messages :)
On 5/9/19 12:52, Christopher Schultz wrote:
All,
What are the options we might have to "punish" an HTTP client that
we don't like for some reason?
Specifically, I'd like to be able to write a servlet that ties up
the response to the client for a while for some bad behavior. For
example, maybe lots of authentication attempts or some other
criteria. Maybe even just a single bad authentication attempt.
How do you identify the bad actor on subsequent requests? By its IP
address?
I'm thinking of something along these lines:
public void doGet(...) {
    ...
    if (shouldPunishClient(...)) {
        request.setAttribute("delay-client", Boolean.TRUE);
        return;
    }
    ...
}
Or maybe even specify a time-out.
Then, Tomcat observes that the servlet or filter wants to put the
response into the penalty box and, instead of flushing the
response and (possibly) closing the connection, it just sits around
for a while, keeping the connection open.
Wouldn't that punish Tomcat by keeping the connection open? Open the
door for DDoS attacks?
I would think that a better way to do it is to flush and close the
request immediately, and then block the IP address for X seconds.
The poller usually waits for data to become available on either end
of the connection and pushes the bytes. How complicated would it be
to put connections into a queue where they wait some amount of
time before being flushed/closed/returned to the connection pool?
In this case, the only stimulus for taking action is the passage of
time, not arrival of data on a stream.
Any thoughts about how this could be done?
You mean as part of the NIO implementation?
Clearly, a simple Thread.sleep() would do the trick in terms of
just making the client wait, but the point would be to make the
client wait without a performance impact on the server.
If you really want to punish a client then send back a "302
http://aol.com" ;-)
Best,
Igal
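One way to do what Igal describes above, as an added example that is not part of this thread or of Tomcat's own code base: a servlet Filter that answers a penalised address immediately with a 429 and keeps the penalty window in memory, so no connection or request thread is held. The class name PenaltyBoxFilter, the penalise() hook, the 30-second window and the assumption that no reverse proxy sits in front of Tomcat are mine, not the thread's.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Example filter (not Tomcat code): reject a penalised address at once rather
// than holding its connection open. Names and the 30 s window are assumptions.
public class PenaltyBoxFilter implements Filter {
    // remote address -> epoch millis until which the address is penalised
    private static final Map<String, Long> PENALTY_BOX = new ConcurrentHashMap<>();
    private static final long PENALTY_MILLIS = 30_000L;
    /** Called by the application, e.g. after a failed login, to start the clock. */
    public static void penalise(String remoteAddr) {
        PENALTY_BOX.put(remoteAddr, System.currentTimeMillis() + PENALTY_MILLIS);
    }

    /** True while the address is inside its window; expired entries are dropped. */
    static boolean isPenalised(String remoteAddr, long now) {
        Long until = PENALTY_BOX.get(remoteAddr);
        if (until == null) return false;
        if (now >= until) {
            PENALTY_BOX.remove(remoteAddr, until); // only if still the same entry
            return false;
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getRemoteAddr() is the TCP peer; behind a reverse proxy, Tomcat's
        // RemoteIpValve is needed for it to be the real client (assumed: no proxy).
        if (isPenalised(request.getRemoteAddr(), System.currentTimeMillis())) {
            // Answer immediately so Tomcat can release the connection: no thread
            // or socket is tied up, so the server is not the one being punished.
            response.setStatus(429);
            response.setHeader("Retry-After", String.valueOf(PENALTY_MILLIS / 1000));
            response.getWriter().write("Too many requests; try again later.\n");
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Register it with a filter-mapping in web.xml (or a @WebFilter annotation) and call PenaltyBoxFilter.penalise(request.getRemoteAddr()) wherever the application decides a client has misbehaved.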