On 14/05/2019 20:38, Igal @ Lucee.org wrote:
> On 5/14/2019 12:15 PM, Christopher Schultz wrote:

<snip/>

>>> Then, Tomcat observes that the servlet or filter wants to put the
>>> response into the penalty box and, instead of flushing the
>>> response and (possibly) closing the connection, it just sits-around
>>> for a while, keeping the connection open.
>
> Wouldn't that punish Tomcat by keeping the connection open? Open the
> door for DDoS attacks?

I don't think so. An open connection alone isn't going to be enough to
trigger a DoS (on a reasonably configured server). It won't make an
existing DoS any worse. You'd still need DoS protection.

If you do it right, the client will just think the server is being slow.

> I would think that a better way to do it is to flush and close the
> request immediately, and then block the IP address for X seconds.

I'd suggest putting the request into async mode with a predefined
timeout and a listener to handle the timeout. That way, no extra Tomcat
plumbing is required - and your solution is portable across Servlet
containers.

Mark
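
The approach suggested in the reply above (async mode, a predefined timeout, and a listener that handles the timeout), sketched as an added example that is not part of the original message or of Tomcat's code. It uses only the standard javax.servlet API; the class name, the 10-second delay, the 403 status and the "penalize" request attribute (assumed to be set by an earlier filter) are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: name, delay, status and the "penalize" attribute are assumptions.
@WebFilter(urlPatterns = "/*", asyncSupported = true)
public class PenaltyBoxFilter implements Filter {
    private static final long PENALTY_MILLIS = 10_000L; // time spent in the penalty box

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assumed contract: an earlier filter marks requests that should be delayed.
        boolean penalize = req.getAttribute("penalize") != null;
        if (!penalize || !req.isAsyncSupported()) {
            chain.doFilter(req, res);
            return;
        }
        // Async mode releases the container thread; only the connection stays open.
        AsyncContext ctx = req.startAsync();
        ctx.setTimeout(PENALTY_MILLIS);
        ctx.addListener(new AsyncListener() {
            @Override public void onTimeout(AsyncEvent event) {
                // The delay has elapsed: answer now, so the client only sees a slow server.
                AsyncContext ac = event.getAsyncContext();
                ((HttpServletResponse) ac.getResponse())
                        .setStatus(HttpServletResponse.SC_FORBIDDEN);
                ac.complete(); // without complete()/dispatch() the container sends an error
            }
            @Override public void onError(AsyncEvent event) {
                event.getAsyncContext().complete(); // e.g. the client hung up early
            }
            @Override public void onComplete(AsyncEvent event) { }
            @Override public void onStartAsync(AsyncEvent event) { }
        });
        // Return without calling chain.doFilter(): nothing is written until the timeout.
    }
}
```

Every filter that runs before this one on the same request must also declare asyncSupported, otherwise isAsyncSupported() returns false and the request passes through undelayed.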
