Mark,
On 5/14/19 15:47, Mark Thomas wrote:
> On 14/05/2019 20:38, Igal @ Lucee.org wrote:
>> On 5/14/2019 12:15 PM, Christopher Schultz wrote:
>
> <snip/>
>
>>>> Then, Tomcat observes that the servlet or filter wants to put the response into the penalty box and, instead of flushing the response and (possibly) closing the connection, it just sits-around for a while, keeping the connection open.
>>
>> Wouldn't that punish Tomcat by keeping the connection open? Open the door for DDoS attacks?
>
> I don't think so.
>
> An open connection alone isn't going to be enough to trigger a DoS (on a reasonable configured server).
>
> It won't make an existing DoS any worse. You'd still need DoS protection.
>
> If you do it right, the client will just think the server is being slow.
>
>> I would think that a better way to do it is to flush and close the request immediately, and then block the IP address for X seconds.
>
> I'd suggest putting the request into async mode with a predefined timeout and a listener to handle the timeout.
>
> That way, no extra Tomcat plumbing is required - and your solution is portable across Servlet containers.

That is interesting, but I'd want to trigger it on authentication failure. If using Tomcat's authentication, I don't think the application has an opportunity to intercept, does it?

I guess a Filter could work, but the Filter needs to know that the authentication failed. Can a Filter switch a connection from "normal" mode to async mode?
-chris
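Mark's suggestion above (a Filter that parks a failed login in async mode with a predefined timeout and a listener), written out as an added example; this is not code from the thread or from Tomcat. It assumes Servlet 4.0 (Tomcat 9, `javax.servlet` namespace, where `Filter.init`/`destroy` have default implementations), that the application's own login servlet reports failure by setting a hypothetical request attribute `login.failed` instead of writing the 401 itself (container-managed authentication runs before filters, so a Filter cannot observe that failure), and that the filter is declared with `asyncSupported = true`.

```java
import java.io.IOException;
import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// asyncSupported = true is mandatory: without it startAsync() throws IllegalStateException.
@WebFilter(urlPatterns = "/login", asyncSupported = true)
public class LoginDelayFilter implements Filter {
    // Hypothetical attribute the application's login servlet sets on a failed
    // attempt instead of writing the 401 itself (assumed contract, not a Tomcat API).
    static final String FAILED_ATTR = "login.failed";
    private static final long FAILURE_DELAY_MS = 3_000; // constructed delay value

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res); // let the application decide whether the login succeeded
        if (!Boolean.TRUE.equals(req.getAttribute(FAILED_ATTR)) || res.isCommitted()) {
            return; // success, or the response is already on the wire: nothing to delay
        }
        // Failed login: park the request. The request-processing thread returns to
        // the pool right away; only the connection stays open, so the client just
        // sees a slow server.
        AsyncContext ctx = req.startAsync();
        ctx.setTimeout(FAILURE_DELAY_MS);
        ctx.addListener(new AsyncListener() {
            @Override public void onTimeout(AsyncEvent event) throws IOException {
                AsyncContext c = event.getAsyncContext();
                ((HttpServletResponse) c.getResponse()).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                c.complete(); // without complete() the container treats the timeout as an error
            }
            @Override public void onComplete(AsyncEvent event) {}
            @Override public void onError(AsyncEvent event) {}
            @Override public void onStartAsync(AsyncEvent event) {}
        });
    }
}
```

Every filter that ran earlier in the chain for the same request must also be declared `asyncSupported = true`, otherwise `startAsync()` fails; and the parked request occupies a connection slot rather than a thread, so the container's existing connection limits are what bound the cost.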