It seems you can easily fix this using any number of servers (
https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks)
but not Jetty, which isn't really designed for critical production usage.
However if this is truly critical to your organization there are plenty of
commercial support organisations (http://geoserver.org/support/) who may be
able to help.
All the best
Ian
On 26 May 2017 at 13:25, Himani Aggarwal <[email protected]> wrote:
> Hi
>
> I have recently started using GeoServer 2.11.
>
> As part of my organisation's requirement I had run a security scan on the
> server and found a Slow HTTP Denial of Service attack open.
>
> I tried using the DoS filter for Jetty as below in webapps/geoserver/web.xml,
> however, the issue still persists and I could not find any other way to
> mitigate this risk on the GeoServer.
>
> Request if you could help me on this ASAP as my urgent release is on hold
> in the absence of fixing this risk.
>
> <filter>
>   <filter-name>DoSFilter</filter-name>
>   <filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>
>   <!-- one <param-name>/<param-value> pair per <init-param> -->
>   <init-param>
>     <param-name>maxRequestsPerSec</param-name>
>     <param-value>30</param-value>
>   </init-param>
>   <init-param>
>     <param-name>delayMs</param-name>
>     <param-value>0</param-value>
>   </init-param>
>   <init-param>
>     <param-name>maxRequestMs</param-name>
>     <param-value>10000</param-value>
>   </init-param>
>   <init-param>
>     <param-name>maxIdleTrackerMs</param-name>
>     <param-value>10000</param-value>
>   </init-param>
>   <async-supported>true</async-supported>
> </filter>
>
> <filter-mapping>
>   <filter-name>DoSFilter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> Regards
>
> Himani Aggarwal
>
> _______________________________________________
> Geoserver-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
Ian Turton
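Added example for this thread (not code from GeoServer, Jetty or either poster): a small linter for the DoSFilter block of a web.xml. It flags the structural defect in the configuration quoted above, where four name/value pairs sit inside a single <init-param>; the servlet descriptor allows exactly one <param-name> and one <param-value> per <init-param>, so the remaining settings are never applied. The sample web.xml embedded below is constructed to mirror the quoted fragment. One caveat worth keeping in mind regardless of the fix: DoSFilter is a request-rate limiter that runs only after Jetty has parsed a complete request line and headers, so a slow-header attack never reaches it; that exposure is handled by the connector's idle timeout or, as Ian suggests, by a front-end server (the Qualys article covers Apache's mod_reqtimeout and nginx's client_header_timeout/client_body_timeout).

```python
"""Lint the DoSFilter block of a Jetty web.xml (e.g. GeoServer's webapps/geoserver/web.xml).

Added example for this mailing-list thread, not code from GeoServer or Jetty.
"""
import xml.etree.ElementTree as ET
from copy import deepcopy

DOS_FILTER_CLASS = "org.eclipse.jetty.servlets.DoSFilter"

# Init-params documented for Jetty's DoSFilter; the numeric ones must be integers.
NUMERIC_PARAMS = {"maxRequestsPerSec", "delayMs", "throttledRequests", "maxWaitMs",
                  "throttleMs", "maxRequestMs", "maxIdleTrackerMs"}
KNOWN_PARAMS = NUMERIC_PARAMS | {"trackSessions", "insertHeaders", "remotePort",
                                 "ipWhitelist", "managedAttr"}

# Constructed sample mirroring the thread's web.xml fragment, defect included:
# four name/value pairs inside one <init-param>.
BROKEN_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>DoSFilter</filter-name>
    <filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>
    <init-param>
      <param-name>maxRequestsPerSec</param-name>
      <param-value>30</param-value>
      <param-name>delayMs</param-name>
      <param-value>0</param-value>
      <param-name>maxRequestMs</param-name>
      <param-value>10000</param-value>
      <param-name>maxIdleTrackerMs</param-name>
      <param-value>10000</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>DoSFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""


def _local(tag):
    """Drop the '{namespace}' prefix so files with or without the Java EE namespace parse alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def _find_dos_filter(root):
    for flt in root.iter():
        if _local(flt.tag) == "filter":
            cls = _children(flt, "filter-class")
            if cls and _text(cls[0]) == DOS_FILTER_CLASS:
                return flt
    return None


def lint_dos_filter(xml_text):
    """Return a list of findings; an empty list means the DoSFilter block is well-formed."""
    root = ET.fromstring(xml_text)
    flt = _find_dos_filter(root)
    if flt is None:
        return ["no <filter> with filter-class " + DOS_FILTER_CLASS]
    findings = []
    for ip in _children(flt, "init-param"):
        names, values = _children(ip, "param-name"), _children(ip, "param-value")
        if len(names) != 1 or len(values) != 1:
            findings.append("init-param holds %d names and %d values; the servlet schema "
                            "allows one pair per <init-param>" % (len(names), len(values)))
            continue
        name, value = _text(names[0]), _text(values[0])
        if name not in KNOWN_PARAMS:
            findings.append("unknown DoSFilter parameter %r" % name)
        elif name in NUMERIC_PARAMS and not value.isdigit():
            findings.append("%s must be an integer, got %r" % (name, value))
    fn = _children(flt, "filter-name")
    filter_name = _text(fn[0]) if fn else ""
    mapped = any(_local(m.tag) == "filter-mapping" and
                 any(_text(n) == filter_name for n in _children(m, "filter-name"))
                 for m in root.iter())
    if not mapped:
        findings.append("filter %r has no <filter-mapping>" % filter_name)
    return findings


def dos_filter_params(xml_text):
    """Map DoSFilter init-param name -> value, counting only well-formed one-pair init-params."""
    flt = _find_dos_filter(ET.fromstring(xml_text))
    params = {}
    for ip in (_children(flt, "init-param") if flt is not None else []):
        names, values = _children(ip, "param-name"), _children(ip, "param-value")
        if len(names) == 1 and len(values) == 1:
            params[_text(names[0])] = _text(values[0])
    return params


def split_init_params(xml_text):
    """Rewrite any init-param carrying several pairs into one <init-param> per pair; return new XML."""
    root = ET.fromstring(xml_text)
    flt = _find_dos_filter(root)
    if flt is not None:
        for ip in list(_children(flt, "init-param")):
            names, values = _children(ip, "param-name"), _children(ip, "param-value")
            if len(names) <= 1:
                continue
            pos = list(flt).index(ip)
            flt.remove(ip)
            for name, value in zip(names, values):
                fixed = ET.Element(ip.tag)
                fixed.append(deepcopy(name))
                fixed.append(deepcopy(value))
                flt.insert(pos, fixed)
                pos += 1
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", lint_dos_filter(BROKEN_WEB_XML))
    fixed_xml = split_init_params(BROKEN_WEB_XML)
    print("after:", lint_dos_filter(fixed_xml), dos_filter_params(fixed_xml))
```

Running it against the constructed sample reports the single multi-pair init-param; after split_init_params the lint is clean and all four parameters are visible. Point it at a real web.xml with `lint_dos_filter(open(path).read())` to confirm the descriptor is structurally what you intended before spending time on the filter's tuning.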