Re: tomcat - thread per connection model
Hi - Not sure about one thing - what if someone opens up a 100 odd connections and sends data over the pipe slowly ? This will definitely keep that particular server (Tomcat 4.1.24) busy for a long time and no new user can get in. In this case, the throttling logic in tomcat will probably do nothing. Am I mistaken ? Also, what is disableUploadTimeout ? I didn't find any doc. about this. If it is set to false, how can I configure a longer timeout for reading requests ? Thanks in advance Rau NF [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi - Since tomcat implements a thread per connection model (as per the spec), would it be open to a DoS attack if it does not have an Apache server in front of it ? ie keep all threads busy servicing slow requests and valid users can't get in. On my tests, Tomcat stands up pretty well to a DoS attack. It will become slow if I have one machine saturate it with requests, but they all eventually get served. Tomcat 5 has additional logic to throttle connections if the load becomes high, so I'd guess that a DoS attack against it (with the default settings) is almost impossible (you would need a DDoS attack, since one machine couldn't maintain the concurrency necessary to shut Tomcat down). Assuming there is no apache server in front of tomcat and tomcat is serving everything, what's a reasonable connection timeout value? I know this is application specific but it would be interesting to hear about this. The goal obviously is to serve as many users as possible without having to create too many threads. I tend to use 5sec (which is 5000 in server.xml), since most of my apps write back very quickly. Some people prefer 15sec; The current default for Tomcat 4 is 1min. Like anything else, it depends on your app. If you typically start sending back data that includes links to images/style-sheets very quickly, then you want a low number. Even if not, I prefer to set disableUploadTimeout=false to use the longer time to read the request body. __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat - thread per connection model
Rau NF [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi - Not sure about one thing - what if someone opens up a 100 odd connections and sends data over the pipe slowly ? This will definitely keep that particular server (Tomcat 4.1.24) busy for a long time and no new user can get in. In this case, the throttling logic in tomcat will probably do nothing. Am I mistaken ? If they send too slowly, the request will timeout (resulting in a fail to the client). However, Tomcat will stay active. Also, what is disableUploadTimeout ? I didn't find any doc. about this. If it is set to false, how can I configure a longer timeout for reading requests ? I'm really bad at writing docs ;-). If the 'disableUploadTimeout' attribute is set to 'false', then the Socket.setSoTimeout uses the value of the 'connectionUploadTimeout' attribute (which defaults to 5min, like Apache/httpd) to control the timeout after the initial request line has been read. Thanks in advance Rau NF [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi - Since tomcat implements a thread per connection model (as per the spec), would it be open to a DoS attack if it does not have an Apache server in front of it ? ie keep all threads busy servicing slow requests and valid users can't get in. On my tests, Tomcat stands up pretty well to a DoS attack. It will become slow if I have one machine saturate it with requests, but they all eventually get served. Tomcat 5 has additional logic to throttle connections if the load becomes high, so I'd guess that a DoS attack against it (with the default settings) is almost impossible (you would need a DDoS attack, since one machine couldn't maintain the concurrency necessary to shut Tomcat down). Assuming there is no apache server in front of tomcat and tomcat is serving everything, what's a reasonable connection timeout value? I know this is application specific but it would be interesting to hear about this. The goal obviously is to serve as many users as possible without having to create too many threads. I tend to use 5sec (which is 5000 in server.xml), since most of my apps write back very quickly. Some people prefer 15sec; The current default for Tomcat 4 is 1min. Like anything else, it depends on your app. If you typically start sending back data that includes links to images/style-sheets very quickly, then you want a low number. Even if not, I prefer to set disableUploadTimeout=false to use the longer time to read the request body. __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
tomcat - thread per connection model
Hi - Since tomcat implements a thread per connection model (as per the spec), would it be open to a DoS attack if it does not have an Apache server in front of it ? ie keep all threads busy servicing slow requests and valid users can't get in. Assuming there is no apache server in front of tomcat and tomcat is serving everything, what's a reasonable connection timeout value? I know this is application specific but it would be interesting to hear about this. The goal obviously is to serve as many users as possible without having to create too many threads. Thanks in advance __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat - thread per connection model
Rau NF [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi - Since tomcat implements a thread per connection model (as per the spec), would it be open to a DoS attack if it does not have an Apache server in front of it ? ie keep all threads busy servicing slow requests and valid users can't get in. On my tests, Tomcat stands up pretty well to a DoS attack. It will become slow if I have one machine saturate it with requests, but they all eventually get served. Tomcat 5 has additional logic to throttle connections if the load becomes high, so I'd guess that a DoS attack against it (with the default settings) is almost impossible (you would need a DDoS attack, since one machine couldn't maintain the concurrency necessary to shut Tomcat down). Assuming there is no apache server in front of tomcat and tomcat is serving everything, what's a reasonable connection timeout value? I know this is application specific but it would be interesting to hear about this. The goal obviously is to serve as many users as possible without having to create too many threads. I tend to use 5sec (which is 5000 in server.xml), since most of my apps write back very quickly. Some people prefer 15sec; The current default for Tomcat 4 is 1min. Like anything else, it depends on your app. If you typically start sending back data that includes links to images/style-sheets very quickly, then you want a low number. Even if not, I prefer to set disableUploadTimeout=false to use the longer time to read the request body. Thanks in advance __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]