Re: JK2 Connector and denial of service attacks
At 10:36 PM 29/03/2004, you wrote: Henri Gomez wrote: Steve Spicer wrote: On standard install it doesn't. I'm not sure why but it still seems the JK connector is connecting to tomcat even though the access checker hook is returning a 403. Any ideas? I will make some tests on it. I make some tests and I didn't see such problems. The first request to http://mymachine/examples/ were forwarded to tomcat, but the rest was forbideen (403) by mod_dosevasive. I used test.pl provided in mod_dosevasise. Same thing with ab (ApacheBench). So what's your problem ? Although I get 403 status it still seems to be spawning lots of HTTPD's and tomcat takes cpu time, surely if the 403 worked the extra HTTPD would not spwan and tomcat would be unaffected? Im beginning to think I have some config issues, I'll check them all out and get back if theres still an issue. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
Steve Spicer wrote: Hey, I've been having some serious problems with brute force denail of service attacks on httpd with tomcat 4 and jk2. After sitting down and working out the desired point of redirection I found the mod_dos module which effectively refuses traffic for these attacks, however after installing this module with JK2 tomcat is still activated for some reason on these repeat requests - I suspected it was the order in which the modules were created but couldn't find an config solution. So I merged the mod_dos module with the JK2 module - the result is an out-of-the-box jk2 module that inherits all of the benefits of the anti-DoS module. If this is considered to be useful (and within the scope) of the JK2 project please let me know! From what I see in mod_dosevasive 1.8, this module only use access_checker hook: ap_hook_access_checker(access_checker, NULL, NULL, APR_HOOK_MIDDLE); Well I'm not sure we should implement mod_dosevasive in jk or jk2, since it's not their 'core' business to handle protection about DOS. But we should garantee that mod_dosevasive and jk/jk2 will works together. There is no real order in such case, since we're not using the same hooks. Gleen and Mladen what's your opinions ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
I agree to your point that DoS protection is out of the scope of the connector, I figured though that it would automatically protect tomcat against such attacks in the common httpd / tomcat / jk2 configuration, I'm not sure if I was a clutz in missing this need for protection, if so then this point is probably irrelevent, but if im not then I think its a very important issue. Perhaps it would be better solved with a document included within JK2 detailing the necessity of such protection and how to configure it? At 05:17 PM 29/03/2004, you wrote: Steve Spicer wrote: Hey, I've been having some serious problems with brute force denail of service attacks on httpd with tomcat 4 and jk2. After sitting down and working out the desired point of redirection I found the mod_dos module which effectively refuses traffic for these attacks, however after installing this module with JK2 tomcat is still activated for some reason on these repeat requests - I suspected it was the order in which the modules were created but couldn't find an config solution. So I merged the mod_dos module with the JK2 module - the result is an out-of-the-box jk2 module that inherits all of the benefits of the anti-DoS module. If this is considered to be useful (and within the scope) of the JK2 project please let me know! From what I see in mod_dosevasive 1.8, this module only use access_checker hook: ap_hook_access_checker(access_checker, NULL, NULL, APR_HOOK_MIDDLE); Well I'm not sure we should implement mod_dosevasive in jk or jk2, since it's not their 'core' business to handle protection about DOS. But we should garantee that mod_dosevasive and jk/jk2 will works together. There is no real order in such case, since we're not using the same hooks. Gleen and Mladen what's your opinions ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
Steve Spicer wrote: I agree to your point that DoS protection is out of the scope of the connector, I figured though that it would automatically protect tomcat against such attacks in the common httpd / tomcat / jk2 configuration, I'm not sure if I was a clutz in missing this need for protection, if so then this point is probably irrelevent, but if im not then I think its a very important issue. Perhaps it would be better solved with a document included within JK2 detailing the necessity of such protection and how to configure it? Of course, this document would be helpfull if there is special settings. BTW, I wonder if jk2 2.0.4 works or not with mod_dos ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
On standard install it doesn't. I'm not sure why but it still seems the JK connector is connecting to tomcat even though the access checker hook is returning a 403. Any ideas? At 09:51 PM 29/03/2004, you wrote: Steve Spicer wrote: I agree to your point that DoS protection is out of the scope of the connector, I figured though that it would automatically protect tomcat against such attacks in the common httpd / tomcat / jk2 configuration, I'm not sure if I was a clutz in missing this need for protection, if so then this point is probably irrelevent, but if im not then I think its a very important issue. Perhaps it would be better solved with a document included within JK2 detailing the necessity of such protection and how to configure it? Of course, this document would be helpfull if there is special settings. BTW, I wonder if jk2 2.0.4 works or not with mod_dos ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
Steve Spicer wrote: On standard install it doesn't. I'm not sure why but it still seems the JK connector is connecting to tomcat even though the access checker hook is returning a 403. Any ideas? I will make some tests on it. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
Henri Gomez wrote: Steve Spicer wrote: On standard install it doesn't. I'm not sure why but it still seems the JK connector is connecting to tomcat even though the access checker hook is returning a 403. Any ideas? I will make some tests on it. I make some tests and I didn't see such problems. The first request to http://mymachine/examples/ were forwarded to tomcat, but the rest was forbideen (403) by mod_dosevasive. I used test.pl provided in mod_dosevasise. Same thing with ab (ApacheBench). So what's your problem ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JK2 Connector and denial of service attacks
Hey, I've been having some serious problems with brute force denail of service attacks on httpd with tomcat 4 and jk2. After sitting down and working out the desired point of redirection I found the mod_dos module which effectively refuses traffic for these attacks, however after installing this module with JK2 tomcat is still activated for some reason on these repeat requests - I suspected it was the order in which the modules were created but couldn't find an config solution. So I merged the mod_dos module with the JK2 module - the result is an out-of-the-box jk2 module that inherits all of the benefits of the anti-DoS module. If this is considered to be useful (and within the scope) of the JK2 project please let me know! Thanks, Steve Spicer. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]