Re: How to protect a Tomcat server/Webapp from (D)DOS attacks
Hello Chris, Thank you for your answer. > Apache ships with mod_evasive that allows you do this. I have used this in the past with some success. The other alternative I am aware of is to use mod_security. It looks interesting. > I am not aware of anything that will run directly in front of tomcat however - does anyone else have any suggestions? I think that was some talk of a port of mod_security that was implemented in java (well java calling the mod_security c library via jni). That might be mature enough for you to try. Anyone? Thanks again and best regards, -- Léa Massiot On 2014-06-17 7:45 PM, chris derham wrote: Léa, >Below is what I would like to ask you: >How do you usually protect your "Tomcat" servers and Webapps from (D)DOS >((Distributed) Denial-of-service) attacks? If you allow the DOS traffic to make it all the way up to the application layer before you detect it, then the DOS will still have an effect. The best way of stopping such traffic is to detect it at a lower level, and then block at a firewall. Typically this can be done by counting number of calls coming from a IP address and automatically blocking if they exceed a threshold. Apache ships with mod_evasive that allows you do this. I have used this in the past with some success. The other alternative I am aware of is to use mod_security. I am not aware of anything that will run directly in front of tomcat however - does anyone else have any suggestions? I think that was some talk of a port of mod_security that was implemented in java (well java calling the mod_security c library via jni). That might be mature enough for you to try. HTH Chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to protect a Tomcat server/Webapp from (D)DOS attacks
Léa, > Below is what I would like to ask you: > How do you usually protect your "Tomcat" servers and Webapps from (D)DOS > ((Distributed) Denial-of-service) attacks? If you allow the DOS traffic to make it all the way up to the application layer before you detect it, then the DOS will still have an effect. The best way of stopping such traffic is to detect it at a lower level, and then block at a firewall. Typically this can be done by counting number of calls coming from a IP address and automatically blocking if they exceed a threshold. Apache ships with mod_evasive that allows you do this. I have used this in the past with some success. The other alternative I am aware of is to use mod_security. I am not aware of anything that will run directly in front of tomcat however - does anyone else have any suggestions? I think that was some talk of a port of mod_security that was implemented in java (well java calling the mod_security c library via jni). That might be mature enough for you to try. HTH Chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How to protect a Tomcat server/Webapp from (D)DOS attacks
Hello, My question is not really "Tomcat" specific but, as my Webapp is a "Tomcat" Webapp, I thought I should post this question here. Below is what I would like to ask you: How do you usually protect your "Tomcat" servers and Webapps from (D)DOS ((Distributed) Denial-of-service) attacks? At first, I thought I would be able to detect a user's "abnormal" behavior (which is not straightforward by the way...) and then block the user/the IP packets based on their source IP. But then I discovered about "IP spoofing" (changing the IP source in an IP packet before sending it)... So, here is another question: is there a way I could identify precisely an "attacker" and block it? I've been reading things on the Internet for several hours and I couldn't find an answer to that question... I've also been reading about "Deep packet inspection" (DPI) which would (theoretically) allow to detect "abnormal" packets but I don't really know what to think about it... Is it a technique you commonly use? Which tools can be used? Do you have a security strategy/some advices that you can share with me? I know this is a delicate question (and I am not a potential attacker :). Thank you and best regards, -- Léa Massiot - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org