Hi - Not sure about one thing - what if someone opens up 100-odd connections and sends data over the pipe slowly? This will definitely keep that particular server (Tomcat 4.1.24) busy for a long time and no new user can get in. In this case, the throttling logic in Tomcat will probably do nothing. Am I mistaken?
Also, what is disableUploadTimeout? I didn't find any doc about this. If it is set to false, how can I configure a longer timeout for reading requests?

Thanks in advance

------------------------------------------------

"Rau NF" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> Hi - Since tomcat implements a thread per connection
> model (as per the spec), would it be open to a DoS
> attack if it does not have an Apache server in front
> of it? ie keep all threads busy servicing slow
> requests and valid users can't get in.

On my tests, Tomcat stands up pretty well to a DoS attack. It will become slow if I have one machine saturate it with requests, but they all eventually get served. Tomcat 5 has additional logic to throttle connections if the load becomes high, so I'd guess that a DoS attack against it (with the default settings) is almost impossible (you would need a DDoS attack, since one machine couldn't maintain the concurrency necessary to shut Tomcat down).

> Assuming there is no apache server in front of tomcat
> and tomcat is serving everything, what's a reasonable
> connection timeout value? I know this is application
> specific but it would be interesting to hear about
> this. The goal obviously is to serve as many users as
> possible without having to create too many threads.

I tend to use 5sec (which is 5000 in server.xml), since most of my apps write back very quickly. Some people prefer 15sec; the current default for Tomcat 4 is 1min. Like anything else, it depends on your app. If you typically start sending back data that includes links to images/style-sheets very quickly, then you want a low number. Even if not, I prefer to set disableUploadTimeout="false" to use the longer time to read the request body.
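Added example, not part of the thread and not Tomcat's code: a socket read timeout applies to each read separately, so a sender that trickles bytes never trips it while still occupying a worker thread. The sketch below bounds the whole request head with a total deadline as well; `read_request_head`, `SlowClientError` and the parameter names are hypothetical, and Python is used only for illustration.

```python
import socket
import time


class SlowClientError(Exception):
    """Peer did not deliver a complete request head within the limits."""


def read_request_head(conn, idle_timeout=5.0, total_deadline=10.0,
                      max_bytes=8192):
    """Read from conn until the blank line that ends the HTTP headers.

    idle_timeout   -- longest wait for any single read (a per-read timeout)
    total_deadline -- longest time allowed for the whole head, regardless
                      of how many small reads it arrives in
    max_bytes      -- cap on header size so the buffer cannot grow unbounded
    """
    start = time.monotonic()
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = total_deadline - (time.monotonic() - start)
        if remaining <= 0:
            raise SlowClientError("request head exceeded total deadline")
        if len(buf) >= max_bytes:
            raise SlowClientError("request head too large")
        # Never wait longer than what is left of the overall budget.
        conn.settimeout(min(idle_timeout, remaining))
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise SlowClientError("peer idle or too slow") from None
        if not chunk:
            raise SlowClientError("peer closed before end of headers")
        buf += chunk
    return buf


if __name__ == "__main__":
    # Constructed local demo: a well-behaved peer sends the head at once.
    client, server = socket.socketpair()
    client.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    print(read_request_head(server))
    client.close()
    server.close()
```

The worker that calls this can close the connection on `SlowClientError` and return to the pool, so the time any one connection can hold a thread while sending its headers is capped at `total_deadline`.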