I agree with the NIO connector, which gives good results for this
problem. Also, on Linux you can configure the iptables firewall to limit
the number of connections from one IP
(http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable).
I would not rely on Apache for this, since Apache also has its own
similar problems on some versions (with proxypass or mod-jk..)

2015-03-15 0:15 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net>:
> Petr,
>
> On 3/14/15 3:32 PM, Petr Nemecek wrote:
>> Hello,
>>
>> our webapp, that is deployed in Tomcat 8.0.18, was tested positive
>> as vulnerable to the slow http denial of service: "By using a
>> single computer, it is possible to establish thousands of
>> simultaneous connections and keep them open for a long time. During
>> the attack, the server was rendered unavailable."
>>
>> Any idea what to do with this?
>
> Using the NIO connector is the best you can do, here. Or, front Tomcat
> with a web server that has its own mitigation techniques.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
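
To choose a per-IP limit for the iptables approach mentioned in this thread, and to see which clients already exceed it, the following added example (not part of the original messages) counts established connections per client from `ss -tn` output. The sample output, port 8080 and the limit of 3 are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of `ss -tn` output (documentation addresses, not real data).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q  Local Address:Port          Peer Address:Port
ESTAB      0      0       192.0.2.10:8080             198.51.100.7:51000
ESTAB      0      0       192.0.2.10:8080             198.51.100.7:51001
ESTAB      0      0       [::ffff:192.0.2.10]:8080    [::ffff:198.51.100.7]:51002
ESTAB      0      0       [::ffff:192.0.2.10]:8080    [::ffff:198.51.100.7]:51003
ESTAB      0      0       192.0.2.10:8080             203.0.113.5:40212
ESTAB      0      0       192.0.2.10:22               203.0.113.9:50522
TIME-WAIT  0      0       192.0.2.10:8080             203.0.113.5:40100
"""


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (normalized address, port)."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]"))
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; fold them
    # back to IPv4 so one client is not counted under two names.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr), int(port)


def connections_per_ip(ss_output, local_port):
    """Count ESTABLISHED connections to local_port, grouped by peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line, other TCP states, malformed rows
        _, lport = split_endpoint(fields[3])
        peer, _ = split_endpoint(fields[4])
        if lport == local_port:
            counts[peer] += 1
    return counts


def over_limit(counts, limit):
    """Return the peers holding more than `limit` connections, sorted."""
    return sorted(ip for ip, n in counts.items() if n > limit)


if __name__ == "__main__":
    per_ip = connections_per_ip(SAMPLE_SS_OUTPUT, local_port=8080)
    print(per_ip.most_common())
    print("over limit:", over_limit(per_ip, limit=3))
```

Run against real `ss -tn` output during normal load first, so the limit you later enforce in the firewall sits above what legitimate clients and proxies actually use.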
