How does Tomcat handle a slow HTTP DoS?

Brett Elliott-3
It is described here:

http://ha.ckers.org/slowloris/

Basically the attacker invokes thousands of connections, slowly sending
header after header until the server has exhausted resources, most
likely threads. Can tomcat use nio to process the headers then create a
thread and execute the webapp?



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: How does Tomcat handle a slow HTTP DoS?

markt
Brett wrote:
> It is described here:
>
> http://ha.ckers.org/slowloris/

For those that aren't aware this is a well known and understood issue
that has been around for quite some time. This is just a re-hash that,
for whatever reason, is getting more attention than it probably warrants.

> Basically the attacker invokes thousands of connections, slowly sending
> header after header until the server has exhausted resources, most
> likely threads. Can tomcat use nio to process the headers then create a
> thread and execute the webapp?

Like httpd and any other web server, how a Tomcat server reacts to this
pattern of requests depends very much on configuration. You are correct
that the NIO connector should handle this more gracefully (note I
haven't tested it) as it uses non-blocking IO to read the request
headers. That said, all that really does is move the goal posts.

If you make enough requests then at some point you will hit a resource
limit. With the BIO and APR connectors this is very likely to be
threads. For the NIO connector my guess (again I haven't tested it) is
that the limit would be sockets.

Whilst you could spend a lot of time tuning Tomcat (or any other web
server) to better handle this scenario there are easier ways to achieve
the same goal. Any half-decent firewall will provide connection rate
limiting which would kill this attack stone dead.

That moves the problem to how to handle a Distributed DOS attack rather
than a simple DOS and that is somewhat harder. There are solutions
available but they tend to cost $$$. On the other hand, if your site is
valuable enough to be the target of a determined DDOS then you should be
thinking about investing in some form of DDOS protection.

Mark

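As an added example (not code from this thread, from Tomcat, or from either poster), the following Python program builds a tiny HTTP front end the way Brett asks about: one non-blocking selector loop reads request headers, and only a complete header block is handed to a worker thread. A client that trickles headers therefore ties up a socket and a small buffer, not a thread, and a per-connection header deadline (the job Tomcat's `connectionTimeout` does on its connectors) evicts it. The 1-second deadline, the 8 KiB header cap, the localhost port, the constructed slow and fast clients, and the names `NonBlockingHeaderServer` and `run_demo` are all assumptions made for this illustration.

```python
import selectors
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

HEADER_DEADLINE = 1.0    # seconds a client gets to finish its headers (assumed value)
MAX_HEADER_BYTES = 8192  # evict connections that buffer more header than this (assumed value)


class NonBlockingHeaderServer:
    """Selector-driven header reader; worker threads only see finished requests."""

    def __init__(self, host="127.0.0.1", port=0, workers=4):
        self.sel = selectors.DefaultSelector()
        self.lsock = socket.socket()
        self.lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.lsock.bind((host, port))
        self.lsock.listen(128)
        self.lsock.setblocking(False)
        self.port = self.lsock.getsockname()[1]
        self.sel.register(self.lsock, selectors.EVENT_READ, data="listener")
        self.pool = ThreadPoolExecutor(max_workers=workers)  # the "webapp" threads
        self.pending = {}   # socket -> [header buffer, deadline]; parked here costs no thread
        self.stats = {"accepted": 0, "completed": 0, "timed_out": 0, "oversized": 0}
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        for conn in list(self.pending):
            self._close(conn)
        self.sel.unregister(self.lsock)
        self.lsock.close()
        self.pool.shutdown(wait=True)

    def _loop(self):
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.05):
                if key.data == "listener":
                    self._accept()
                else:
                    self._read_headers(key.fileobj)
            self._evict_stale()

    def _accept(self):
        conn, _ = self.lsock.accept()
        conn.setblocking(False)
        self.sel.register(conn, selectors.EVENT_READ, data="client")
        self.pending[conn] = [bytearray(), time.monotonic() + HEADER_DEADLINE]
        self.stats["accepted"] += 1

    def _read_headers(self, conn):
        state = self.pending[conn]
        try:
            chunk = conn.recv(4096)
        except BlockingIOError:
            return
        except OSError:
            chunk = b""
        if not chunk:                      # peer closed or reset
            self._close(conn)
            return
        state[0] += chunk
        if len(state[0]) > MAX_HEADER_BYTES:
            self.stats["oversized"] += 1
            self._close(conn)
            return
        end = state[0].find(b"\r\n\r\n")   # blank line terminates the header block
        if end == -1:
            return                         # incomplete: stays parked, no worker consumed
        headers = bytes(state[0][:end])
        self.sel.unregister(conn)
        del self.pending[conn]
        self.stats["completed"] += 1
        self.pool.submit(self._handle, conn, headers)

    def _evict_stale(self):
        now = time.monotonic()
        for conn, (_, deadline) in list(self.pending.items()):
            if now > deadline:             # slowloris-style client ran out of time
                self.stats["timed_out"] += 1
                self._close(conn)

    def _close(self, conn):
        self.sel.unregister(conn)
        self.pending.pop(conn, None)
        conn.close()

    def _handle(self, conn, headers):
        conn.setblocking(True)             # worker thread: blocking IO is fine here
        body = b"got: " + headers.split(b"\r\n", 1)[0]
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                     b"Connection: close\r\n\r\n" % len(body) + body)
        conn.close()


def run_demo(slow_clients=5, hold=1.5):
    """Park constructed slow clients, then show a normal request is still served."""
    srv = NonBlockingHeaderServer()
    srv.start()

    def slow():
        s = socket.create_connection(("127.0.0.1", srv.port))
        try:
            s.sendall(b"GET / HTTP/1.1\r\nHost: x\r\n")  # never sends the blank line
            until = time.monotonic() + hold
            while time.monotonic() < until:
                time.sleep(0.2)
                s.sendall(b"X-Pad: y\r\n")            # trickle a header to look alive
        except OSError:
            pass                                      # evicted by the server deadline
        finally:
            s.close()

    threads = [threading.Thread(target=slow) for _ in range(slow_clients)]
    for t in threads:
        t.start()
    time.sleep(0.3)                                   # slow clients are now parked
    with socket.create_connection(("127.0.0.1", srv.port)) as s:
        s.sendall(b"GET /ok HTTP/1.1\r\nHost: x\r\n\r\n")
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    for t in threads:
        t.join()
    srv.stop()
    return srv.stats, reply


if __name__ == "__main__":
    print(run_demo())
```

With a thread-per-connection reader the five parked clients would each hold a worker inside a blocking `recv`, and with four workers the normal request would have queued behind them; here the worker pool never sees them, and the deadline reclaims the sockets. As Mark says, this only moves the limit: `MAX_HEADER_BYTES` times the number of parked connections is still memory the attacker controls, and file descriptors are still finite, which is why the connection-rate limiting he recommends belongs in front of the server.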