My first choice would be to decide not to respond from within
an AbstractHandler's handle() method, after examining the
(HttpServlet)Request. But if there's another place we can examine the
request (ideally in Java), that would work too. Right now I've got some
code like:
import java.util.logging.Logger
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.eclipse.jetty.server.Request
import org.eclipse.jetty.server.handler.AbstractHandler
import kotlin.random.Random

object MyHandler : AbstractHandler() {
    private val logger = Logger.getLogger(MyHandler::class.java.name)
    // Blocks the current Jetty worker thread for a random interval.
    private fun randomLengthNap() = Thread.sleep(Random.nextLong(500, 3000))

    override fun handle(target: String,
                        baseRequest: Request,
                        request: HttpServletRequest,
                        response: HttpServletResponse) {
        // pathInfo is a Java String that may be null; guard it before calling endsWith().
        val rawPath = request.pathInfo ?: ""
        // We don't have any PHP files. Any attempt to access one is hacking.
        if (rawPath.endsWith(".php")) {
            logger.info("BOGUS Request: [$rawPath]")
            randomLengthNap()
            // 503 - Service Unavailable (SC_SERVICE_UNAVAILABLE)
            // I think this is the most ambiguous way to say, "go away."
            response.status = HttpServletResponse.SC_SERVICE_UNAVAILABLE
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE)
            baseRequest.isHandled = true  // tell Jetty this request is done; no later handler runs
            return
        }
    }
}
This seems to work, but I'd prefer not to respond at all to these
requests. I'd also prefer not to tie up a thread with the nap duration.
Being able to say something like request.doNotDignifyThisWithAResponse()
would be ideal, but I don't know how to do that.
Instead of (in addition to) watching what attacks we get and adding them
over time, I'm also looking into Web Application Firewalls from Imperva,
Akamai, and Cloudflare, so if you think that's a better way to solve this
issue (or there is another non-jetty alternative I should consider) let me
know.
--
Glen K. Peterson
(828) 393-0081
_______________________________________________
jetty-users mailing list
[email protected]
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
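The two things the question asks for (send no response at all, and don't park a worker thread for the delay) can both be done from inside a Jetty handler. The following is an added example, not code from the question or from Jetty itself. It assumes Jetty 9.4's server API: the handler marks the request handled, switches it to Servlet async mode so the worker thread returns immediately, and a scheduled task later closes the underlying connection via Request.getHttpChannel().getEndPoint().close(), so the client never receives a status line. The class name, the suffix set (only ".php" is taken from the question), and the delay bounds are assumptions.

```kotlin
import java.io.IOException
import java.util.concurrent.Executors
import java.util.concurrent.ScheduledExecutorService
import java.util.concurrent.ThreadLocalRandom
import java.util.concurrent.TimeUnit
import java.util.logging.Logger
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.eclipse.jetty.server.Request
import org.eclipse.jetty.server.handler.AbstractHandler

/**
 * Hypothetical handler (not part of Jetty): drops probe requests without
 * writing any HTTP response and without blocking a Jetty worker thread.
 * Assumes the Jetty 9.4 Request/HttpChannel/EndPoint API.
 */
class ConnectionDroppingHandler(
    // Path suffixes that never exist on this site; ".php" is the one from the question.
    private val bogusSuffixes: Set<String> = setOf(".php"),
    private val minDelayMs: Long = 500,   // assumed bounds for the random delay
    private val maxDelayMs: Long = 3000
) : AbstractHandler() {

    private val logger = Logger.getLogger(ConnectionDroppingHandler::class.java.name)

    // One small scheduler for all pending drops: a scheduled task costs an
    // object in a queue, not a parked request-handling thread.
    private val scheduler: ScheduledExecutorService =
        Executors.newSingleThreadScheduledExecutor { r ->
            Thread(r, "probe-dropper").apply { isDaemon = true }
        }

    // Pure decision function so the matching rule can be unit-tested on its own.
    fun isBogus(path: String?): Boolean {
        val p = path ?: return false
        return bogusSuffixes.any { p.endsWith(it, ignoreCase = true) }
    }

    override fun handle(target: String, baseRequest: Request,
                        request: HttpServletRequest, response: HttpServletResponse) {
        // Not a probe: leave the request untouched for the next handler in the chain.
        if (!isBogus(request.pathInfo ?: target)) return

        logger.info("BOGUS request from ${request.remoteAddr}: [${request.requestURI}]")
        baseRequest.isHandled = true          // no later handler may write a response

        // Switch to async so this worker thread returns to the pool right away.
        val ctx = request.startAsync()
        ctx.timeout = maxDelayMs + 1000       // safety net if the scheduled close never runs
        val delay = ThreadLocalRandom.current().nextLong(minDelayMs, maxDelayMs + 1)

        scheduler.schedule(Runnable {
            try {
                // Close the TCP connection: no status line or headers are ever sent.
                baseRequest.httpChannel.endPoint.close()
            } catch (e: IOException) {
                logger.fine("endpoint already closed: $e")
            } finally {
                ctx.complete()                // release Jetty's bookkeeping for the request
            }
        }, delay, TimeUnit.MILLISECONDS)
    }

    override fun doStop() {
        scheduler.shutdownNow()
        super.doStop()
    }
}
```

Two caveats before using this. On an HTTP/2 connection, closing the endpoint tears down every stream multiplexed on it, not just the probe, so a proxy or CDN that coalesces many clients onto one connection would lose them all; the 503 approach in the question does not have that problem. And a silently dropped connection looks like a network fault to the client, so some scanners simply retry; the win is in not spending a thread or a response on them, not in making them stop. For purely IP- or rate-based blocking, Jetty already ships InetAccessHandler and DoSFilter, which may be simpler than a custom handler.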