Re: tomcat - thread per connection model
"Rau NF" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi - Not sure about one thing - what if someone opens > up a 100 odd connections and sends data over the pipe > slowly ? This will definitely keep that particular > server (Tomcat 4.1.24) busy for a long time and no new > user can get in. In this case, the throttling logic in > tomcat will probably do nothing. Am I mistaken ? If they send too slowly, the request will timeout (resulting in a fail to the client). However, Tomcat will stay active. > > Also, what is disableUploadTimeout ? I didn't find any > doc. about this. If it is set to false, how can I > configure a longer timeout for reading requests ? I'm really bad at writing docs ;-). If the 'disableUploadTimeout' attribute is set to 'false', then the Socket.setSoTimeout uses the value of the 'connectionUploadTimeout' attribute (which defaults to 5min, like Apache/httpd) to control the timeout after the initial request line has been read. > > Thanks in advance > > > "Rau NF" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > > Hi - Since tomcat implements a thread per connection > > model (as per the spec), would it be open to a DoS > > attack if it does not have an Apache server in front > > of it ? ie keep all threads busy servicing slow > > requests and valid users can't get in. > > On my tests, Tomcat stands up pretty well to a DoS > attack. It will become > slow if I have one machine saturate it with requests, > but they all > eventually get served. Tomcat 5 has additional logic > to throttle > connections if the load becomes high, so I'd guess > that a DoS attack against > it (with the default settings) is almost impossible > (you would need a DDoS > attack, since one machine couldn't maintain the > concurrency necessary to > shut Tomcat down). > > > > > Assuming there is no apache server in front of > tomcat > > and tomcat is serving everything, what's a > reasonable > > connection timeout value? I know this is application > > specific but it would be interesting to hear about > > this. The goal obviously is to serve as many users > as > > possible without having to create too many threads. > > I tend to use 5sec (which is 5000 in server.xml), > since most of my apps > write back very quickly. Some people prefer 15sec; > The current default for > Tomcat 4 is 1min. Like anything else, it depends on > your app. If you > typically start sending back data that includes links > to images/style-sheets > very quickly, then you want a low number. Even if > not, I prefer to set > disableUploadTimeout="false" to use the longer time to > read the request > body. > > > __ > Do you Yahoo!? > Yahoo! SiteBuilder - Free, easy-to-use web site design software > http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat - thread per connection model
Hi - Not sure about one thing - what if someone opens up a 100 odd connections and sends data over the pipe slowly ? This will definitely keep that particular server (Tomcat 4.1.24) busy for a long time and no new user can get in. In this case, the throttling logic in tomcat will probably do nothing. Am I mistaken ? Also, what is disableUploadTimeout ? I didn't find any doc. about this. If it is set to false, how can I configure a longer timeout for reading requests ? Thanks in advance "Rau NF" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi - Since tomcat implements a thread per connection > model (as per the spec), would it be open to a DoS > attack if it does not have an Apache server in front > of it ? ie keep all threads busy servicing slow > requests and valid users can't get in. On my tests, Tomcat stands up pretty well to a DoS attack. It will become slow if I have one machine saturate it with requests, but they all eventually get served. Tomcat 5 has additional logic to throttle connections if the load becomes high, so I'd guess that a DoS attack against it (with the default settings) is almost impossible (you would need a DDoS attack, since one machine couldn't maintain the concurrency necessary to shut Tomcat down). > > Assuming there is no apache server in front of tomcat > and tomcat is serving everything, what's a reasonable > connection timeout value? I know this is application > specific but it would be interesting to hear about > this. The goal obviously is to serve as many users as > possible without having to create too many threads. I tend to use 5sec (which is 5000 in server.xml), since most of my apps write back very quickly. Some people prefer 15sec; The current default for Tomcat 4 is 1min. Like anything else, it depends on your app. If you typically start sending back data that includes links to images/style-sheets very quickly, then you want a low number. Even if not, I prefer to set disableUploadTimeout="false" to use the longer time to read the request body. __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat - thread per connection model
"Rau NF" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi - Since tomcat implements a thread per connection > model (as per the spec), would it be open to a DoS > attack if it does not have an Apache server in front > of it ? ie keep all threads busy servicing slow > requests and valid users can't get in. On my tests, Tomcat stands up pretty well to a DoS attack. It will become slow if I have one machine saturate it with requests, but they all eventually get served. Tomcat 5 has additional logic to throttle connections if the load becomes high, so I'd guess that a DoS attack against it (with the default settings) is almost impossible (you would need a DDoS attack, since one machine couldn't maintain the concurrency necessary to shut Tomcat down). > > Assuming there is no apache server in front of tomcat > and tomcat is serving everything, what's a reasonable > connection timeout value? I know this is application > specific but it would be interesting to hear about > this. The goal obviously is to serve as many users as > possible without having to create too many threads. I tend to use 5sec (which is 5000 in server.xml), since most of my apps write back very quickly. Some people prefer 15sec; The current default for Tomcat 4 is 1min. Like anything else, it depends on your app. If you typically start sending back data that includes links to images/style-sheets very quickly, then you want a low number. Even if not, I prefer to set disableUploadTimeout="false" to use the longer time to read the request body. > > Thanks in advance > > __ > Do you Yahoo!? > Yahoo! SiteBuilder - Free, easy-to-use web site design software > http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
tomcat - thread per connection model
Hi - Since tomcat implements a thread per connection model (as per the spec), would it be open to a DoS attack if it does not have an Apache server in front of it ? ie keep all threads busy servicing slow requests and valid users can't get in. Assuming there is no apache server in front of tomcat and tomcat is serving everything, what's a reasonable connection timeout value? I know this is application specific but it would be interesting to hear about this. The goal obviously is to serve as many users as possible without having to create too many threads. Thanks in advance __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
