Re: Slow http denial of service
Christopher, there are several questions in the same thread. The first one about SlowLoris was answered long ago ( http://tomcat.10.x6.nabble.com/is-tomcat-6-0-35-vulnerable-to-CVE-2007-6750-td585.html ). On the contrary, for fast connection opening (DOS), we can configure the firewall in order to temporarily ban an IP if it has reached something like 20 connections/second. The problem becomes more difficult if we're facing a DDOS: if the traffic is good old HTTP then we must challenge our clients (captcha, javascript), then we know who we have to ban (F5 products can do that, or use Cloudflare/AKAMAI). If it's not HTTP (IP spoofing, DNS recursive requests, ..) we need to configure the router or the entrance firewall. I believe there is no cheap solution to fight against a 300G/s flood.

> What about non-users?

Blocked by router/firewall if they were sending something really stupid, so I don't have any idea about how many of them. Google bots and others, not even 1% of traffic. We had several crashes because of too much traffic when thousands of people were connecting at the same time to get special news from the company. This doesn't happen anymore after buying servers 20 times more powerful, but I'm not working there anymore.

2015-03-16 21:09 GMT+01:00 Christopher Schultz :
> Aurélien,
>
> On 3/16/15 9:16 AM, Aurélien Terrestris wrote:
>> As browsers (at least the ones I know) open 2 connections to
>> browse websites
>
> That number has been bigger than 2 for quite a while, now:
>
> http://stackoverflow.com/questions/985431/max-parallel-http-connections-in-a-browser
>
> We aren't talking about nice clients, here, though, but clients that
> are intentionally trying to bring down a site. The maximum number of
> connections a legit web browser will open to a single host/IP is not
> relevant.
>
>> we could have a look on the hourly stats and estimate this (under
>> 100 without problem). I never met such problem anyway, the highest
>> traffic being 120 000 different users/day.
>
> What about non-users?
>
> -chris
Re: Slow http denial of service
Aurélien,

On 3/16/15 9:16 AM, Aurélien Terrestris wrote:
> As browsers (at least the ones I know) open 2 connections to
> browse websites

That number has been bigger than 2 for quite a while, now:

http://stackoverflow.com/questions/985431/max-parallel-http-connections-in-a-browser

We aren't talking about nice clients, here, though, but clients that are intentionally trying to bring down a site. The maximum number of connections a legit web browser will open to a single host/IP is not relevant.

> we could have a look on the hourly stats and estimate this (under
> 100 without problem). I never met such problem anyway, the highest
> traffic being 120 000 different users/day.

What about non-users?

-chris
Re: Slow http denial of service
As browsers (at least the ones I know) open 2 connections to browse websites, we could have a look on the hourly stats and estimate this (under 100 without problem). I never met such problem anyway, the highest traffic being 120 000 different users/day.

If you really have to face DDOS as said by Christopher, you would have to use something like Cloudflare. For very big sites, AKAMAI, ..

2015-03-16 13:50 GMT+01:00 David kerber :
> On 3/16/2015 8:41 AM, Robert Klemme wrote:
>> On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris wrote:
>>> I agree with the NIO connector which gives good results to this
>>> problem. Also, on Linux you can configure iptables firewall to limit
>>> the number of connections from one IP (
>>> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
>>> )
>>
>> What I find difficult about this approach is that because of NAT the
>> number of individual machines (and hence connections that are reasonable)
>> behind a single IP can vary vastly. What value will you pick to not
>> discriminate large organizations?
>
> That is a reasonable question, but the owner of a web site should have some
> idea of who their clients are, and have a feel for a reasonable number to
> allow. Obviously a site with a large clientele will be able to handle a
> larger number of connections, whether they're legit or not.
Re: Slow http denial of service
On 3/16/2015 8:41 AM, Robert Klemme wrote:
> On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris wrote:
>> I agree with the NIO connector which gives good results to this
>> problem. Also, on Linux you can configure iptables firewall to limit
>> the number of connections from one IP (
>> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
>> )
>
> What I find difficult about this approach is that because of NAT the
> number of individual machines (and hence connections that are reasonable)
> behind a single IP can vary vastly. What value will you pick to not
> discriminate large organizations?

That is a reasonable question, but the owner of a web site should have some idea of who their clients are, and have a feel for a reasonable number to allow. Obviously a site with a large clientele will be able to handle a larger number of connections, whether they're legit or not.
Re: Slow http denial of service
Robert,

On 3/16/15 8:41 AM, Robert Klemme wrote:
> On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris wrote:
>> I agree with the NIO connector which gives good results to this
>> problem. Also, on Linux you can configure iptables firewall to
>> limit the number of connections from one IP (
>> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
>> )
>
> What I find difficult about this approach is that because of NAT
> the number of individual machines (and hence connections that are
> reasonable) behind a single IP can vary vastly. What value will you
> pick to not discriminate large organizations?

Or anyone using a service like AOL which proxies everyone through a small number of IP addresses.

If you are worried about a DOS but not a DDOS, you aren't being honest with yourself.

-chris
Re: Slow http denial of service
On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris wrote:
> I agree with the NIO connector which gives good results to this
> problem. Also, on Linux you can configure iptables firewall to limit
> the number of connections from one IP (
> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
> )

What I find difficult about this approach is that because of NAT the number of individual machines (and hence connections that are reasonable) behind a single IP can vary vastly. What value will you pick to not discriminate large organizations?

Kind regards

robert
Re: Slow http denial of service
I agree with the NIO connector which gives good results to this problem. Also, on Linux you can configure iptables firewall to limit the number of connections from one IP ( http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable )

I would not rely on Apache for this, since Apache also has its own similar problems on some versions (with proxypass or mod-jk ..).

2015-03-15 0:15 GMT+01:00 Christopher Schultz :
> Petr,
>
> On 3/14/15 3:32 PM, Petr Nemecek wrote:
>> Hello,
>>
>> our webapp, that is deployed in Tomcat 8.0.18, was tested positive
>> as vulnerable to the slow http denial of service: "By using a
>> single computer, it is possible to establish thousands of
>> simultaneous connections and keep them open for a long time. During
>> the attack, the server was rendered unavailable."
>>
>> Any idea what to do with this?
>
> Using the NIO connector is the best you can do, here. Or, front Tomcat
> with a web server that has its own mitigation techniques.
>
> -chris
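The iptables suggestion above (cap concurrent connections per source IP) and the "ban an IP once it opens something like 20 connections/second" idea from the later reply in this thread map onto two netfilter matches: connlimit for concurrent connections and hashlimit for the rate of new ones. The script below is an added example, not the thread's own rules or the linked answer's; the ports, thresholds and the per-/32 mask are assumptions to size for your own traffic, bearing in mind the NAT point raised in the thread (one address may be a whole organisation). It prints the rules rather than applying them unless APPLY=1 is set, so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: generate iptables rules that
#  - drop new connections from a source IP that already holds MAX_CONN
#    connections to the port (connlimit), and
#  - drop new connections from a source IP that opens more than
#    NEW_PER_SEC per second after a burst of BURST (hashlimit).
# Ports 80/443, the /32 source mask and the thresholds are assumptions.

# emit_rules MAX_CONN NEW_PER_SEC BURST
# Prints the commands instead of running them, so they can be reviewed.
emit_rules() {
    max_conn=$1
    new_per_sec=$2
    burst=$3
    for port in 80 443; do
        # Concurrent-connection cap per source address (mask 32 = per IP).
        printf 'iptables -A INPUT -p tcp --dport %s --syn -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' \
            "$port" "$max_conn"
        # New-connection rate cap per source address; the hash table is
        # keyed on srcip and needs a distinct name per rule.
        printf 'iptables -A INPUT -p tcp --dport %s --syn -m hashlimit --hashlimit-name new_%s --hashlimit-mode srcip --hashlimit-above %s/second --hashlimit-burst %s -j DROP\n' \
            "$port" "$port" "$new_per_sec" "$burst"
    done
}

# apply_rules MAX_CONN NEW_PER_SEC BURST: run the generated commands.
# Needs root and the iptables binary; rules are appended, not replaced.
apply_rules() {
    emit_rules "$@" | sh
}

# Usage:
#   sh limits.sh 50 20 40            # review the rules
#   APPLY=1 sh limits.sh 50 20 40    # apply them
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$@"
else
    emit_rules "$@"
fi
```

The rules only match packets with SYN set, so existing connections are never cut, only new ones refused; connlimit is the one that bites a single-host slow-connection attack, while hashlimit catches a fast opener. Both are per address, which is exactly the limitation Robert and Chris point out for NAT and proxy users.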
Re: Slow http denial of service
Petr,

On 3/14/15 3:32 PM, Petr Nemecek wrote:
> Hello,
>
> our webapp, that is deployed in Tomcat 8.0.18, was tested positive
> as vulnerable to the slow http denial of service: "By using a
> single computer, it is possible to establish thousands of
> simultaneous connections and keep them open for a long time. During
> the attack, the server was rendered unavailable."
>
> Any idea what to do with this?

Using the NIO connector is the best you can do, here. Or, front Tomcat with a web server that has its own mitigation techniques.

-chris
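What "use the NIO connector" looks like in conf/server.xml, as an added example rather than a configuration from the thread. On Tomcat 8.0, protocol="HTTP/1.1" already selects the NIO implementation unless the APR/native library is installed, so naming the class makes the choice explicit. The attribute names are Tomcat's; the numbers are assumptions to size for your load.

```xml
<!-- Added example, not the thread's own server.xml. Values are assumptions. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="5000"
           keepAliveTimeout="5000"
           maxKeepAliveRequests="100"
           maxConnections="8192"
           maxThreads="200"
           acceptCount="100"
           disableUploadTimeout="false"
           connectionUploadTimeout="20000"
           redirectPort="8443" />
```

Two caveats a scanner result like Petr's will surface. connectionTimeout is a per-read socket timeout while the request line and headers are being read, so a client that sends one more header line every few seconds keeps the connection alive for as long as it likes; NIO only keeps such connections off the worker threads (maxThreads) and lets an idle socket wait without a thread. The total is then bounded by maxConnections, which is the number a single slow attacker has to reach. disableUploadTimeout="false" with connectionUploadTimeout applies a separate timeout to reading a request body, which is the slow-POST variant of the same attack.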
Re: Slow http denial of service
On 3/14/2015 12:32 PM, Petr Nemecek wrote:
> Hello,
>
> our webapp, that is deployed in Tomcat 8.0.18, was tested positive
> as vulnerable to the slow http denial of service: "By using a
> single computer, it is possible to establish thousands of
> simultaneous connections and keep them open for a long time. During
> the attack, the server was rendered unavailable."
>
> Any idea what to do with this?
>
> Many thanks, Petr Nemecek

Google the following:

tomcat 7 slow loris mitigation

There are several discussions on how to mitigate this.

Bugzilla entry for Tomcat 6.0.36:

https://bz.apache.org/bugzilla/show_bug.cgi?id=54263

Redhat:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6750

It looks like a suitably configured firewall or mod_reqtimeout

http://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

are the available solutions.

. . . just my two cents

/mde/
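The mod_reqtimeout route in concrete form: an httpd 2.4 front end that reads the whole request header itself before proxying to Tomcat, so a client that never finishes its headers is dropped by httpd and never occupies a Tomcat connection. This is an added example, not a configuration from the thread; the module and directives are httpd's, while the timeout values and the backend address 127.0.0.1:8080 are assumptions.

```apache
# Added example, not from the thread. Numbers and the backend address are assumptions.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Headers: 10 s to finish, extended by 1 s per 500 bytes received, 30 s at most.
# Body:    10 s to finish, extended by 1 s per 1000 bytes received, 60 s at most.
# A client that trickles bytes slower than MinRate is cut off with a 408.
RequestReadTimeout header=10-30,MinRate=500 body=10-60,MinRate=1000

# Idle keep-alive connections are also a cheap way to hold a slot open.
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# Proxy complete requests to Tomcat's HTTP connector.
ProxyPreserveHost On
ProxyPass        "/" "http://127.0.0.1:8080/"
ProxyPassReverse "/" "http://127.0.0.1:8080/"
```

The point of the MinRate form is that it is a total budget, not an idle timeout: with header=10-30 a client cannot stay connected past 30 seconds without completing its headers, no matter how regularly it sends a byte. That is the property a per-read socket timeout on the application server alone does not give you, and it is why a front end is the usual answer to this finding.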
Slow http denial of service
Hello,

our webapp, that is deployed in Tomcat 8.0.18, was tested positive as vulnerable to the slow http denial of service: "By using a single computer, it is possible to establish thousands of simultaneous connections and keep them open for a long time. During the attack, the server was rendered unavailable."

Any idea what to do with this?

Many thanks, Petr Nemecek
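A way to check the finding yourself, before and after changing timeouts: open one connection, send a request whose headers never complete, hold it, and see whether the server drops it. This is an added example and not the scanner's tool or anything from the thread. The probe function works against any HTTP server you own (point it at Tomcat, or at the httpd in front of it). The small in-process server is a stand-in with a configurable per-read header timeout so the script runs offline; it is not Tomcat, and the hostname, port and timeout values in the demo are assumptions.

```python
"""Added example, not code from the thread: single-connection slow-client probe."""
import socket
import threading

# Constructed partial request: headers started, final blank line never sent.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost\r\nX-Slow-Probe: 1\r\n"


def probe_slow_client(host, port, hold_seconds):
    """Send an incomplete request and hold the socket for hold_seconds.

    Returns True if the server closed the connection inside that window
    (an EOF, or a response such as a 408 followed by EOF), and False if
    the connection was still open when we gave up, i.e. the server is
    willing to wait on a client that never finishes its headers.
    """
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(PARTIAL_REQUEST)
        sock.settimeout(hold_seconds)
        try:
            while True:
                if sock.recv(4096) == b"":
                    return True  # EOF: the server gave up on us
        except socket.timeout:
            return False  # still open after hold_seconds


class StandInServer:
    """Minimal TCP server (not Tomcat) that reads request headers with a
    per-read timeout, like Tomcat's connectionTimeout, and closes the
    socket when that timeout expires."""

    def __init__(self, header_timeout):
        self.header_timeout = header_timeout
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(("127.0.0.1", 0))  # ephemeral port
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        self._srv.settimeout(0.2)  # wake up regularly to notice close()
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        buf = b""
        conn.settimeout(self.header_timeout)  # per-read timeout on headers
        try:
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    return  # client went away
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
        except socket.timeout:
            pass  # slow client: drop it, as a header timeout should
        finally:
            conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()


def check_timeout(header_timeout, hold_seconds):
    """Run the probe against a stand-in server with the given header timeout."""
    server = StandInServer(header_timeout)
    try:
        return probe_slow_client("127.0.0.1", server.port, hold_seconds)
    finally:
        server.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # probe a real server: host port hold_seconds
        host, port, hold = sys.argv[1], int(sys.argv[2]), float(sys.argv[3])
        print("closed by server" if probe_slow_client(host, port, hold) else "still open")
    else:
        print("0.5 s header timeout, held 3 s:", check_timeout(0.5, 3.0))   # True
        print("10 s header timeout, held 1 s: ", check_timeout(10.0, 1.0))  # False
```

Run it as `python probe.py your-host 8080 30` with a hold longer than the timeout you configured; "still open" means the server keeps a never-completing request for at least that long. One connection is enough to learn the server's policy, and the scanner's "thousands of connections" is that same behaviour multiplied by whatever connection limit you have, so there is no need to reproduce the flood to confirm the fix. Note that this only exercises the idle case: a client that sends another header line just inside each window defeats a per-read timeout, which is the gap a total header budget (such as mod_reqtimeout's) closes.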