"Rau NF" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi - Since Tomcat implements a thread per connection
> model (as per the spec), would it be open to a DoS
> attack if it does not have an Apache server in front
> of it? i.e. keep all threads busy servicing slow
> requests and valid users can't get in.

In my tests, Tomcat stands up pretty well to a DoS attack.  It will become
slow if I have one machine saturate it with requests, but they all
eventually get served.  Tomcat 5 has additional logic to throttle
connections if the load becomes high, so I'd guess that a DoS attack against
it (with the default settings) is almost impossible (you would need a DDoS
attack, since one machine couldn't maintain the concurrency necessary to
shut Tomcat down).

>
> Assuming there is no Apache server in front of Tomcat
> and Tomcat is serving everything, what's a reasonable
> connection timeout value? I know this is application
> specific but it would be interesting to hear about
> this. The goal obviously is to serve as many users as
> possible without having to create too many threads.

I tend to use 5sec (which is 5000 in server.xml), since most of my apps
write back very quickly.  Some people prefer 15sec; the current default for
Tomcat 4 is 1min.  Like anything else, it depends on your app.  If you
typically start sending back data that includes links to images/style-sheets
very quickly, then you want a low number.  Even if not, I prefer to set
disableUploadTimeout="false" to use the longer time to read the request
body.

>
> Thanks in advance
>
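
A way to check a deployment against the timeout advice in the reply above, as an added example that is not part of the original message or of Tomcat itself. The sample server.xml is constructed, `audit_connectors` is a hypothetical helper, the 15000 ms ceiling is an assumed policy taken from the reply's "15sec" figure, and a missing `connectionTimeout` is assumed to fall back to the 1 min default the reply mentions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original post).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" connectionTimeout="5000" disableUploadTimeout="false"/>
    <Connector port="8081" connectionTimeout="60000"/>
    <Connector port="8082" connectionTimeout="-1" disableUploadTimeout="true"/>
    <Connector port="8083"/>
  </Service>
</Server>
"""

DEFAULT_TIMEOUT_MS = 60000  # assumption: the "1min" default quoted in the reply


def audit_connectors(server_xml, max_timeout_ms=15000):
    """Return {port: [findings]} for every <Connector> in a server.xml string."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        findings = []
        raw = conn.get("connectionTimeout")
        try:
            timeout = DEFAULT_TIMEOUT_MS if raw is None else int(raw)
        except ValueError:
            timeout = None
        if timeout is None:
            findings.append("connectionTimeout is not an integer: %r" % raw)
        elif timeout <= 0:
            # Non-positive is treated as "never time out" (assumption for 0).
            findings.append("no timeout: an idle client holds a thread indefinitely")
        elif timeout > max_timeout_ms:
            origin = "default" if raw is None else "configured"
            findings.append("%s timeout %d ms exceeds %d ms"
                            % (origin, timeout, max_timeout_ms))
        elif conn.get("disableUploadTimeout", "").lower() != "false":
            # A short timeout is fine for the request line, but slow request
            # bodies need the longer upload timeout the reply recommends.
            findings.append("short timeout may cut off slow request bodies: "
                            "disableUploadTimeout is not explicitly \"false\"")
        report[conn.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "ok")
```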



