Hello Chris,
Thank you for your answer.
> Apache ships with mod_evasive that allows you do this. I have used
this in the past with some success. The other alternative I am aware of
is to use mod_security.
It looks interesting.
> I am not aware of anything that will run directly in front of tomcat
however - does anyone else have any suggestions? I think that was some
talk of a port of mod_security that was implemented in java (well java
calling the mod_security c library via jni). That might be mature enough
for you to try.
Anyone?
Thanks again and best regards,
--
Léa Massiot
On 2014-06-17 7:45 PM, chris derham wrote:
Léa,
>Below is what I would like to ask you:
>How do you usually protect your "Tomcat" servers and Webapps from (D)DOS
>((Distributed) Denial-of-service) attacks?
If you allow the DOS traffic to make it all the way up to the
application layer before you detect it, then the DOS will still have
an effect. The best way of stopping such traffic is to detect it at a
lower level, and then block at a firewall. Typically this can be done
by counting number of calls coming from a IP address and automatically
blocking if they exceed a threshold.
Apache ships with mod_evasive that allows you do this. I have used
this in the past with some success. The other alternative I am aware
of is to use mod_security. I am not aware of anything that will run
directly in front of tomcat however - does anyone else have any
suggestions? I think that was some talk of a port of mod_security that
was implemented in java (well java calling the mod_security c library
via jni). That might be mature enough for you to try.
HTH
Chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
