Brett wrote:
> It is described here:
> 
> http://ha.ckers.org/slowloris/

For those that aren't aware this is a well known and understood issue
that has been around for quite some time. This is just a re-hash that,
for whatever reason, is getting more attention than it probably warrants.

> Basically the attacker invokes thousands of connections, slowly sending
> header after header until the server has exhausted resources, most
> likely threads. Can tomcat use nio to process the headers then create a
> thread and execute the webapp?

Like httpd and any other web server, how a Tomcat server reacts to this
pattern of requests depends very much on configuration. You are correct
that the NIO connector should handle this more gracefully (note I
haven't tested it) as it uses non-blocking IO to read the request
headers. That said, all that really does is move the goal posts.

If you make enough requests then at some point you will hit a resource
limit. With the BIO and APR connectors this is very likely to be
threads. For the NIO connector my guess (again I haven't tested it) is
that the limit would be sockets.

Whilst you could spend a lot of time tuning Tomcat (or any other web
server) to better handle this scenario there are easier ways to achieve
the same goal. Any half-decent firewall will provide connection rate
limiting which would kill this attack stone dead.

That moves the problem to how to handle a Distributed DOS attack rather
than a simple DOS and that is somewhat harder. There are solutions
available but they tend to cost $$$. On the other hand, if your site is
valuable enough to be the target of a determined DDOS then you should be
thinking about investing in some form of DDOS protection.

Mark
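An added illustration (not from the thread, and not an official Tomcat recommendation) of the connector choice Mark describes: a blocking connector that holds a worker thread per slow client, beside an NIO connector with the limits moved to sockets and timeouts shortened. Attribute names are those of the Tomcat 7+ HTTP connector; the numeric values are constructed placeholders.

```xml
<!-- Added example, not part of the original thread. Values are illustrative. -->

<!-- Weak: blocking (BIO) connector. Each accepted socket keeps a worker thread
     busy for as long as the client keeps dribbling headers, so maxThreads is
     the resource a slow-header client exhausts first. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="200"
           connectionTimeout="20000" />

<!-- Better: NIO connector. Request headers are read with non-blocking IO, so a
     half-sent request does not pin a worker thread; the limit moves to open
     sockets. Bound that with maxConnections/acceptCount and keep the timeouts
     short so idle or slow connections are reclaimed quickly. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           maxConnections="2000"
           acceptCount="100"
           connectionTimeout="5000"
           keepAliveTimeout="5000"
           disableUploadTimeout="false"
           connectionUploadTimeout="10000"
           maxHttpHeaderSize="8192" />
```

Per-source connection rate limiting at the firewall, as the message suggests, still belongs in front of either connector; the settings above only bound what one server is willing to hold.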


