Posted to users@tomcat.apache.org by Brian Braun <br...@gmail.com> on 2013/01/13 00:56:49 UTC

How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?

Hi,

This is my infrastructure, from the point of view of what my
users/attackers are facing:

- Amazon web service Elastic Load balancer

- 2 or more Ubuntu Linux VPSs behind the load balancer

- IPTables running inside Ubuntu

- JVM 1.6.0_35-b10

- Tomcat 7.0.33

- My app, running inside Tomcat

I want to stop if one person starts making an excessive amount of requests
to my app, maybe because he needs to make all those requests but didn't
know there is a service limit in the RESTful service I'm providing, maybe
because he doesn't care about the service limits, or maybe because he wants
to attack me with a DoS.

I can do it at the app level using a servlet filter and I'm already
filtering them by IPs there, but that is not the best solution because the
http requests will go all the way to my app, causing a lot of work to the
previous layers (from the OS to the app).

I can also do it at the Tomcat level using valves, even at the engine level,
but the same concern applies here: too much previous effort. Besides that,
I can not update the offending IPs registered in the valve in a
programmatic way (as I can do using servlet filters and a MySQL database
containing the offending IPs).

I can NOT do it at the IPTables level, because the real IP address is in
the "x_forwarded_for" header and IPTables deals with TCP/IP, not with HTTP.
Or at least, even if there is a way to create a rule, it will not run in an
efficient way.

I will NOT be able to do it at the load balancer level, because Amazon
doesn't allow us to stop some IPs there, not to mention a way to stop a
DoS.

I have been doing some research, and it seems that I have two good
options: installing Apache HTTPD server or NGINX before Tomcat. I know a
lot about Tomcat, but almost nothing about Apache HTTPD and nothing about
NGINX. Which one would you recommend me? This is what I'm looking for:

- To be able to evaluate the x_forwarded_for header to recognize the real
IP address (because there will be a load balancer behind)

- To be able to limit the rate of requests based on the IP making them, entering
my site at a slower rate, or if that is not possible to reject the excessive
requests.

- To place this new layer (HTTPD or NGINX) between the load balancer and
Tomcat, so Tomcat will still run the app. My app has been written in Java
and I love Java/Tomcat, so this will definitely keep existing.

- Speed, low resources consumption (mainly CPU and RAM), stability,
reliability.

- Easy to learn, install and maintain.

Which one would you recommend, Apache or NGINX? I guess it would be better
to use Apache because of all the documentation and information out there,
and it would not harm me to finally learn about Apache. But I read
somewhere that NGINX is especially fast and light in doing this (stopping
DoS). However, I read that it is easier to connect HTTPD and Tomcat while
it is not that easy NGINX/Tomcat.
Or is there a better solution to stop users making an excessive amount of
requests, using just Tomcat? Is there a filter somewhere that could help
me, or a valve I haven't heard of?

TIA,

Brian
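An added example, not code from this thread or from Tomcat/httpd: whichever layer ends up doing the limiting (the servlet filter Brian already has, or an httpd front end later), behind the ELB the socket peer is always the load balancer, so the client address has to come from X-Forwarded-For, read from the right and trusting only the load balancer's own hop; reading it from the left lets a client choose the IP the limiter keys on. The 10.0.0.0/8 range, the header dictionary and the token-bucket numbers are assumptions.

```python
import ipaddress
import time

# Assumed placeholder for the ELB's address range: the load balancer is the
# only hop allowed to append to X-Forwarded-For, so only it is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def client_ip(peer_addr, xff_header):
    """Walk X-Forwarded-For from the right, stepping over trusted proxy hops.
    Leftmost entries are whatever the client chose to send, so reading the
    header from the left lets a client pick the IP the limiter keys on."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    candidate = peer_addr
    while hops and is_trusted(candidate):
        nxt = hops.pop()
        try:
            ipaddress.ip_address(nxt)
        except ValueError:
            break  # malformed hop: keep the last well-formed address
        candidate = nxt
    return candidate


class RateLimiter:
    """Token bucket per client IP: `rate` tokens/s refill, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[ip] = (tokens - 1 if allowed else tokens, now)
        return allowed


def handle(peer_addr, headers, limiter, now=None):
    """What a servlet filter would do: 429 when the client is over its limit."""
    ip = client_ip(peer_addr, headers.get("X-Forwarded-For", ""))
    return (200 if limiter.allow(ip, now) else 429), ip
```

If the peer is not the load balancer (someone reaching the instance directly), the header is ignored and the peer address itself is limited.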

Re: How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Brian,

On 1/12/13 6:56 PM, Brian Braun wrote:
> I can NOT do it at the IPTables level, because the real IP address
> is in the "x_forwarded_for" header and IPTables deals with TCP/IP,
> not with HTTP. Or at least, even if there is a way to create a
> rule, it will not run in an efficient way.

What makes you think that using a bizarre iptables configuration to
check X-Forwarded-For headers would be slower in iptables than, say,
httpd or nginx?

Are you using SSL between the lb and Tomcat? If so, then iptables
almost definitely won't work (or will be a total pain, as you say).

> I will NOT be able to do it a the load balancer level, because
> Amazon doesn't allow us the stop some IPs there, not to mention a
> way to stop a DoS.

You can do it, but it's a total PITA because you have to reverse all
your inbound rules. They don't currently offer blacklisting, it seems :(

> I have been doing some reasearch, and it seems that I have two
> good options: Installing Apache HTTPD server or NGINX, before
> Tomcat. I know a lot about Tomcat, but almost nothing about Apache
> HTTPD and nothing about NGINX. Which one would you recommend me?

Don't overlook squid, which was built for HTTP proxying.

On 1/13/13 8:22 AM, André Warnier wrote:
> Brian Braun wrote:
> Based on these elements, I would recommend having a look at 
> mod_evasive in Apache httpd.

I would also recommend looking at mod_qos, which is a separate package
not included with httpd.

> Note that all 3 connection methods above already include options
> for load-balancing the Tomcat back-ends, if you would see any
> advantage in suppressing the "Amazon web service Elastic Load
> balancer" layer.

NB: I've been evaluating ELB versus httpd-based lb and it turns out
that an ELB costs a bit more than a "tiny" EC2 instance that could
probably handle everything you need for an httpd-based lb. On the
other hand, ELB gives you an lb that you don't have to configure and
keep up-to-date, other than maintaining the back-end server list and
keeping the SSL certificate(s) up-to-date (if you need that kind of
thing).

> To restate the obvious : No matter at which level you do the 
> rate-limiting or DOS-protection, it is going to cost some overhead 
> somewhere. Generally-speaking however, if the point is to limit
> and discard at the request level, it is better to do it as early
> as possible.

+1

I'm actually quite surprised that Amazon doesn't offer blacklisting as
part of the ELB setup.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?

Posted by André Warnier <aw...@ice-sa.com>.

Thank you for the good description above.

Based on these elements, I would recommend having a look at mod_evasive in Apache httpd.
Google for "apache mod_security ubuntu".
(Those two are often configured together)

Connecting Apache httpd and Tomcat can be done using either
- mod_proxy and mod_proxy_http (if you want to stick to HTTP between Apache httpd and Tomcat)
- mod_proxy and mod_proxy_ajp (using the AJP protocol between Apache httpd and Tomcat)
- mod_jk (also using the AJP protocol between Apache httpd and Tomcat)
The choice between the last 2 is a matter of specific needs, convenience and preference.
There is quite a lot of previous discussion available in the list archives about this
choice of Apache/Tomcat connectors.
All of them are easy to install in Ubuntu, as there are standard apt packages for all of them.

Note that all 3 connection methods above already include options for load-balancing the 
Tomcat back-ends, if you would see any advantage in suppressing the "Amazon web service 
Elastic Load balancer" layer.

To restate the obvious:
No matter at which level you do the rate-limiting or DoS-protection, it is going to cost
some overhead somewhere. Generally speaking, however, if the point is to limit and discard
at the request level, it is better to do it as early as possible.
