Posted to users@tomcat.apache.org by Lmhelp1 <lm...@orange.fr> on 2014/06/17 19:16:57 UTC

How to protect a Tomcat server/Webapp from (D)DOS attacks

Hello,

My question is not really "Tomcat" specific but, as my Webapp is a 
"Tomcat" Webapp, I thought I should post this question here.

Below is what I would like to ask you:
How do you usually protect your "Tomcat" servers and Webapps from (D)DOS 
((Distributed) Denial-of-service) attacks?

At first, I thought I would be able to detect a user's "abnormal" 
behavior (which is not straightforward by the way...)
and then block the user/the IP packets based on their source IP.
But then I found out about "IP spoofing" (changing the source IP in an 
IP packet before sending it)...

So, here is another question: is there a way I could identify precisely 
an "attacker" and block it?
I've been reading things on the Internet for several hours and I 
couldn't find an answer to that question...

I've also been reading about "Deep packet inspection" (DPI) which would 
(theoretically) allow detecting "abnormal" packets but I don't really 
know what to think about it...
Is it a technique you commonly use? Which tools can be used?

Do you have a security strategy/some advice that you can share with me?

I know this is a delicate question (and I am not a potential attacker :).
Thank you and best regards,
--
Léa Massiot

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to protect a Tomcat server/Webapp from (D)DOS attacks

Posted by Lmhelp1 <lm...@orange.fr>.
Hello Chris,

Thank you for your answer.

> Apache ships with mod_evasive that allows you to do this. I have used
> this in the past with some success. The other alternative I am aware of
> is to use mod_security.

It looks interesting.

> I am not aware of anything that will run directly in front of Tomcat
> however - does anyone else have any suggestions? I think there was some
> talk of a port of mod_security that was implemented in Java (well, Java
> calling the mod_security C library via JNI). That might be mature enough
> for you to try.

Anyone?

Thanks again and best regards,
--
Léa Massiot




On 2014-06-17 7:45 PM, chris derham wrote:
> Léa,
>
>> Below is what I would like to ask you:
>> How do you usually protect your "Tomcat" servers and Webapps from (D)DOS
>> ((Distributed) Denial-of-service) attacks?
> If you allow the DOS traffic to make it all the way up to the
> application layer before you detect it, then the DOS will still have
> an effect. The best way of stopping such traffic is to detect it at a
> lower level, and then block at a firewall. Typically this can be done
> by counting the number of calls coming from an IP address and
> automatically blocking if they exceed a threshold.
>
> Apache ships with mod_evasive that allows you to do this. I have used
> this in the past with some success. The other alternative I am aware
> of is to use mod_security. I am not aware of anything that will run
> directly in front of Tomcat however - does anyone else have any
> suggestions? I think there was some talk of a port of mod_security that
> was implemented in Java (well, Java calling the mod_security C library
> via JNI). That might be mature enough for you to try.
>
> HTH
>
> Chris



Re: How to protect a Tomcat server/Webapp from (D)DOS attacks

Posted by chris derham <ch...@derham.me.uk>.
Léa,

> Below is what I would like to ask you:
> How do you usually protect your "Tomcat" servers and Webapps from (D)DOS
> ((Distributed) Denial-of-service) attacks?

If you allow the DOS traffic to make it all the way up to the
application layer before you detect it, then the DOS will still have
an effect. The best way of stopping such traffic is to detect it at a
lower level, and then block at a firewall. Typically this can be done
by counting the number of calls coming from an IP address and
automatically blocking if they exceed a threshold.

Apache ships with mod_evasive that allows you to do this. I have used
this in the past with some success. The other alternative I am aware
of is to use mod_security. I am not aware of anything that will run
directly in front of Tomcat however - does anyone else have any
suggestions? I think there was some talk of a port of mod_security that
was implemented in Java (well, Java calling the mod_security C library
via JNI). That might be mature enough for you to try.

HTH

Chris
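
The per-IP counting described in the reply above, sketched as an added example (not code from this thread, from mod_evasive or from Tomcat): a sliding-window counter over access-log lines that reports which source addresses exceed a threshold, so they can be handed to a firewall. The log layout (Tomcat AccessLogValve "common" pattern), the threshold, the window and every address below are assumptions and constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Leading fields of a "common" access-log line: client IP, two ids, [timestamp].
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp) for a line matching the layout, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FORMAT)

def find_offenders(lines, threshold=5, window=timedelta(seconds=10)):
    """Map each IP to the moment it first exceeded `threshold` requests
    inside a sliding `window`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue              # ignore malformed lines rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop requests that fell out of the window
            q.popleft()
        if len(q) > threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

def sample_lines():
    """Constructed sample: one bursty client, one slow client, one bad line."""
    base = datetime(2014, 6, 17, 19, 0, 0, tzinfo=timezone(timedelta(hours=2)))
    burst = [(base + timedelta(seconds=i), "203.0.113.7") for i in range(8)]
    slow = [(base + timedelta(seconds=20 * i), "198.51.100.4") for i in range(8)]
    fmt = '{} - - [{}] "GET /app/ HTTP/1.1" 200 512'
    lines = [fmt.format(ip, t.strftime(TS_FORMAT)) for t, ip in sorted(burst + slow)]
    return lines + ["not an access-log line"]

if __name__ == "__main__":
    for ip, when in find_offenders(sample_lines()).items():
        print(f"block candidate: {ip} (exceeded threshold at {when.isoformat()})")
```

Behind a reverse proxy or load balancer the logged address is the proxy's unless the real client address is restored, so the counter has to run where the true source address is visible.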
