You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by Mats Henricson <ma...@henricson.se> on 2009/10/14 14:08:35 UTC
DDOS emergency button for Tapestry 5?
Hi!
I'm working on a Tapestry 5.1 site that frequently gets hammered
by DDOS attacks. We recently talked about it in our team, and one
idea I'm currently investigating is to have a flag in our system
that I can turn on dynamically that would require all users to be
logged in.
So, real users wouldn't see anything, but simple attacks by
anonymous users would be sent to a "Sorry, we're requiring all
users to be logged in, since we are under a DDOS attack" page.
The way I was thinking of doing this would be to have a SetupRender
function in the base class all pages inherits from, and in it do
a check if the user is logged in.
But I can only return true or false from that page, not redirect
to another page, from my limited knowledge.
So, what would you guys do? Is there a simpler solution? A filter?
Mats
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: DDOS emergency button for Tapestry 5?
Posted by Sebastian Hennebrueder <us...@laliluna.de>.
Depending on the serverity of the attack, you will need to to do this in
the network layer as higher layers can not sustain much load.
Assuming a Linux based server, this can be done with iptables.
The idea with the author cookie is nice but keep in mind that you need
to be able to login as well (without cookie). You need to disable DOS
protection for the login, which leaves a door for DOS.
Best Regards
Sebastian Hennebrueder
Andreas Andreou schrieb:
> i'd also recommend Sergey's suggestion - it also frees up
> app server resources/threads since the app server won't need to wait
> for clients to get all the bytes of each response.
>
> On Wed, Oct 14, 2009 at 11:03 PM, Sergey Didenko
> <se...@gmail.com> wrote:
>> It is more effective to use reverse proxy like nginx as a frontend.
>> And use it to cut ddos requests.
>>
>> You will need to setup it with a rule like "if the request does not
>> contain auth cookie - send error.html ". May be more complex one
>> because this can be hijacked with a fake cookie.
>>
>> Even more effective ways are to somehow identify bad requests and cut
>> them with firewall or even router.
>>
>> On Wed, Oct 14, 2009 at 3:30 PM, Mats Henricson <ma...@henricson.se> wrote:
>>>>> Hi!
>>>> Hi!
>>> Hi!
>>>
>>> You Tapestry guys are slow today. It took a whopping 8 minutes to
>>> get an answer... ;-)
>>>
>>>>> So, what would you guys do? Is there a simpler solution? A filter?
>>>> I would use a ResquestFilter or a Dispatcher checking some service (that
>>>> would hold the underDDoS field) and redirecting to a given page when
>>>> needed.
>>> Thanks a lot! I'll look at it!
>>>
>>> Mats
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>>> For additional commands, e-mail: users-help@tapestry.apache.org
>>>
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>>
>>
>
>
>
--
Best Regards / Viele Grüße
Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: DDOS emergency button for Tapestry 5?
Posted by Andreas Andreou <an...@di.uoa.gr>.
i'd also recommend Sergey's suggestion - it also frees up
app server resources/threads since the app server won't need to wait
for clients to get all the bytes of each response.
On Wed, Oct 14, 2009 at 11:03 PM, Sergey Didenko
<se...@gmail.com> wrote:
> It is more effective to use reverse proxy like nginx as a frontend.
> And use it to cut ddos requests.
>
> You will need to setup it with a rule like "if the request does not
> contain auth cookie - send error.html ". May be more complex one
> because this can be hijacked with a fake cookie.
>
> Even more effective ways are to somehow identify bad requests and cut
> them with firewall or even router.
>
> On Wed, Oct 14, 2009 at 3:30 PM, Mats Henricson <ma...@henricson.se> wrote:
>>>> Hi!
>>>
>>> Hi!
>>
>> Hi!
>>
>> You Tapestry guys are slow today. It took a whopping 8 minutes to
>> get an answer... ;-)
>>
>>>> So, what would you guys do? Is there a simpler solution? A filter?
>>>
>>> I would use a ResquestFilter or a Dispatcher checking some service (that
>>> would hold the underDDoS field) and redirecting to a given page when
>>> needed.
>>
>> Thanks a lot! I'll look at it!
>>
>> Mats
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>
--
Andreas Andreou - andyhot@apache.org - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: DDOS emergency button for Tapestry 5?
Posted by Sergey Didenko <se...@gmail.com>.
It is more effective to use reverse proxy like nginx as a frontend.
And use it to cut ddos requests.
You will need to setup it with a rule like "if the request does not
contain auth cookie - send error.html ". May be more complex one
because this can be hijacked with a fake cookie.
Even more effective ways are to somehow identify bad requests and cut
them with firewall or even router.
On Wed, Oct 14, 2009 at 3:30 PM, Mats Henricson <ma...@henricson.se> wrote:
>>> Hi!
>>
>> Hi!
>
> Hi!
>
> You Tapestry guys are slow today. It took a whopping 8 minutes to
> get an answer... ;-)
>
>>> So, what would you guys do? Is there a simpler solution? A filter?
>>
>> I would use a ResquestFilter or a Dispatcher checking some service (that
>> would hold the underDDoS field) and redirecting to a given page when
>> needed.
>
> Thanks a lot! I'll look at it!
>
> Mats
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: DDOS emergency button for Tapestry 5?
Posted by Mats Henricson <ma...@henricson.se>.
>> Hi!
>
> Hi!
Hi!
You Tapestry guys are slow today. It took a whopping 8 minutes to
get an answer... ;-)
>> So, what would you guys do? Is there a simpler solution? A filter?
>
> I would use a ResquestFilter or a Dispatcher checking some service (that
> would hold the underDDoS field) and redirecting to a given page when
> needed.
Thanks a lot! I'll look at it!
Mats
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: DDOS emergency button for Tapestry 5?
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
Em Wed, 14 Oct 2009 09:08:35 -0300, Mats Henricson <ma...@henricson.se>
escreveu:
> Hi!
Hi!
> So, what would you guys do? Is there a simpler solution? A filter?
I would use a ResquestFilter or a Dispatcher checking some service (that
would hold the underDDoS field) and redirecting to a given page when
needed.
--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: DDOS emergency button for Tapestry 5?
Posted by Mats Henricson <ma...@henricson.se>.
A simple HTML probably seems like the best idea, or I could go
into an infinite loop. And even if there was no such loop, a
simple HTML would stand up best under a DDOS attack.
Mats
> Sorry, did a mistake, correct reply is:
> On what kind of page do you want to redirect? A Tapestry page or a simple
> HTML page (which I think should be better when are under a DDOS attack) ?
> You have a lot of places where you can interact, depending on the previous
> question :-)
>
> On Wed, Oct 14, 2009 at 2:15 PM, Robin Komiwes <od...@gmail.com> wrote:
>
>> On what kind of page do you want to interact? A Tapestry page or a simple
>> HTML page (which I think should be better when are under a DDOS attack) ?You
>> have a lot of places where you can interact, depending on the previous
>> question :-)
>>
>>
>> On Wed, Oct 14, 2009 at 2:08 PM, Mats Henricson <ma...@henricson.se> wrote:
>>
>>> Hi!
>>>
>>> I'm working on a Tapestry 5.1 site that frequently gets hammered
>>> by DDOS attacks. We recently talked about it in our team, and one
>>> idea I'm currently investigating is to have a flag in our system
>>> that I can turn on dynamically that would require all users to be
>>> logged in.
>>>
>>> So, real users wouldn't see anything, but simple attacks by
>>> anonymous users would be sent to a "Sorry, we're requiring all
>>> users to be logged in, since we are under a DDOS attack" page.
>>>
>>> The way I was thinking of doing this would be to have a SetupRender
>>> function in the base class all pages inherits from, and in it do
>>> a check if the user is logged in.
>>>
>>> But I can only return true or false from that page, not redirect
>>> to another page, from my limited knowledge.
>>>
>>> So, what would you guys do? Is there a simpler solution? A filter?
>>>
>>> Mats
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>>> For additional commands, e-mail: users-help@tapestry.apache.org
>>>
>>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: DDOS emergency button for Tapestry 5?
Posted by Robin Komiwes <od...@gmail.com>.
Sorry, did a mistake, correct reply is:
On what kind of page do you want to redirect? A Tapestry page or a simple
HTML page (which I think should be better when are under a DDOS attack) ?
You have a lot of places where you can interact, depending on the previous
question :-)
On Wed, Oct 14, 2009 at 2:15 PM, Robin Komiwes <od...@gmail.com> wrote:
> On what kind of page do you want to interact? A Tapestry page or a simple
> HTML page (which I think should be better when are under a DDOS attack) ?You
> have a lot of places where you can interact, depending on the previous
> question :-)
>
>
> On Wed, Oct 14, 2009 at 2:08 PM, Mats Henricson <ma...@henricson.se> wrote:
>
>> Hi!
>>
>> I'm working on a Tapestry 5.1 site that frequently gets hammered
>> by DDOS attacks. We recently talked about it in our team, and one
>> idea I'm currently investigating is to have a flag in our system
>> that I can turn on dynamically that would require all users to be
>> logged in.
>>
>> So, real users wouldn't see anything, but simple attacks by
>> anonymous users would be sent to a "Sorry, we're requiring all
>> users to be logged in, since we are under a DDOS attack" page.
>>
>> The way I was thinking of doing this would be to have a SetupRender
>> function in the base class all pages inherits from, and in it do
>> a check if the user is logged in.
>>
>> But I can only return true or false from that page, not redirect
>> to another page, from my limited knowledge.
>>
>> So, what would you guys do? Is there a simpler solution? A filter?
>>
>> Mats
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: users-help@tapestry.apache.org
>>
>>
>
Re: DDOS emergency button for Tapestry 5?
Posted by Robin Komiwes <od...@gmail.com>.
On what kind of page do you want to interact? A Tapestry page or a simple
HTML page (which I think should be better when are under a DDOS attack) ?You
have a lot of places where you can interact, depending on the previous
question :-)
On Wed, Oct 14, 2009 at 2:08 PM, Mats Henricson <ma...@henricson.se> wrote:
> Hi!
>
> I'm working on a Tapestry 5.1 site that frequently gets hammered
> by DDOS attacks. We recently talked about it in our team, and one
> idea I'm currently investigating is to have a flag in our system
> that I can turn on dynamically that would require all users to be
> logged in.
>
> So, real users wouldn't see anything, but simple attacks by
> anonymous users would be sent to a "Sorry, we're requiring all
> users to be logged in, since we are under a DDOS attack" page.
>
> The way I was thinking of doing this would be to have a SetupRender
> function in the base class all pages inherits from, and in it do
> a check if the user is logged in.
>
> But I can only return true or false from that page, not redirect
> to another page, from my limited knowledge.
>
> So, what would you guys do? Is there a simpler solution? A filter?
>
> Mats
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>
Re: DDOS emergency button for Tapestry 5?
Posted by Ulrich Stärk <ul...@spielviel.de>.
I'd do it with a RequestFilter.
Uli
Am 14.10.2009 14:08 schrieb Mats Henricson:
> Hi!
>
> I'm working on a Tapestry 5.1 site that frequently gets hammered
> by DDOS attacks. We recently talked about it in our team, and one
> idea I'm currently investigating is to have a flag in our system
> that I can turn on dynamically that would require all users to be
> logged in.
>
> So, real users wouldn't see anything, but simple attacks by
> anonymous users would be sent to a "Sorry, we're requiring all
> users to be logged in, since we are under a DDOS attack" page.
>
> The way I was thinking of doing this would be to have a SetupRender
> function in the base class all pages inherits from, and in it do
> a check if the user is logged in.
>
> But I can only return true or false from that page, not redirect
> to another page, from my limited knowledge.
>
> So, what would you guys do? Is there a simpler solution? A filter?
>
> Mats
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org