Posted to users@tomcat.apache.org by Petr Nemecek <pn...@cmail.cz> on 2015/03/14 20:32:46 UTC

Slow http denial of service

Hello,

our webapp, that is deployed in Tomcat 8.0.18, was tested positive as
vulnerable to the slow http denial of service: "By using a single computer,
it is possible to establish thousands of simultaneous connections and keep
them open for a long time. During the attack, the server was rendered
unavailable."

Any idea what to do with this?

Many thanks,
 Petr Nemecek


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Slow http denial of service

Posted by Mark Eggers <it...@yahoo.com.INVALID>.

On 3/14/2015 12:32 PM, Petr Nemecek wrote:
> Hello,
> 
> our webapp, that is deployed in Tomcat 8.0.18, was tested positive
> as vulnerable to the slow http denial of service: "By using a
> single computer, it is possible to establish thousands of
> simultaneous connections and keep them open for a long time. During
> the attack, the server was rendered unavailable."
> 
> Any idea what to do with this?
> 
> Many thanks, Petr Nemecek

Google the following:

tomcat 7 slow loris mitigation

There are several discussions on how to mitigate this.

Bugzilla entry for Tomcat 6.0.36:

https://bz.apache.org/bugzilla/show_bug.cgi?id=54263

Redhat:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6750

It looks like a suitably configured firewall or
mod_reqtimeout

http://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html

are the available solutions.

. . . just my two cents
/mde/




Re: Slow http denial of service

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Robert,

On 3/16/15 8:41 AM, Robert Klemme wrote:
> On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris
> <aterrestris@gmail.com> wrote:
> 
>> I agree with the NIO connector which gives good results to this 
>> problem. Also, on Linux you can configure iptables firewall to
>> limit the number of connections from one IP (
>> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
>> )
>> 
> 
> What I find difficult about this approach is that because of NAT
> the number of individual machines (and hence connections that are
> reasonable) behind a single IP can vary vastly. What value will you
> pick to not discriminate large organizations?

Or anyone using a service like AOL which proxies everyone through a
small number of IP addresses.

If you are worried about a DOS but not a DDOS, you aren't being honest
with yourself.

-chris



Re: Slow http denial of service

Posted by Aurélien Terrestris <at...@gmail.com>.
Christopher,

there are several questions in the same thread. The first one about
SlowLoris was answered long ago (
http://tomcat.10.x6.nabble.com/is-tomcat-6-0-35-vulnerable-to-CVE-2007-6750-td5000085.html
). On the contrary, for fast connection opening (DOS), we can
configure the firewall in order to temporarily ban an IP if it has
reached something like 20 connections/second.
The problem becomes more difficult if we're facing a DDOS: if the
traffic is good old HTTP then we must challenge our clients (captcha,
javascript), then we know who we have to ban (F5 products can do that,
or use Cloudflare/AKAMAI). If it's not HTTP (IP spoofing, DNS
recursive requests, ...) we need to configure the router or the entrance
firewall. I believe there is no cheap solution to fight against a
300G/s flood.

> What about non-users?
Blocked by router/firewall if they were sending something really
stupid, so I don't have any idea about how many of them. Google bots
and others, not even 1% of traffic. We had several crashes because of too
much traffic when thousands of people were connecting at the same time
to get special news from the company. This doesn't happen anymore
after buying servers 20 times more powerful, but I'm not working
there anymore.





2015-03-16 21:09 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net>:
>
> Aurélien,
>
> On 3/16/15 9:16 AM, Aurélien Terrestris wrote:
>> As browsers (at least the ones I know) open 2 connections to
>> browse websites
>
> That number has been bigger than 2 for quite a while, now:
>
> http://stackoverflow.com/questions/985431/max-parallel-http-connections-in-a-browser
>
> We aren't talking about nice clients, here, though, but clients that
> are intentionally trying to bring-down a site. The maximum number of
> connections a legit web browser will open to a single host/IP is not
> relevant.
>
>> we could have a look on the hourly stats and estimate this (under
>> 100 without problem). I never met such problem anyway, the highest
>> traffic being 120 000 different users/day.
>
> What about non-users?
>
> -chris



Re: Slow http denial of service

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Aurélien,

On 3/16/15 9:16 AM, Aurélien Terrestris wrote:
> As browsers (at least the ones I know) open 2 connections to
> browse websites

That number has been bigger than 2 for quite a while, now:

http://stackoverflow.com/questions/985431/max-parallel-http-connections-in-a-browser

We aren't talking about nice clients, here, though, but clients that
are intentionally trying to bring-down a site. The maximum number of
connections a legit web browser will open to a single host/IP is not
relevant.

> we could have a look on the hourly stats and estimate this (under
> 100 without problem). I never met such problem anyway, the highest
> traffic being 120 000 different users/day.

What about non-users?

-chris



Re: Slow http denial of service

Posted by Aurélien Terrestris <at...@gmail.com>.
As browsers (at least the ones I know) open 2 connections to browse
websites, we could have a look at the hourly stats and estimate this
(under 100 without problem). I never met such a problem anyway, the
highest traffic being 120 000 different users/day.

If you really have to face DDOS as said by Christopher, you would have
to use something like cloudflare. For very big sites, AKAMAI,..

2015-03-16 13:50 GMT+01:00 David kerber <dc...@verizon.net>:
> On 3/16/2015 8:41 AM, Robert Klemme wrote:
>>
>> On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris
>> <aterrestris@gmail.com
>>>
>>> wrote:
>>
>>
>>> I agree with the NIO connector which gives good results to this
>>> problem. Also, on Linux you can configure iptables firewall to limit
>>> the number of connections from one IP (
>>>
>>>
>>> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
>>> )
>>>
>>
>> What I find difficult about this approach is that because of NAT the
>> number
>> of individual machines (and hence connections that are reasonable) behind
>> a
>> single IP can vary vastly. What value will you pick to not discriminate
>> large organizations?
>
>
> That is a reasonable question, but the owner of a web site should have some
> idea of who their clients are, and have a feel for a reasonable number to
> allow.  Obviously a site with a large clientele will be able to handle a
> larger number of connections, whether they're legit or not.
>



Re: Slow http denial of service

Posted by David kerber <dc...@verizon.net>.
On 3/16/2015 8:41 AM, Robert Klemme wrote:
> On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris <aterrestris@gmail.com
>> wrote:
>
>> I agree with the NIO connector which gives good results to this
>> problem. Also, on Linux you can configure iptables firewall to limit
>> the number of connections from one IP (
>>
>> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
>> )
>>
>
> What I find difficult about this approach is that because of NAT the number
> of individual machines (and hence connections that are reasonable) behind a
> single IP can vary vastly. What value will you pick to not discriminate
> large organizations?

That is a reasonable question, but the owner of a web site should have 
some idea of who their clients are, and have a feel for a reasonable 
number to allow.  Obviously a site with a large clientele will be able 
to handle a larger number of connections, whether they're legit or not.






Re: Slow http denial of service

Posted by Robert Klemme <sh...@googlemail.com>.
On Sun, Mar 15, 2015 at 10:07 AM, Aurélien Terrestris <aterrestris@gmail.com
> wrote:

> I agree with the NIO connector which gives good results to this
> problem. Also, on Linux you can configure iptables firewall to limit
> the number of connections from one IP (
>
> http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
> )
>

What I find difficult about this approach is that because of NAT the number
of individual machines (and hence connections that are reasonable) behind a
single IP can vary vastly. What value will you pick to not discriminate
large organizations?

Kind regards

robert

Re: Slow http denial of service

Posted by Aurélien Terrestris <at...@gmail.com>.
I agree with the NIO connector which gives good results to this
problem. Also, on Linux you can configure iptables firewall to limit
the number of connections from one IP (
http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable
)
I would not rely on Apache for this, since Apache also has its own
similar problems on some versions (with proxypass or mod-jk...).

2015-03-15 0:15 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net>:
>
> Petr,
>
> On 3/14/15 3:32 PM, Petr Nemecek wrote:
>> Hello,
>>
>> our webapp, that is deployed in Tomcat 8.0.18, was tested positive
>> as vulnerable to the slow http denial of service: "By using a
>> single computer, it is possible to establish thousands of
>> simultaneous connections and keep them open for a long time. During
>> the attack, the server was rendered unavailable."
>>
>> Any idea what to do with this?
>
> Using the NIO connector is the best you can do, here. Or, front Tomcat
> with a web server that has its own mitigation techniques.
>
> -chris



Re: Slow http denial of service

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Petr,

On 3/14/15 3:32 PM, Petr Nemecek wrote:
> Hello,
> 
> our webapp, that is deployed in Tomcat 8.0.18, was tested positive
> as vulnerable to the slow http denial of service: "By using a
> single computer, it is possible to establish thousands of
> simultaneous connections and keep them open for a long time. During
> the attack, the server was rendered unavailable."
> 
> Any idea what to do with this?

Using the NIO connector is the best you can do, here. Or, front Tomcat
with a web server that has its own mitigation techniques.

-chris

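The replies above converge on two Tomcat-side settings: run the NIO connector rather than the blocking one, and keep the connection timeout short. The following audit script is an added example, not code from this thread or from the Tomcat project; it checks a server.xml for exactly those settings. The 20 s threshold and the two sample server.xml fragments are constructed assumptions.

```python
"""Audit Tomcat server.xml <Connector> elements for slow-HTTP exposure."""
import xml.etree.ElementTree as ET

# The explicit blocking (BIO) connector pins one worker thread per open socket,
# so idle connections held open by a slow client exhaust maxThreads.
BLOCKING_PROTOCOL = "org.apache.coyote.http11.Http11Protocol"
# Idle-read budget accepted here (assumption): the 20 s the stock server.xml ships with.
MAX_CONNECTION_TIMEOUT_MS = 20000


def audit_connectors(server_xml: str) -> list:
    """Return one finding dict per HTTP connector; AJP connectors are skipped."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if proto.startswith("AJP") or "Ajp" in proto:
            continue
        issues = []
        if proto == BLOCKING_PROTOCOL:
            issues.append("blocking connector; use org.apache.coyote.http11.Http11NioProtocol")
        timeout = conn.get("connectionTimeout")
        if timeout is None:
            issues.append("connectionTimeout unset (Tomcat default is 60000 ms)")
        elif int(timeout) < 0 or int(timeout) > MAX_CONNECTION_TIMEOUT_MS:
            # -1 disables the timeout entirely: a slow client can hold the socket forever.
            issues.append(f"connectionTimeout={timeout} lets slow clients hold sockets")
        findings.append({
            "port": conn.get("port"),
            "protocol": proto,
            # NIO parks idle sockets in a poller without a thread; maxConnections bounds them.
            "maxConnections": conn.get("maxConnections"),  # None means Tomcat's default
            "issues": issues,
        })
    return findings


# Constructed sample fragments (not taken from the thread).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="org.apache.coyote.http11.Http11Protocol"
             connectionTimeout="-1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
             connectionTimeout="20000" maxConnections="8192" maxThreads="200"
             acceptCount="100" redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_connectors(xml):
            print(label, f["port"], f["protocol"], f["issues"] or "OK")
```

Run it against your own server.xml by passing the file contents to audit_connectors; a connector with an empty issues list matches what the thread recommends.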