Posted to dev@tomcat.apache.org by "Fischer, Ilona" <Fi...@immobilienscout24.de> on 2003/07/28 18:17:55 UTC

AW: AW: [5.0] Connector default configuration + connection timeout

IMHO it's the definition of a proxy to send/receive requests instead of
client... that means only the proxy was talking with the webserver -> in the
HTTP-header was only the IP of the Proxy

Regards :o)
Ilona


> -----Original Message-----
> From: Henri Gomez [mailto:hgomez@apache.org]
> Sent: Monday, July 28, 2003 18:01
> To: Tomcat Developers List
> Subject: Re: AW: [5.0] Connector default configuration + connection
> timeout
> 
> 
> Fischer, Ilona wrote:
> 
> >>Protection against DOS attack should also have some glues like :
> >>
> >>- Max clients from the same IP (ie DOS attack from the same host).
> > 
> > How would you distinguish between users coming from big proxy and a
> > DOS-attack? Our access.logs shows that approx. 30% accesses comes from
> > t-online (a big ISP in Germany) and AOL....
> 
> That's right (T-ONLINE and AOL) are big hackers ;)
> 
> More seriously, in such case there must be the original IP somewhere
> in the HTTP header isn't it ?
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 



Re: AW: AW: [5.0] Connector default configuration + connection timeout

Posted by Stefanos Karasavvidis <st...@msc.gr>.
Section 14.45 of HTTP 1.1 states:
The Via general-header field MUST be used by gateways and proxies to 
indicate the intermediate protocols and recipients between the user 
agent and the server on requests, and between the origin server and 
the client on responses......

This means that if a proxy is involved there will be a Via header.

Moreover there is the X-Forwarded-For header (NOT part of the standard) 
used for example by squid proxy, which indicates the original host 
issuing the request.

Of course nothing prohibits a DoS host to insert these headers to fake a 
proxy!!

Stefanos

Fischer, Ilona wrote:

> IMHO it's the definition of a proxy to send/receive requests instead of
> client... that means only the proxy was talking with the webserver -> in the
> HTTP-header was only the IP of the Proxy
> 
> Regards :o)
> Ilona
> 
> 
> 
>>-----Original Message-----
>>From: Henri Gomez [mailto:hgomez@apache.org]
>>Sent: Monday, July 28, 2003 18:01
>>To: Tomcat Developers List
>>Subject: Re: AW: [5.0] Connector default configuration + connection
>>timeout
>>
>>
>>Fischer, Ilona wrote:
>>
>>
>>>>Protection against DOS attack should also have some glues like :
>>>>
>>>>- Max clients from the same IP (ie DOS attack from the same host).
>>>
>>>How would you distinguish between users coming from big proxy and a
>>>DOS-attack? Our access.logs shows that approx. 30% accesses comes from
>>>t-online (a big ISP in Germany) and AOL....
>>
>>That's right (T-ONLINE and AOL) are big hackers ;)
>>
>>More seriously, in such case there must be the original IP somewhere
>>in the HTTP header isn't it ?

-- 
======================================================================
Stefanos Karasavvidis
Electronic & Computer Engineer
e-mail : stefos@msc.gr

Multimedia Systems Center S.A.
Kissamou 178
73100 Chania - Crete - Hellas
http://www.msc.gr

Tel : +30 2821 0 88447
Fax : +30 2821 0 88427
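
The following Java example is added here and is not from the thread or from Tomcat's code. It applies a per-client cap keyed on a resolved address, honoring X-Forwarded-For only when the TCP peer is on a trusted-proxy list, so a host that inserts the header itself is still counted by its own address. The class name, the trusted proxy address and all sample IPs are constructed assumptions.

```java
import java.util.*;

// Added illustration; class name, proxy list and sample addresses are assumptions.
public class ForwardedClientLimiter {
    private final Set<String> trustedProxies;   // proxies we operate or explicitly trust
    private final int maxPerClient;             // cap on concurrent requests per client key
    private final Map<String, Integer> active = new HashMap<>();

    ForwardedClientLimiter(Set<String> trustedProxies, int maxPerClient) {
        this.trustedProxies = trustedProxies;
        this.maxPerClient = maxPerClient;
    }

    /** Address to count against: the TCP peer, unless that peer is a trusted proxy. */
    String clientKey(String peerAddr, String xForwardedFor) {
        if (xForwardedFor == null || !trustedProxies.contains(peerAddr)) {
            return peerAddr;   // a header sent by an untrusted peer is client-controlled
        }
        // Trusted proxies append on the right, so walk right to left and stop at the
        // first hop that is not one of ours; entries left of it may be forged.
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) return hop;
        }
        return peerAddr;
    }

    synchronized boolean tryAcquire(String peerAddr, String xForwardedFor) {
        String key = clientKey(peerAddr, xForwardedFor);
        int n = active.getOrDefault(key, 0);
        if (n >= maxPerClient) return false;
        active.put(key, n + 1);
        return true;
    }

    synchronized void release(String peerAddr, String xForwardedFor) {
        active.computeIfPresent(clientKey(peerAddr, xForwardedFor), (k, n) -> n > 1 ? n - 1 : null);
    }
    public static void main(String[] args) {
        ForwardedClientLimiter l = new ForwardedClientLimiter(Set.of("10.0.0.5"), 1);
        // Two users behind the trusted proxy get separate keys.
        System.out.println(l.tryAcquire("10.0.0.5", "198.51.100.7"));
        System.out.println(l.tryAcquire("10.0.0.5", "198.51.100.8"));
        // Direct host faking a proxy: header ignored, counted by its own address.
        System.out.println(l.tryAcquire("203.0.113.9", "198.51.100.50"));
        System.out.println(l.tryAcquire("203.0.113.9", "198.51.100.51"));
    }
}
```

With a cap of 1, both proxied users are admitted, while the second request from the header-faking host is refused because both of its requests resolve to its own peer address.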




Re: AW: AW: [5.0] Connector default configuration + connection timeout

Posted by Henri Gomez <hg...@users.sourceforge.net>.
Bill Barker wrote:

> ----- Original Message ----- 
> From: "Henri Gomez" <hg...@apache.org>
> To: "Tomcat Developers List" <to...@jakarta.apache.org>
> Sent: Tuesday, July 29, 2003 12:46 AM
> Subject: Re: AW: AW: [5.0] Connector default configuration + connection
> timeout
> 
> 
> 
>>Fischer, Ilona wrote:
>>
>>>IMHO it's the definition of a proxy to send/receive requests instead of
>>>client... that means only the proxy was talking with the webserver -> in the
>>>HTTP-header was only the IP of the Proxy
>>>
>>
>>And what about the Via: header ?
>>
> 
> 
> It's unreliable at best:  I routinely configure mod_proxy to suppress it.
> And, in any case, it only tells you the name of the Proxy (which you already
> know ;-).

Ok.

Preventing DOS attack is not an easy task, that's why I prefer using 
Tomcat behind a native web-server like Apache 2.

BTW, strategy could be invented but we may always be one step behind
attackers.




Re: AW: AW: [5.0] Connector default configuration + connection timeout

Posted by Bill Barker <wb...@wilshire.com>.
----- Original Message ----- 
From: "Henri Gomez" <hg...@apache.org>
To: "Tomcat Developers List" <to...@jakarta.apache.org>
Sent: Tuesday, July 29, 2003 12:46 AM
Subject: Re: AW: AW: [5.0] Connector default configuration + connection
timeout


> Fischer, Ilona wrote:
> > IMHO it's the definition of a proxy to send/receive requests instead of
> > client... that means only the proxy was talking with the webserver -> in the
> > HTTP-header was only the IP of the Proxy
> >
>
> And what about the Via: header ?
>

It's unreliable at best:  I routinely configure mod_proxy to suppress it.
And, in any case, it only tells you the name of the Proxy (which you already
know ;-).



Re: AW: AW: [5.0] Connector default configuration + connection timeout

Posted by Henri Gomez <hg...@apache.org>.
Fischer, Ilona wrote:
> IMHO it's the definition of a proxy to send/receive requests instead of
> client... that means only the proxy was talking with the webserver -> in the
> HTTP-header was only the IP of the Proxy
> 

And what about the Via: header ?

