Posted to users@tomcat.apache.org by Brian Braun <br...@gmail.com> on 2012/09/30 07:44:10 UTC

How to limit the number of sessions per IP address (DOS attacks)

Hi,

I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).

I'm providing a geolocation service. My users invoke a URL on my server
(something like http://services.acme.com/locate?ip=......) providing the IP
address, and it responds with the geolocation info. This service must admit
a very high rate of queries, and it is doing it successfully now. This URL
doesn't create sessions in order to save resources, and because sessions
are not required after all. Each call is treated individually, no need to
link them in sessions. In other words, this is a RESTful service.

Besides the service URL, I have a website in the form
http://www.acme.com ("www." instead of "services."). This website has a
demo page where visitors can type an IP address and see the response
(values, format, and an explanation of that). This website DOES create
sessions, because it is
necessary given that the user logs in, uses his account, manages his
license codes, etc.

The problem is that some people are requesting the demo URL at a very high
rate, instead of requesting the special service URL that has been designed
to provide the service returning a response in XML. When they request this
demo page at a very high rate, a ton of sessions are being created and
Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcat gets
slower and slower, and dies at the end. In other words, this is something
similar to a DOS attack (Denial Of Service).
I need to solve this. I need a way to limit the number of sessions that are
being created for the same IP, and in the same host under Tomcat, so if
these people start doing this, the app will stop them.
It is very important to be able to apply a solution just to the "www" website,
not to the other "services." subdomain, so the solution must not be global
to the Tomcat engine.

What would you recommend as a strategy?
Is there some kind of valve that I can use in the server.xml file to solve
this?
Should I create a filter that does this? Is a filter the best place to
implement a solution?
Is there a way to inspect the API and get the list of current sessions? Or
do I need to build my own list at the application scope, most likely using
the events when a session is created or destroyed to update this list?
Is there a solution already built? Or do I have to program one from scratch?

Note: I want to solve it at the host or context level. Not at the Tomcat
engine level, or at the Linux level (IPTables/firewall), or adding Apache
HTTPD server before Tomcat.

Thanks in advance!

Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Pid * <pi...@pidster.com>.
On 30 Sep 2012, at 06:44, Brian Braun <br...@gmail.com> wrote:

> Hi,
>
> I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).
>
> I'm providing a geolocation service. My users invoke a URL on my server
> (something like http://services.acme.com/locate?ip=......) providing the IP
> address, and it responds with the geolocation info. This service must admit
> a very high rate of queries, and it is doing it successfully now. This URL
> doesn't create sessions in order to save resources, and because sessions
> are not required after all. Each call is treated individually, no need to
> link them in sessions. In other words, this is a RESTful service.
>
> Besides the service URL, I have a website in the form
> http://www.acme.com ("www." instead of "services."). This website has a
> demo page where visitors can type an IP address and see the response
> (values, format, and an explanation of that). This website DOES create
> sessions, because it is
> necessary given that the user logs in, uses his account, manages his
> license codes, etc.
>
> The problem is that some people are requesting the demo URL at a very high
> rate, instead of requesting the special service URL that has been designed
> to provide the service returning a response in XML.

Why not just get the demo page to use the REST URL and decommission the old one?


p


> When they request this
> demo page at a very high rate, a ton of sessions are being created and
> Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcat gets
> slower and slower, and dies at the end. In other words, this is something
> similar to a DOS attack (Denial Of Service).
> I need to solve this. I need a way to limit the number of sessions that are
> being created for the same IP, and in the same host under Tomcat, so if
> these people start doing this, the app will stop them.
> It is very important to be able to apply a solution just to the "www" website,
> not to the other "services." subdomain, so the solution must not be global
> to the Tomcat engine.
>
> What would you recommend as a strategy?
> Is there some kind of valve that I can use in the server.xml file to solve
> this?
> Should I create a filter that does this? Is a filter the best place to
> implement a solution?
> Is there a way to inspect the API and get the list of current sessions? Or
> do I need to build my own list at the application scope, most likely using
> the events when a session is created or destroyed to update this list?
> Is there a solution already built? Or do I have to program one from scratch?
>
> Note: I want to solve it at the host or context level. Not at the Tomcat
> engine level, or at the Linux level (IPTables/firewall), or adding Apache
> HTTPD server before Tomcat.
>
> Thanks in advance!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Brian Braun <br...@gmail.com>.
Hi Constantine,

I barely have about 10-20 sessions existing at the same time, considering
already abandoned sessions and even sessions created because of crawlers.
So it won't be slow to use the getCount() method, at least not for now.
Thanks for your comment!



On Mon, Oct 1, 2012 at 5:42 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:

> 2012/10/1 Brian Braun <br...@gmail.com>:
> > Hi Constantine,
> >
> > 1- I had almost decided to program a filter. However, I have found this
> > solution:
> >
> http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
> > What do you think about it? I haven't tried it yet, but as far as I can
> tell
> > it looks good. It would help me to know how many sessions exist for a
> > certain IP. Knowing that, I could deny more sessions for that IP (even
> > though the procedure to deny is not included in this code).
> >
>
> Yes, something like that.
>
> I note though that I'd expect that getCount() method implementation to be
> slow.
>
> Whether you notice the slowness or not depends on the actual count
> of sessions on your server.
>
> >
> > 3- Thanks a lot for reminding me about the manager tag. I had almost
> forgotten
> > about it. However, the attribute "maxActiveSessions" limits the total of
> > sessions among all the visitors, not specifically the total of sessions
> FOR
> > A CERTAIN IP, or does it?
> >
>
> Yes, the total count of active sessions. I think it would be better
> than to allow Tomcat to crash. Though it might disrupt service for the
> legitimate demo clients.
>
> Best regards,
> Konstantin Kolinko
>

Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/10/1 Brian Braun <br...@gmail.com>:
> Hi Constantine,
>
> 1- I had almost decided to program a filter. However, I have found this
> solution:
> http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
> What do you think about it? I haven't tried it yet, but as far as I can tell
> it looks good. It would help me to know how many sessions exist for a
> certain IP. Knowing that, I could deny more sessions for that IP (even
> though the procedure to deny is not included in this code).
>

Yes, something like that.

I note though that I'd expect that getCount() method implementation to be slow.

Whether you notice the slowness or not depends on the actual count
of sessions on your server.

>
> 3- Thanks a lot for reminding me about the manager tag. I had almost forgotten
> about it. However, the attribute "maxActiveSessions" limits the total of
> sessions among all the visitors, not specifically the total of sessions FOR
> A CERTAIN IP, or does it?
>

Yes, the total count of active sessions. I think it would be better
than to allow Tomcat to crash. Though it might disrupt service for the
legitimate demo clients.

Best regards,
Konstantin Kolinko



Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jose,

On 10/11/12 3:36 PM, Jose María Zaragoza wrote:
> I'd like to implement something for controlling flooding on the
> same URL.
> 
> I've thought to make it using a valve filter (based on
> RemoteAddressFilter) and check the remote IP address. Is it the best
> way?

I don't know if that's the best way because I don't have your full
requirement set.

> Is the remote IP address reliable? It'll be a public Tomcat 6 server

Remote IP address is not reliable IMO.

> I could add a CAPTCHA but I don't have much time

Use recaptcha: they have an API for it and everything. Just plug it in.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB4JzAACgkQ9CaO5/Lv0PBUCACfXMZ9OKPCTfSyiVSh9jFrVv5p
IoQAoIdzfUmy/gKz9JALUcISV9b0KmaN
=hs0m
-----END PGP SIGNATURE-----



Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Jose María Zaragoza <de...@gmail.com>.
I'd like to implement something for controlling flooding on the same URL.

I've thought to make it using a valve filter (based on
RemoteAddressFilter) and check the remote IP address.
Is it the best way?
Is the remote IP address reliable? It'll be a public Tomcat 6 server

I could add a CAPTCHA but I don't have much time

Thanks and regards



Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian,

On 10/3/12 9:13 PM, Brian Braun wrote:
> You are right, there is a hole there. However, it won't be a
> problem for me. Basically, I want to detect if the same IP creates
> so many sessions that at the same time 200 sessions exist and
> belong to it (the sessions live about 30 min each). My site doesn't
> have much traffic, usually there are between 10 and 20 sessions and
> many of them belong to crawlers. So if at a certain point there are 200
> concurrent sessions belonging to the same IP, most likely they
> actually belong to the same host and not to many hosts behind a
> proxy.

You might want to detect crawlers and either change their session
timeout or avoid creating sessions at all for them.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBtxOkACgkQ9CaO5/Lv0PCv8gCgiDqYlQSdkwgmvC8deBBpAaH3
mG8An1DMTx47dwGPXvvyP5gR3SHE1EDG
=27TW
-----END PGP SIGNATURE-----



Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Brian Braun <br...@gmail.com>.
Hi André,

You are right, there is a hole there. However, it won't be a problem for
me. Basically, I want to detect if the same IP creates so many sessions
that at the same time 200 sessions exist and belong to it (the sessions
live about 30 min each). My site doesn't have much traffic, usually there
are between 10 and 20 sessions and many of them belong to crawlers. So if
at a certain point there are 200 concurrent sessions belonging to the same IP,
most likely they actually belong to the same host and not to many hosts
behind a proxy.
Thanks for the comment!

On Mon, Oct 1, 2012 at 3:45 AM, André Warnier <aw...@ice-sa.com> wrote:

> Brian Braun wrote:
>
>> Hi Constantine,
>>
>> 1- I had almost decided to program a filter. However, I have found this
>> solution:
>> http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
>> What do you think about it? I haven't tried it yet, but as far as I can
>> tell
>> it looks good. It would help me to know how many sessions exist for a
>> certain IP. Knowing that, I could deny more sessions for that IP (even
>> though the procedure to deny is not included in this code).
>>
> Just want to point out a possible hole in the logic.
> If there are a number of potential (legitimate and illegitimate) clients
> located within the same corporate LAN, and these clients all access the
> Internet through say a corporate proxy, all these requests will look to your
> server as originating from the same IP address.
> So you could be denying more than you wish.
>
> However, their origin /port/ should be different, so you might want to
> include that in your filter, in addition to the IP address.
>
>

Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by André Warnier <aw...@ice-sa.com>.
Brian Braun wrote:
> Hi Constantine,
> 
> 1- I had almost decided to program a filter. However, I have found this
> solution:
> http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
> What do you think about it? I haven't tried it yet, but as far as I can tell
> it looks good. It would help me to know how many sessions exist for a
> certain IP. Knowing that, I could deny more sessions for that IP (even
> though the procedure to deny is not included in this code).
> 
Just want to point out a possible hole in the logic.
If there are a number of potential (legitimate and illegitimate) clients located within 
the same corporate LAN, and these clients all access the Internet through say a corporate 
proxy, all these requests will look to your server as originating from the same IP address.
So you could be denying more than you wish.

However, their origin /port/ should be different, so you might want to include that in 
your filter, in addition to the IP address.



Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian,

On 10/1/12 1:08 AM, Brian Braun wrote:
> 1- I had almost decided to program a filter. However, I have found
> this solution: 
> http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
> What do you think about it? I haven't tried it yet, but as far as I can tell
> it looks good. It would help me to know how many sessions exist for
> a certain IP. Knowing that, I could deny more sessions for that IP
> (even though the procedure to deny is not included in this code).

Just remember that some ISPs (AOL comes to mind... not sure if they
still do this) aggregate all users behind a small number of IP
addresses for a variety of reasons. That means that IP != unique identity.

You might want to build a whitelist into your filter so you can fix IP
addresses as you get problem reports.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBpq6YACgkQ9CaO5/Lv0PCnqwCfefRscbv/8RzzqChoJRbJSU3M
CdMAn3mvE9tWIr8QhqXee8Dqyf/l+twV
=Xfe5
-----END PGP SIGNATURE-----

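Pulling together the filter approach Brian asks about in the original post, Chris's whitelist suggestion just above and his earlier note about crawler sessions, here is an added example. It is my code, not something posted in this thread or shipped with Tomcat, and it assumes Servlet 3.0 annotations (Tomcat 7), a cap of 200 sessions per IP (Brian's figure), a constructed whitelist entry 203.0.113.10 and a rough User-Agent pattern for crawlers:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/**
 * Caps the number of live sessions per client IP for the web application it is
 * deployed in (the "www" context); the "services" context is untouched.
 * The class is registered both as a Filter (accounting, where the client IP is
 * known) and as an HttpSessionListener (returning the slot when the session
 * times out or is invalidated). Tomcat creates one instance per role, so the
 * shared state is static. Use equivalent web.xml entries if annotation
 * scanning is disabled.
 */
@WebFilter("/*")
@WebListener
public class SessionPerIpFilter implements Filter, HttpSessionListener {

    /** Session attribute recording which IP the session was charged to. */
    private static final String OWNER_ATTR = SessionPerIpFilter.class.getName() + ".ip";
    /** Hypothetical cap; 200 is the threshold Brian mentions in the thread. */
    private static final int MAX_SESSIONS_PER_IP = 200;
    /** Crawler sessions are expired much sooner than the usual 30 minutes. */
    private static final int CRAWLER_TIMEOUT_SECONDS = 60;
    /** Constructed whitelist entry, e.g. a corporate proxy reported as a false positive. */
    private static final Set<String> WHITELIST = new HashSet<String>(Arrays.asList("203.0.113.10"));
    /** Rough crawler heuristic on User-Agent; tune it against your access logs. */
    private static final Pattern CRAWLER_UA = Pattern.compile("(?i)bot|crawler|spider|slurp");
    /** ip -> live sessions charged to it. A synchronized HashMap is fine at tens of sessions. */
    private static final Map<String, Integer> LIVE = new HashMap<String, Integer>();

    /** Reserve one session slot for ip; false when the cap is already reached. */
    static synchronized boolean reserve(String ip) {
        Integer n = LIVE.get(ip);
        int current = (n == null) ? 0 : n;
        if (current >= MAX_SESSIONS_PER_IP) return false;
        LIVE.put(ip, current + 1);
        return true;
    }

    /** Give a slot back; drop the entry at zero so the map is bounded by IPs with live sessions. */
    static synchronized void release(String ip) {
        Integer n = LIVE.get(ip);
        if (n == null) return;
        if (n <= 1) LIVE.remove(ip); else LIVE.put(ip, n - 1);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String ip = req.getRemoteAddr();

        // Requests that already carry a valid session, and whitelisted clients, are not counted.
        if (req.getSession(false) != null || WHITELIST.contains(ip)) {
            chain.doFilter(request, response);
            return;
        }
        // Reserve before running the page so a burst of parallel requests cannot overshoot the cap.
        if (!reserve(ip)) {
            resp.sendError(429, "Too many concurrent sessions from this address"); // 429 Too Many Requests
            return;
        }
        try {
            chain.doFilter(request, response);
        } finally {
            HttpSession created = req.getSession(false);
            if (created == null) {
                release(ip); // the page did not create a session after all: free the slot now
            } else {
                created.setAttribute(OWNER_ATTR, ip); // charged until sessionDestroyed releases it
                String ua = req.getHeader("User-Agent");
                if (ua != null && CRAWLER_UA.matcher(ua).find()) {
                    created.setMaxInactiveInterval(CRAWLER_TIMEOUT_SECONDS);
                }
            }
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        Object ip = se.getSession().getAttribute(OWNER_ATTR); // attributes are still readable here
        if (ip != null) release((String) ip);
    }

    @Override public void sessionCreated(HttpSessionEvent se) { } // accounting is done in doFilter, where the IP is known
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Two design notes. The slot is reserved before the page runs and returned in the finally block if no session was created, so concurrent first requests from one address cannot race past the cap; rejected requests get 429, which has no constant in the Servlet 3.0 HttpServletResponse, hence the literal. getRemoteAddr() is whatever address Tomcat's connector sees: if a reverse proxy is ever placed in front, Tomcat's RemoteIpValve or RemoteIpFilter is needed for it to reflect the client rather than the proxy, and André's point about many clients behind one corporate proxy is exactly what the whitelist is for.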


Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Brian Braun <br...@gmail.com>.
Hi Constantine,

1- I had almost decided to program a filter. However, I have found this
solution:
http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
What do you think about it? I haven't tried it yet, but as far as I can tell
it looks good. It would help me to know how many sessions exist for a
certain IP. Knowing that, I could deny more sessions for that IP (even
though the procedure to deny is not included in this code).

2- You don't need to authenticate to access the demo page, so in theory it
should not need a session. However, I'm handling that page in the same way
all the other pages -that require authentication- are being handled. I
mean, all of them create a session if a session doesn't exist yet. Maybe I
could improve that so the demo page would not create a session if it's the
first page that the bot goes to, but what if in the future a bot goes to
any other page at a high rate? The site would crash anyway. So I prefer to
find a solution against too many sessions per IP, regardless of which pages
have been visited.

3- Thanks a lot for reminding me about the manager tag. I had almost forgotten
about it. However, the attribute "maxActiveSessions" limits the total of
sessions among all the visitors, not specifically the total of sessions FOR
A CERTAIN IP, or does it?

Thanks!



On Sun, Sep 30, 2012 at 3:24 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:

> 2012/9/30 Brian Braun <br...@gmail.com>:
> > Hi,
> >
> > I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).
> >
> > I'm providing a geolocation service. My users invoke a URL on my server
> > (something like http://services.acme.com/locate?ip=......) providing
> the IP
> > address, and it responds with the geolocation info. This service must
> admit
> > a very high rate of queries, and it is doing it successfully now. This URL
> > doesn't create sessions in order to save resources, and because sessions
> > are not required after all. Each call is treated individually, no need to
> > link them in sessions. In other words, this is a RESTful service.
> >
> > Besides the service URL, I have a website in the form
> > http://www.acme.com ("www." instead of "services."). This website has a
> > demo page where visitors can type an IP address and see the response
> > (values, format, and an explanation of that). This website DOES create
> > sessions, because it is
> > necessary given that the user logs in, uses his account, manages his
> > license codes, etc.
> >
> > The problem is that some people are requesting the demo URL at a very
> high
> > rate, instead of requesting the special service URL that has been
> designed
> > to provide the service returning a response in XML. When they request
> this
> > demo page at a very high rate, a ton of sessions are being created and
> > Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcat
> gets
> > slower and slower, and dies at the end. In other words, this is something
> > similar to a DOS attack (Denial Of Service).
> > I need to solve this. I need a way to limit the number of sessions that
> are
> > being created for the same IP, and in the same host under Tomcat, so if
> > these people start doing this, the app will stop them.
> > It is very important to be able to apply a solution just to the "www"
> website,
> > not to the other "services." subdomain, so the solution must not be
> global
> > to the Tomcat engine.
> >
> > What would you recommend as a strategy?
> > Is there some kind of valve that I can use in the server.xml file to
> solve
> > this?
> > Should I create a filter that does this? Is a filter the best place to
> > implement a solution?
> > Is there a way to inspect the API and get the list of current sessions?
> Or
> > do I need to build my own list at the application scope, most likely
> using
> > the events when a session is created or destroyed to update this list?
> > Is there a solution already built? Or do I have to program one from
> scratch?
> >
> > Note: I want to solve it at the host or context level. Not at the Tomcat
> > engine level, or at the Linux level (IPTables/firewall), or adding Apache
> > HTTPD server before Tomcat.
> >
>
> 1. You can write a Filter.
>
> 2. Are requests to your demo page authenticated? If yes, maybe
> you can track abuse from there (and ban abusers). If not, do you need
> a session for those pages?
>
> 3. <Manager maxActiveSessions="..." />
> https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
>
> Best regards,
> Konstantin Kolinko
>

Re: How to limit the number of sessions per IP address (DOS attacks)

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/9/30 Brian Braun <br...@gmail.com>:
> Hi,
>
> I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).
>
> I'm providing a geolocation service. My users invoke a URL on my server
> (something like http://services.acme.com/locate?ip=......) providing the IP
> address, and it responds with the geolocation info. This service must admit
> a very high rate of queries, and it is doing it successfully now. This URL
> doesn't create sessions in order to save resources, and because sessions
> are not required after all. Each call is treated individually, no need to
> link them in sessions. In other words, this is a RESTful service.
>
> Besides the service URL, I have a website in the form
> http://www.acme.com ("www." instead of "services."). This website has a
> demo page where visitors can type an IP address and see the response
> (values, format, and an explanation of that). This website DOES create
> sessions, because it is
> necessary given that the user logs in, uses his account, manages his
> license codes, etc.
>
> The problem is that some people are requesting the demo URL at a very high
> rate, instead of requesting the special service URL that has been designed
> to provide the service returning a response in XML. When they request this
> demo page at a very high rate, a ton of sessions are being created and
> Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcat gets
> slower and slower, and dies at the end. In other words, this is something
> similar to a DOS attack (Denial Of Service).
> I need to solve this. I need a way to limit the number of sessions that are
> being created for the same IP, and in the same host under Tomcat, so if
> these people start doing this, the app will stop them.
> It is very important to be able to apply a solution just to the "www" website,
> not to the other "services." subdomain, so the solution must not be global
> to the Tomcat engine.
>
> What would you recommend as a strategy?
> Is there some kind of valve that I can use in the server.xml file to solve
> this?
> Should I create a filter that does this? Is a filter the best place to
> implement a solution?
> Is there a way to inspect the API and get the list of current sessions? Or
> do I need to build my own list at the application scope, most likely using
> the events when a session is created or destroyed to update this list?
> Is there a solution already built? Or do I have to program one from scratch?
>
> Note: I want to solve it at the host or context level. Not at the Tomcat
> engine level, or at the Linux level (IPTables/firewall), or adding Apache
> HTTPD server before Tomcat.
>

1. You can write a Filter.

2. Are requests to your demo page authenticated? If yes, maybe
you can track abuse from there (and ban abusers). If not, do you need
a session for those pages?

3. <Manager maxActiveSessions="..." />
https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html

Best regards,
Konstantin Kolinko

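Konstantin's third option, scoped to one web application as Brian requires, as an added fragment (mine, not from the thread or the Tomcat documentation). Placed in the www webapp's own META-INF/context.xml, the Manager element applies only to that context, while the services context keeps Tomcat's default of -1, i.e. no limit. The ceiling is a constructed value:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the "www" webapp only; the "services" context is unaffected.
     maxActiveSessions is a constructed ceiling; Tomcat's default of -1 means unlimited.
     Once it is reached Tomcat refuses to create further sessions for this context, so the
     offending request fails instead of the JVM running out of memory. As Konstantin notes,
     legitimate demo visitors are turned away too while the count stays at the ceiling. -->
<Context>
  <Manager maxActiveSessions="500" />
</Context>
```

This is a global ceiling for the context rather than a per-IP one, so it is a backstop against the crash rather than a replacement for per-address accounting.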