Posted to dev@tomcat.apache.org by Steve Spicer <st...@dev2b.co.uk> on 2004/03/28 19:25:27 UTC

JK2 Connector and denial of service attacks

Hey,

I've been having some serious problems with brute force denial of service 
attacks on httpd with tomcat 4 and jk2.  After sitting down and working out 
the desired point of redirection I found the mod_dos module which 
effectively refuses traffic for these attacks, however after installing 
this module with JK2 tomcat is still activated for some reason on these 
repeat requests - I suspected it was the order in which the modules were 
created but couldn't find a config solution.  So I merged the mod_dos 
module with the JK2 module - the result is an out-of-the-box jk2 module 
that inherits all of the benefits of the anti-DoS module.

If this is considered to be useful (and within the scope) of the JK2 
project please let me know!

Thanks,

Steve Spicer.


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Re: JK2 Connector and denial of service attacks

Posted by Steve Spicer <st...@dev2b.co.uk>.
At 10:36 PM 29/03/2004, you wrote:
>Henri Gomez wrote:
>
>>Steve Spicer wrote:
>>
>>>On standard install it doesn't.  I'm not sure why but it still seems the 
>>>JK connector is connecting to tomcat even though the access checker hook 
>>>is returning a 403.
>>>
>>>Any ideas?
>>
>>I will make some tests on it.
>
>I made some tests and I didn't see such problems.
>
>The first request to http://mymachine/examples/ was
>forwarded to tomcat, but the rest was forbidden (403)
>by mod_dosevasive.
>
>I used test.pl provided in mod_dosevasive.
>
>Same thing with ab (ApacheBench).
>
>So what's your problem ?


Although I get 403 status it still seems to be spawning lots of HTTPD's and 
tomcat takes cpu time, surely if the 403 worked the extra HTTPD would not 
spawn and tomcat would be unaffected?

I'm beginning to think I have some config issues, I'll check them all out 
and get back if there's still an issue.






Re: JK2 Connector and denial of service attacks

Posted by Henri Gomez <hg...@apache.org>.
Henri Gomez wrote:

> Steve Spicer wrote:
> 
>> On standard install it doesn't.  I'm not sure why but it still seems 
>> the JK connector is connecting to tomcat even though the access 
>> checker hook is returning a 403.
>>
>> Any ideas?
> 
> 
> I will make some tests on it.

I made some tests and I didn't see such problems.

The first request to http://mymachine/examples/ was
forwarded to tomcat, but the rest was forbidden (403)
by mod_dosevasive.

I used test.pl provided in mod_dosevasive.

Same thing with ab (ApacheBench).

So what's your problem ?



Re: JK2 Connector and denial of service attacks

Posted by Henri Gomez <hg...@apache.org>.
Steve Spicer wrote:

> On standard install it doesn't.  I'm not sure why but it still seems the 
> JK connector is connecting to tomcat even though the access checker hook 
> is returning a 403.
> 
> Any ideas?

I will make some tests on it.





Re: JK2 Connector and denial of service attacks

Posted by Steve Spicer <st...@dev2b.co.uk>.
On standard install it doesn't.  I'm not sure why but it still seems the JK 
connector is connecting to tomcat even though the access checker hook is 
returning a 403.

Any ideas?

At 09:51 PM 29/03/2004, you wrote:
>Steve Spicer wrote:
>>I agree to your point that DoS protection is out of the scope of the 
>>connector, I figured though that it would automatically protect tomcat 
>>against such attacks in the common httpd / tomcat / jk2 configuration, 
>>I'm not sure if I was a klutz in missing this need for protection, if so 
>>then this point is probably irrelevant, but if I'm not then I think it's a 
>>very important issue.
>>Perhaps it would be better solved with a document included within JK2 
>>detailing the necessity of such protection and how to configure it?
>
>Of course, this document would be helpful if there are
>special settings.
>
>BTW, I wonder if jk2 2.0.4 works or not with mod_dos ?
>
>
>




Re: JK2 Connector and denial of service attacks

Posted by Henri Gomez <hg...@apache.org>.
Steve Spicer wrote:
> I agree to your point that DoS protection is out of the scope of the 
> connector, I figured though that it would automatically protect tomcat 
> against such attacks in the common httpd / tomcat / jk2 configuration, 
> I'm not sure if I was a klutz in missing this need for protection, if so 
> then this point is probably irrelevant, but if I'm not then I think it's a 
> very important issue.
> 
> Perhaps it would be better solved with a document included within JK2 
> detailing the necessity of such protection and how to configure it?

Of course, this document would be helpful if there are
special settings.

BTW, I wonder if jk2 2.0.4 works or not with mod_dos ?





Re: JK2 Connector and denial of service attacks

Posted by Steve Spicer <st...@dev2b.co.uk>.
I agree to your point that DoS protection is out of the scope of the 
connector, I figured though that it would automatically protect tomcat 
against such attacks in the common httpd / tomcat / jk2 configuration, I'm 
not sure if I was a klutz in missing this need for protection, if so then 
this point is probably irrelevant, but if I'm not then I think it's a very 
important issue.

Perhaps it would be better solved with a document included within JK2 
detailing the necessity of such protection and how to configure it?

At 05:17 PM 29/03/2004, you wrote:
>Steve Spicer wrote:
>>Hey,
>>I've been having some serious problems with brute force denial of service 
>>attacks on httpd with tomcat 4 and jk2.  After sitting down and working 
>>out the desired point of redirection I found the mod_dos module which 
>>effectively refuses traffic for these attacks, however after installing 
>>this module with JK2 tomcat is still activated for some reason on these 
>>repeat requests - I suspected it was the order in which the modules were 
>>created but couldn't find a config solution.  So I merged the mod_dos 
>>module with the JK2 module - the result is an out-of-the-box jk2 module 
>>that inherits all of the benefits of the anti-DoS module.
>>If this is considered to be useful (and within the scope) of the JK2 
>>project please let me know!
>
> From what I see in mod_dosevasive 1.8, this module only uses the
>access_checker hook:
>
>ap_hook_access_checker(access_checker, NULL, NULL, APR_HOOK_MIDDLE);
>
>Well I'm not sure we should implement mod_dosevasive in jk or jk2,
>since it's not their 'core' business to handle protection about DOS.
>
>But we should guarantee that mod_dosevasive and jk/jk2 will work
>together.
>
>There is no real order in such case, since we're not using the same
>hooks.
>
>Gleen and Mladen what's your opinions ?
>
>
>




Re: JK2 Connector and denial of service attacks

Posted by Henri Gomez <hg...@apache.org>.
Steve Spicer wrote:
> Hey,
> 
> I've been having some serious problems with brute force denial of 
> service attacks on httpd with tomcat 4 and jk2.  After sitting down and 
> working out the desired point of redirection I found the mod_dos module 
> which effectively refuses traffic for these attacks, however after 
> installing this module with JK2 tomcat is still activated for some 
> reason on these repeat requests - I suspected it was the order in which 
> the modules were created but couldn't find a config solution.  So I 
> merged the mod_dos module with the JK2 module - the result is an 
> out-of-the-box jk2 module that inherits all of the benefits of the 
> anti-DoS module.
> 
> If this is considered to be useful (and within the scope) of the JK2 
> project please let me know!

 From what I see in mod_dosevasive 1.8, this module only uses the
access_checker hook:

ap_hook_access_checker(access_checker, NULL, NULL, APR_HOOK_MIDDLE);

Well I'm not sure we should implement mod_dosevasive in jk or jk2,
since it's not their 'core' business to handle protection about DOS.

But we should guarantee that mod_dosevasive and jk/jk2 will work
together.

There is no real order in such case, since we're not using the same
hooks.

Gleen and Mladen what's your opinions ?
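
Added example, not part of the thread and not code from httpd, jk2 or mod_dosevasive: a simplified C model of the point made above, that a 403 returned in the access_checker phase ends the request before the handler phase where a connector would contact Tomcat. The function names, the hit threshold and the assumption that forwarding happens only in the handler are illustrative, and the real module's time window is left out.

```c
/* Simplified model of httpd 2.x request phases; not httpd, jk2 or mod_dosevasive
 * source. Assumes the connector contacts Tomcat only from its handler phase. */
#include <stdio.h>
#include <string.h>
#define OK 0
#define DECLINED (-1)
#define HTTP_FORBIDDEN 403
#define HIT_LIMIT 1      /* constructed threshold: hits allowed per client */
#define MAX_CLIENTS 8
typedef struct { const char *ip; const char *uri; } request;
static struct { char ip[16]; int hits; } table[MAX_CLIENTS];
static int backend_calls;  /* requests that reached the "Tomcat" stand-in */

/* access_checker phase: per-client hit counter (no time window here) */
static int dos_access_checker(request *r) {
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (table[i].ip[0] == '\0')          /* free slot: claim it */
            snprintf(table[i].ip, sizeof table[i].ip, "%s", r->ip);
        if (strcmp(table[i].ip, r->ip) == 0)
            return ++table[i].hits > HIT_LIMIT ? HTTP_FORBIDDEN : OK;
    }
    return DECLINED;     /* table full: no opinion on this client */
}

/* handler phase: stand-in for the connector forwarding to the backend */
static int connector_handler(request *r) {
    if (strncmp(r->uri, "/examples/", 10) != 0) return DECLINED;
    backend_calls++;
    return OK;
}

/* A status other than OK/DECLINED from access_checker ends the request early. */
static int process_request(request *r) {
    int rv = dos_access_checker(r);
    if (rv != OK && rv != DECLINED) return rv;   /* handler never runs */
    return connector_handler(r) == OK ? 200 : 404;
}

/* Send n identical requests from one client; return how many got 403. */
static int flood(const char *ip, int n) {
    request r = { ip, "/examples/" };
    int refused = 0;
    for (int i = 0; i < n; i++) refused += (process_request(&r) == HTTP_FORBIDDEN);
    return refused;
}

int main(void) {
    int refused = flood("192.0.2.10", 5);    /* constructed client address */
    printf("refused=%d backend_calls=%d\n", refused, backend_calls);
}
```

In this model the phases always run in the same sequence, so which module was loaded first makes no difference to the outcome.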


