Posted to users@tomcat.apache.org by Harsimranjit singh Kler <si...@gmail.com> on 2013/07/12 09:17:07 UTC

HTTP connection timeout

Using Tomcat 6. I am always confused by

connectionTimeout

The number of milliseconds this *Connector* will wait, after accepting a
connection, for the request URI line to be presented. The default value is
60000 (i.e. 60 seconds).

Helpful if anyone can explain?

Is there any connector parameter where I can set a request timeout? Rather
than an application-level timeout, I want Tomcat to time out after a certain
period if a request is taking a long time.

Re: HTTP connection timeout

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> André,
> 
> On 7/12/13 4:16 AM, André Warnier wrote:
>> Harsimranjit singh Kler wrote:
>>> Using Tomcat 6. I am always confused by
>>>
>>> connectionTimeout
>>>
>>> The number of milliseconds this *Connector* will wait, after
>>> accepting a connection, for the request URI line to be presented.
>>> The default value is 60000 (i.e. 60 seconds).
>>>
>>> Helpful if anyone can explain?
>>>
>>> Is there any connector parameter where I can set a request
>>> timeout? Rather than an application-level timeout, I want Tomcat
>>> to time out after a certain period if a request is taking a long time.
>>>
>> The Connectors are "shared" by all Hosts and all applications. So
>> the connectionTimeout is already global for all requests that come
>> in on the corresponding Connector port.
>>
>> This parameter is there specifically to fight one type of 
>> Denial-Of-Service attack, whereby some malicious client(s) create a
>> TCP connection to the server (which has the effect of reserving
>> some resources on the server for handling this connection), and
>> then just sit there without sending any HTTP request on that
>> connection. By making this delay shorter, you shorten the time
>> during which the server resources are allocated, to serve a request
>> that will never come. This has to be balanced against legitimate
>> clients which may be slow in sending the request line.  But 60
>> seconds is a really long time to wait for such legitimate client
>> requests nowadays. You can probably lower that to 5000 (= 5 s.)
>> without any ill effect on the legitimate clients.
> 
> FWIW, it's trivial to change a TCP-connect attack to a Slowloris
> attack[1], which Tomcat cannot really mitigate very well.
> 
> [1] http://en.wikipedia.org/wiki/Slowloris
> 
>> Note that as soon as the HTTP request line has been received, this 
>> timeout plays no role anymore. So it is not usable to limit the
>> time that an application requires to process and respond to the
>> request.  As far as I know, there is no standard parameter
>> available in Tomcat to do that.  Which is also rather
>> understandable, because Tomcat has no idea what kind of delay makes
>> sense for any particular application with any particular request
>> parameters.  Only you would know that, on a call-by-call basis.
> 
> Try looking at "socket.soTimeout" if using the NIO implementation.
> There doesn't seem to be a reason why the blocking-connector couldn't
> also specify the read timeout, but I don't see an option for that
> connector.
> 
As per the cited Wikipedia article (thanks Chris), it looks like this may be a legitimate 
case for using an httpd front-end with the mod_reqtimeout module added in.
https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
(against Slowloris, I mean).
I can also imagine that when using mod_jk as the Apache-Tomcat connector, there may be 
some mod_jk parameter which allows limiting the time that the back-end Tomcat can use to 
respond. I haven't checked this with the mod_jk docs though (but they are here: 
http://tomcat.apache.org/connectors-doc/reference/workers.html).
I still think that this is something better controlled at application level though, maybe 
in a servlet filter? (Messy though: start/stop a timer etc.)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
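
The "start/stop a timer" servlet filter mentioned in the reply above, written out as an added example (not code from the thread or from Tomcat): it interrupts the request thread once a deadline passes. The class name `RequestDeadlineFilter`, the `maxMillis` init-param and the 30 s default are assumptions; the filter is mapped in `web.xml` like any other.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.servlet.*;

// Hypothetical filter: the class name and the "maxMillis" init-param are
// assumptions made for this example, not Tomcat settings.
public class RequestDeadlineFilter implements Filter {
    private ScheduledExecutorService watchdog;
    private ServletContext ctx;
    private long maxMillis;

    // One Watch per request. The lock closes the race between the timer firing
    // and the request finishing, so no interrupt leaks into the next request.
    private static final class Watch implements Runnable {
        private final Thread worker = Thread.currentThread();
        private boolean done, fired;
        public synchronized void run() { if (!done) { fired = true; worker.interrupt(); } }
        synchronized boolean finish() {   // called on the request thread
            done = true;
            Thread.interrupted();         // clear the flag before the thread is reused
            return fired;
        }
    }

    public void init(FilterConfig cfg) {
        String v = cfg.getInitParameter("maxMillis");
        maxMillis = (v != null) ? Long.parseLong(v) : 30000L;
        ctx = cfg.getServletContext();
        watchdog = Executors.newSingleThreadScheduledExecutor();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Watch watch = new Watch();        // start the timer
        ScheduledFuture<?> timer = watchdog.schedule(watch, maxMillis, TimeUnit.MILLISECONDS);
        try {
            chain.doFilter(req, res);
        } finally {
            timer.cancel(false);          // stop the timer
            if (watch.finish()) ctx.log("request interrupted after " + maxMillis + " ms");
        }
    }

    public void destroy() { watchdog.shutdownNow(); }
}
```

The interrupt only ends work that blocks in interruptible calls (`sleep`, `wait`, NIO channels); classic `java.io` socket reads and CPU-bound loops ignore it, so JDBC and HTTP-client timeouts are still needed. It also does nothing against Slowloris, which stalls the connection before any filter runs.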


Re: HTTP connection timeout

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 7/12/13 4:16 AM, André Warnier wrote:
> Harsimranjit singh Kler wrote:
>> Using Tomcat 6. I am always confused by
>> 
>> connectionTimeout
>> 
>> The number of milliseconds this *Connector* will wait, after
>> accepting a connection, for the request URI line to be presented.
>> The default value is 60000 (i.e. 60 seconds).
>> 
>> Helpful if anyone can explain?
>> 
>> Is there any connector parameter where I can set a request
>> timeout? Rather than an application-level timeout, I want Tomcat
>> to time out after a certain period if a request is taking a long time.
>> 
> 
> The Connectors are "shared" by all Hosts and all applications. So
> the connectionTimeout is already global for all requests that come
> in on the corresponding Connector port.
> 
> This parameter is there specifically to fight one type of 
> Denial-Of-Service attack, whereby some malicious client(s) create a
> TCP connection to the server (which has the effect of reserving
> some resources on the server for handling this connection), and
> then just sit there without sending any HTTP request on that
> connection. By making this delay shorter, you shorten the time
> during which the server resources are allocated, to serve a request
> that will never come. This has to be balanced against legitimate
> clients which may be slow in sending the request line.  But 60
> seconds is a really long time to wait for such legitimate client
> requests nowadays. You can probably lower that to 5000 (= 5 s.)
> without any ill effect on the legitimate clients.

FWIW, it's trivial to change a TCP-connect attack to a Slowloris
attack[1], which Tomcat cannot really mitigate very well.

[1] http://en.wikipedia.org/wiki/Slowloris

> Note that as soon as the HTTP request line has been received, this 
> timeout plays no role anymore. So it is not usable to limit the
> time that an application requires to process and respond to the
> request.  As far as I know, there is no standard parameter
> available in Tomcat to do that.  Which is also rather
> understandable, because Tomcat has no idea what kind of delay makes
> sense for any particular application with any particular request
> parameters.  Only you would know that, on a call-by-call basis.

Try looking at "socket.soTimeout" if using the NIO implementation.
There doesn't seem to be a reason why the blocking-connector couldn't
also specify the read timeout, but I don't see an option for that
connector.

-chris

Re: HTTP connection timeout

Posted by Harsimranjit singh Kler <si...@gmail.com>.
> The Connectors are "shared" by all Hosts and all applications.
> So the connectionTimeout is already global for all requests that come in
> on the corresponding Connector port.
>
> This parameter is there specifically to fight one type of
> Denial-Of-Service attack, whereby some malicious client(s) create a TCP
> connection to the server (which has the effect of reserving some resources
> on the server for handling this connection), and then just sit there
> without sending any HTTP request on that connection.
> By making this delay shorter, you shorten the time during which the server
> resources are allocated, to serve a request that will never come.
> This has to be balanced against legitimate clients which may be slow in
> sending the request line.  But 60 seconds is a really long time to wait for
> such legitimate client requests nowadays. You can probably lower that to
> 5000 (= 5 s.) without any ill effect on the legitimate clients.
>
> Note that as soon as the HTTP request line has been received, this timeout
> plays no role anymore. So it is not usable to limit the time that an
> application requires to process and respond to the request.  As far as I
> know, there is no standard parameter available in Tomcat to do that.  Which
> is also rather understandable, because Tomcat has no idea what kind of
> delay makes sense for any particular application with any particular
> request parameters.  Only you would know that, on a call-by-call basis.
>
> Final note: if a browser makes a request to an HTTP server, and does not
> get any response for about 5 minutes, the browser will time out and show an
> error message like "the server is not responding" etc.
>
>
>
>
Thanks. Makes sense.

Re: HTTP connection timeout

Posted by André Warnier <aw...@ice-sa.com>.
Harsimranjit singh Kler wrote:
> Using Tomcat 6. I am always confused by
> 
> connectionTimeout
> 
> The number of milliseconds this *Connector* will wait, after accepting a
> connection, for the request URI line to be presented. The default value is
> 60000 (i.e. 60 seconds).
> 
> Helpful if anyone can explain?
> 
> Is there any connector parameter where I can set a request timeout? Rather
> than an application-level timeout, I want Tomcat to time out after a certain
> period if a request is taking a long time.
> 

The Connectors are "shared" by all Hosts and all applications.
So the connectionTimeout is already global for all requests that come in on the 
corresponding Connector port.

This parameter is there specifically to fight one type of Denial-Of-Service attack, 
whereby some malicious client(s) create a TCP connection to the server (which has the 
effect of reserving some resources on the server for handling this connection), and then 
just sit there without sending any HTTP request on that connection.
By making this delay shorter, you shorten the time during which the server resources are 
allocated, to serve a request that will never come.
This has to be balanced against legitimate clients which may be slow in sending the 
request line.  But 60 seconds is a really long time to wait for such legitimate client 
requests nowadays. You can probably lower that to 5000 (= 5 s.) without any ill effect on 
the legitimate clients.

Note that as soon as the HTTP request line has been received, this timeout plays no role 
anymore. So it is not usable to limit the time that an application requires to process and 
respond to the request.  As far as I know, there is no standard parameter available in 
Tomcat to do that.  Which is also rather understandable, because Tomcat has no idea what 
kind of delay makes sense for any particular application with any particular request 
parameters.  Only you would know that, on a call-by-call basis.

Final note: if a browser makes a request to an HTTP server, and does not get any response 
for about 5 minutes, the browser will time out and show an error message like "the server 
is not responding" etc.



