tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Connection draining when upload to large
Date Fri, 11 Feb 2011 19:16:22 GMT
Mark,

On 2/11/2011 4:37 AM, Mark Thomas wrote:
> On 10/02/2011 21:32, Christopher Schultz wrote:
>> Rainer,
>>
>> On 2/10/2011 8:04 AM, Rainer Jung wrote:
>>> It seems there's still no server-side prevention against huge uploads
>>> possible. The upload is not put into memory, but the thread is only
>>> freed once the whole request body is read. Shouldn't Tomcat ignore the
>>> rest of data and close the connection in this case?
>>
>> +1
>>
>> I've always wondered why Tomcat drains the input stream instead of just
>> closing it.
>>
>> I could write a client that does a PUT or POST with no Content-Length
>> and just send 1 byte every second or so and tie up a request thread
>> indefinitely. That seems dangerous.
> 
> That is a different issue. You are describing a slowloris attack. The
> simple mitigation for that is to use the NIO connector.

Good point.

-chris


Mime
View raw message