tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: How does Tomcat handle a slow HTTP DoS?
Date Sat, 20 Jun 2009 16:04:20 GMT
Brett wrote:
> It is described here:

For those that aren't aware this is a well know and understood issue
that has been around for quite some time. This is just a re-hash that,
for whatever reason, is getting more attention than it probably warrants.

> Basically the attacker invokes thousands of connections, slowly sending
> header after header until the server has exhausted resources, most
> likely threads. Can tomcat use nio to process the headers then create a
> thead and execute the webapp?

Like httpd and any other web server, how a Tomcat server reacts to this
pattern of requests depends very much on configuration. You are correct
that the NIO connector should handle this more gracefully (note I
haven't tested it) as it uses non-blocking IO to read the request
headers. That said, all that really does move the goal posts.

If you make enough requests then at some point you will hit a resource
limit. With the BIO and APR connectors this is very likely to be
threads. For the NIO connector my guess (again I haven't tested it) is
that the limit would be sockets.

Whilst you could spend a lot of time tuning Tomcat (or any other web
server) to better handle this scenario there are easier ways to achieve
the same goal. Any half-decent firewall will provide connection rate
limiting which would kill this attack stone dead.

That moves the problem to how to handle a Distributed DOS attack rather
than a simple DOS and that is somewhat harder. There are solutions
available but they tend to cost $$$. On the other hand, if you site is
valuable enough to be the target of a determined DDOS then you should be
thinking about investing in some form of DDOS protection.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message