tomcat-users mailing list archives

From Brian Braun <brianbr...@gmail.com>
Subject How to limit the number of sessions per IP address (DOS attacks)
Date Sun, 30 Sep 2012 05:44:10 GMT
Hi,

I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).

I'm providing a geolocation service. My users invoke a URL on my server
(something like http://services.acme.com/locate?ip=......) providing the IP
address, and it responds with the geolocation info. This service must admit
a very high rate of queries, and it is doing so successfully now. This URL
doesn't create sessions, in order to save resources and because sessions
are not required after all. Each call is treated individually; there is no need to
link them in sessions. In other words, this is a RESTful service.

Besides the service URL, I have a website in the form
http://www.acme.com ("www." instead of "services."). This website has a
demo page where visitors can type an IP address and see the response
(values, format, and an explanation of them). This website DOES create
sessions, because it is necessary given that the user logs in, uses his
account, manages his license codes, etc.

The problem is that some people are requesting the demo URL at a very high
rate, instead of requesting the special service URL that has been designed
to provide the service, returning a response in XML. When they request this
demo page at a very high rate, a ton of sessions are being created and
Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcat gets
slower and slower, and dies in the end. In other words, this is something
similar to a DoS attack (Denial of Service).

I need to solve this. I need a way to limit the number of sessions that are
being created for the same IP, and in the same host under Tomcat, so if
these people start doing this, the app will stop them.

It is very important to be able to apply a solution just to the "www" website,
not to the other "services." subdomain, so the solution must not be global
to the Tomcat engine.

What would you recommend as a strategy?
Is there some kind of valve that I can use in the server.xml file to solve
this?
Should I create a filter that does this? Is a filter the best place to
implement a solution?
Is there a way to inspect the API and get the list of current sessions? Or
do I need to build my own list at the application scope, most likely using
the events when a session is created or destroyed to update this list?
Is there a solution already built? Or do I have to program one from scratch?

Note: I want to solve it at the host or context level. Not at the Tomcat
engine level, nor at the Linux level (iptables/firewall), nor by adding the Apache
HTTPD server in front of Tomcat.

Thanks in advance!

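One way to build the filter-plus-listener approach the question floats, as an added example that is not part of the original message and not code shipped by Tomcat: a servlet Filter reserves a per-address slot before the request runs, charges a newly created session to that address via a session attribute, and an HttpSessionListener gives the slot back when the session expires or is invalidated. Because filters and listeners belong to the web application that declares them, dropping this into the "www" webapp leaves the "services" context untouched, which is the per-context scoping the question asks for. The package name, the init-param name `maxSessionsPerIp`, the default cap of 20 and the use of HTTP status 429 for rejected requests are all choices made for this example; registration uses Servlet 3.0 annotations, which Tomcat 7 honours as long as `metadata-complete="true"` is not set in web.xml (the same two classes can equally be declared there as `<filter>`/`<filter-mapping>` and `<listener>` entries).

```java
package com.example.acme.web; // hypothetical package, chosen for this example

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Caps the number of live sessions one client address may hold in THIS
 * web application. Deploy it only in the "www" context; the "services"
 * context never sees it.
 */
@WebFilter(urlPatterns = "/*")
public class SessionPerIpLimiter implements Filter {

    /** Session attribute recording which address a session was charged to. */
    static final String IP_ATTR = SessionPerIpLimiter.class.getName() + ".ip";

    /** Default cap; override with the (hypothetical) init-param "maxSessionsPerIp". */
    private static final int DEFAULT_MAX = 20;
    private volatile int max = DEFAULT_MAX;

    // Live-session count per remote address. A synchronized HashMap is used
    // instead of lock-free counters: the critical section is a few
    // instructions, and it makes "drop the entry at zero" race-free.
    private static final Map<String, Integer> COUNTS = new HashMap<String, Integer>();

    /** Reserve one slot for ip; false if the cap is already reached. */
    static boolean tryAcquire(String ip, int max) {
        synchronized (COUNTS) {
            Integer n = COUNTS.get(ip);
            int current = (n == null) ? 0 : n;
            if (current >= max) return false;
            COUNTS.put(ip, current + 1);
            return true;
        }
    }

    /** Give a slot back; the entry disappears once the address holds no sessions. */
    static void release(String ip) {
        synchronized (COUNTS) {
            Integer n = COUNTS.get(ip);
            if (n == null) return;
            if (n <= 1) COUNTS.remove(ip); else COUNTS.put(ip, n - 1);
        }
    }

    @Override
    public void init(FilterConfig cfg) {
        String v = cfg.getInitParameter("maxSessionsPerIp");
        if (v != null) max = Integer.parseInt(v.trim());
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // A request that already carries a valid session costs nothing new.
        if (req.getSession(false) != null) {
            chain.doFilter(request, response);
            return;
        }

        // Behind a reverse proxy this is the proxy's address; put Tomcat's
        // RemoteIpValve in front so the real client address is reported here.
        String ip = req.getRemoteAddr();

        // Reserve BEFORE running the request so two concurrent requests from
        // one address cannot both slip under the cap.
        if (!tryAcquire(ip, max)) {
            resp.sendError(429, "Too many concurrent sessions from this address");
            return;
        }

        boolean charged = false;
        try {
            chain.doFilter(request, response);
        } finally {
            HttpSession created = req.getSession(false);
            if (created != null && created.getAttribute(IP_ATTR) == null) {
                // A session was created downstream: tie it to the slot; the
                // listener below releases the slot when that session dies.
                created.setAttribute(IP_ATTR, ip);
                charged = true;
            }
            if (!charged) release(ip); // no session created, or already invalidated
        }
    }

    @Override
    public void destroy() { }

    /** Releases the slot when a charged session expires or is invalidated. */
    @WebListener
    public static class Cleanup implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent e) { }

        @Override
        public void sessionDestroyed(HttpSessionEvent e) {
            Object ip = e.getSession().getAttribute(IP_ATTR);
            if (ip != null) release((String) ip);
        }
    }
}
```

Two caveats worth checking before relying on this. First, an attacker with many source addresses is not slowed by a per-IP cap, so pair it with Tomcat's own per-context ceiling, `maxActiveSessions` on the `<Manager>` element in the webapp's context.xml, which refuses to create further sessions once the context holds that many and so bounds the memory the demo page can consume regardless of who is asking. Second, sessions that existed before the filter was deployed, or that were created by a path outside its URL mapping, carry no `IP_ATTR` and are simply not counted; that is deliberate, since the listener would otherwise have nothing to release for them.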