tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pid *" <>
Subject Re: How to limit the number of sessions per IP address (DOS attacks)
Date Tue, 02 Oct 2012 07:34:18 GMT
On 30 Sep 2012, at 06:44, Brian Braun <> wrote:

> Hi,
> I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).
> I'm providen a geolocation service. My users invoque a URL in my server
> (something like providing the IP
> address, and it responds with the geolocation info. This service must admit
> a very high rate of queries, and it is doing it sucessfully now. This URL
> doesn't create sessions in order to save resources, and because sessions
> are not required after all. Each call is treated individually, no need to
> link them in sessions. In other words, this is a RESTful service.
> Besides the service URL, I have a website in the form
>"www." instead of "services."). This website has a
> demo page where
> visitors can type an IP address and see the response (values, format, and
> an explanation of that). This website DOES create session, because it is
> necessary given that the user logs in, uses his account, manages his
> license codes, etc.
> The problem is that some people are requesting the demo URL at a very high
> rate, instead of requesting the special service URL that has been designed
> to provide the service returning a response in XML.

Why not just get the demo page to use the REST URL and decommission the old one?


> When they request this
> demo page at a very high rate, a ton of sessions are being created and
> Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcats gets
> slower and slower, and dies at the end. In other words, this is something
> similar to a DOS attack (Denial Of Service).
> I need to solve this. I need a way to limit the number of sessions that are
> being created for the same IP, and in the same host under Tomcat, so if
> this people start doing this, the app will stop them.
> It is very import to be able to apply a solution just to the "www" website,
> not to the other "services." subdomain, so the solution must not be global
> to the Tomcat engine.
> What would you recommend as a strategy?
> Is there some kind of valve that I can use in the server.xml file to solve
> this?
> Should I create a filter that does this? Is a filter the best place to
> implement a solution?
> Is there a way to inspect the API and get the list of current sessions? Or
> do I need to build my own list at the application scope, most likely using
> the events when a session is created or destroyed to update this list?
> Is there a solution already built? Or do I have to program one from scratch?
> Note: I want to solve it at the host or context level. Not at the Tomcat
> engine level, or at the Linux level (IPTables/firewall), or adding Apache
> HTTPD server before Tomcat.
> Thanks in advance!

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message