tomcat-users mailing list archives
From Brian Braun <brianbr...@gmail.com>
Subject Re: How to limit the number of sessions per IP address (DOS attacks)
Date Mon, 01 Oct 2012 05:08:03 GMT
Hi Constantine,

1- I had almost decided to program a filter. However, I have found this
solution:
http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
What do you think about it? I haven't tried it yet, but as far as I can tell
it looks good. It would help me to know how many sessions exist for a
certain IP. Knowing that, I could deny more sessions for that IP (even
though the procedure to deny is not included in this code).

2- You don't need to authenticate to access the demo page, so in theory it
should not need a session. However, I'm handling that page in the same way
all the other pages (that require authentication) are being handled. I
mean, all of them create a session if a session doesn't exist yet. Maybe I
could improve that so the demo page would not create a session if it's the
first page that the bot goes to, but what if in the future a bot goes to
any other page at a high rate? The site would crash anyway. So I prefer to
find a solution against too many sessions per IP, regardless of which pages
have been visited.

3- Thanks a lot for reminding me about the manager tag. I had almost forgotten
about it. However, the attribute "maxActiveSessions" limits the total of
sessions among all the visitors, not specifically the total of sessions FOR
A CERTAIN IP, or does it?

Thanks!



On Sun, Sep 30, 2012 at 3:24 AM, Konstantin Kolinko
<knst.kolinko@gmail.com> wrote:

> 2012/9/30 Brian Braun <brianbraun@gmail.com>:
> > Hi,
> >
> > I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).
> >
> > I'm providing a geolocation service. My users invoke a URL in my server
> > (something like http://services.acme.com/locate?ip=......) providing
> > the IP address, and it responds with the geolocation info. This service
> > must admit a very high rate of queries, and it is doing it successfully
> > now. This URL doesn't create sessions in order to save resources, and
> > because sessions are not required after all. Each call is treated
> > individually, no need to link them in sessions. In other words, this is
> > a RESTful service.
> >
> > Besides the service URL, I have a website in the form
> > http://www.acme.com ("www." instead of "services."). This website has a
> > demo page where visitors can type an IP address and see the response
> > (values, format, and an explanation of that). This website DOES create
> > sessions, because it is necessary given that the user logs in, uses his
> > account, manages his license codes, etc.
> >
> > The problem is that some people are requesting the demo URL at a very
> > high rate, instead of requesting the special service URL that has been
> > designed to provide the service returning a response in XML. When they
> > request this demo page at a very high rate, a ton of sessions are being
> > created and Tomcat ultimately collapses. Basically, the RAM is exhausted,
> > Tomcat gets slower and slower, and dies at the end. In other words, this
> > is something similar to a DOS attack (Denial Of Service).
> > I need to solve this. I need a way to limit the number of sessions that
> > are being created for the same IP, and in the same host under Tomcat, so
> > if these people start doing this, the app will stop them.
> > It is very important to be able to apply a solution just to the "www"
> > website, not to the other "services." subdomain, so the solution must
> > not be global to the Tomcat engine.
> >
> > What would you recommend as a strategy?
> > Is there some kind of valve that I can use in the server.xml file to
> > solve this?
> > Should I create a filter that does this? Is a filter the best place to
> > implement a solution?
> > Is there a way to inspect the API and get the list of current sessions?
> > Or do I need to build my own list at the application scope, most likely
> > using the events when a session is created or destroyed to update this
> > list?
> > Is there a solution already built? Or do I have to program one from
> > scratch?
> >
> > Note: I want to solve it at the host or context level. Not at the Tomcat
> > engine level, or at the Linux level (IPTables/firewall), or adding Apache
> > HTTPD server before Tomcat.
> >
>
> 1. You can write a Filter.
>
> 2. Your requests to your demo page are authenticated?  If yes, maybe
> you can track abuse from there (and ban abusers).  If not, do you need
> a session for those pages?
>
> 3. <Manager maxActiveSessions="..." />
> https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
>
> Best regards,
> Konstantin Kolinko

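What Brian's point 1 and Konstantin's points 1 and 3 converge on, as an added example that is not code from this thread or from the linked Stack Overflow answer: a Filter plus HttpSessionListener inside the "www" web application itself, so the cap applies to that context only, whereas a Manager's maxActiveSessions caps the total for the whole context rather than per IP. It assumes the Servlet 3.0 API shipped with Tomcat 7; the class name, the attribute key and the threshold of 20 are made-up values.

```java
import java.io.IOException;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/** Caps live HTTP sessions per client IP for this web application only (hypothetical class). */
@WebFilter("/*")
@WebListener
public class SessionPerIpFilter implements Filter, HttpSessionListener {
    static final int MAX_SESSIONS_PER_IP = 20;             // assumed threshold; tune for real traffic
    static final String IP_ATTR = "SessionPerIpFilter.ip";
    // live session count per remote address, shared by the filter and listener instances
    private static final ConcurrentMap<String, AtomicInteger> COUNTS =
            new ConcurrentHashMap<String, AtomicInteger>();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String ip = r.getRemoteAddr();                       // behind a proxy this is the proxy's address
        if (r.getSession(false) == null) {                   // no session yet: this request may create one
            AtomicInteger n = COUNTS.get(ip);
            if (n != null && n.get() >= MAX_SESSIONS_PER_IP) {
                ((HttpServletResponse) res).sendError(429, "Too many sessions from this address");
                return;                                      // servlet never runs, so no session is created
            }
        }
        chain.doFilter(req, res);
        HttpSession s = r.getSession(false);                 // did the servlet create a session?
        if (s != null && s.getAttribute(IP_ATTR) == null) {
            s.setAttribute(IP_ATTR, ip);                     // remember the owner for sessionDestroyed
            AtomicInteger fresh = new AtomicInteger();
            AtomicInteger n = COUNTS.putIfAbsent(ip, fresh);
            (n == null ? fresh : n).incrementAndGet();       // check and increment are not one atomic step,
        }                                                    // so a burst may overshoot the cap slightly
    }

    public void sessionCreated(HttpSessionEvent e) { }       // counted in doFilter, where the IP is known
    public void sessionDestroyed(HttpSessionEvent e) {       // timeout or invalidate() frees the slot
        String ip = (String) e.getSession().getAttribute(IP_ATTR);
        if (ip == null) return;
        AtomicInteger n = COUNTS.get(ip);
        if (n != null && n.decrementAndGet() <= 0) COUNTS.remove(ip, n);
    }

    public void init(FilterConfig c) { }
    public void destroy() { COUNTS.clear(); }
}
```

Behind a reverse proxy getRemoteAddr() returns the proxy's address, so Tomcat's RemoteIpValve or RemoteIpFilter has to run before this filter for the count to be per client.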