tomcat-users mailing list archives

From Brian Braun <>
Subject Re: How to limit the number of sessions per IP address (DOS attacks)
Date Thu, 04 Oct 2012 01:13:32 GMT
Hi André,

You are right, there is a hole there. However, it won't be a problem for
me. Basically, I want to detect if the same IP creates so many sessions
that at the same time 200 sessions exist and belong to it (the sessions
live about 30 min each). My site doesn't have much traffic, usually there
are between 10 and 20 sessions and many of them belong to crawlers. So if
at a certain point there are 200 concurrent sessions belonging to the same IP,
most likely they actually belong to the same host and not to many hosts
behind a proxy.
Thanks for the comment!

On Mon, Oct 1, 2012 at 3:45 AM, André Warnier <> wrote:

> Brian Braun wrote:
>> Hi Constantine,
>> 1- I had almost decided to program a filter. However, I have found this
>> solution:
>> of-active-sessions-created-from-a-given-client-ip/3679783#3679783<>
>> What do you think about it? I havent tried it yet, but as far as I can
>> tell
>> it looks good. It would help me to know how many sessions exist for a
>> certain IP. Knowing that, I could deny more sessions for that IP (even
>> though the procedure to deny is not included in this code).
> Just want to point out a possible hole in the logic.
> If there are a number of potential (legitimate and illegitimate) clients
> located within the same corporate LAN, and these clients all access the
> Internet through say a corporate proxy, all these request will look to your
> server as originating from the same IP address.
> So you could be denying more than you wish.
> However, their origin /port/ should be different, so you might want to
> include that in your filter, in addition to the IP address.
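The mechanism the thread discusses, a per-IP session count with a denial step once the count reaches 200, as an added example that is neither Brian's code nor the linked Stack Overflow answer. It assumes a Servlet 3.0+ container (Tomcat 7 or later, so `@WebFilter` and `@WebListener` are picked up without web.xml entries) and Java 8 for `ConcurrentHashMap.merge`/`computeIfPresent`; the class, attribute and constant names are our own.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Counts live sessions per client IP and refuses to let a client that already
 * owns MAX_SESSIONS_PER_IP of them create another one.
 *
 * One class plays both roles so it fits in a single source file: Tomcat builds
 * one instance as the listener and one as the filter, and the static map is
 * what they share (one map per web application class loader).
 * All names here are assumptions of this example, not from the thread.
 */
@WebListener
@WebFilter("/*")
public class SessionsPerIpFilter implements Filter, HttpSessionListener {

    /** Session attribute in which the owning client address is recorded. */
    static final String OWNER_IP_ATTR = "sessionsPerIp.ownerIp";

    /** The threshold from the thread: 200 concurrent sessions from one address. */
    static final int MAX_SESSIONS_PER_IP = 200;

    /** Live session count keyed by client IP. */
    private static final ConcurrentHashMap<String, Integer> COUNTS = new ConcurrentHashMap<>();

    static int countFor(String ip) {
        return COUNTS.getOrDefault(ip, 0);
    }

    // ---- Filter side: enforce the limit, then attribute any new session ----

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ip = request.getRemoteAddr();

        // Only a request that has no session yet can raise this IP's count, so
        // requests carrying a valid session cookie are never blocked here.
        if (request.getSession(false) == null && countFor(ip) >= MAX_SESSIONS_PER_IP) {
            response.sendError(429, "Too many concurrent sessions from this address");
            return;
        }

        chain.doFilter(req, res);

        // If the application created a session while handling this request,
        // record its owner exactly once and bump that owner's count.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(OWNER_IP_ATTR) == null) {
            session.setAttribute(OWNER_IP_ATTR, ip);
            COUNTS.merge(ip, 1, Integer::sum);
        }
    }

    // ---- Listener side: release the slot when the session expires or is invalidated ----

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        Object ip = se.getSession().getAttribute(OWNER_IP_ATTR);
        if (ip instanceof String) {
            // Per-key atomic decrement; returning null removes the entry at zero.
            COUNTS.computeIfPresent((String) ip, (k, n) -> n <= 1 ? null : n - 1);
        }
    }

    @Override public void sessionCreated(HttpSessionEvent se) { /* owner is recorded in doFilter */ }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Two points worth knowing before deploying something like this. First, the check and the increment are not one atomic step, so a burst of simultaneous first requests can overshoot the limit by a few sessions; for a threshold of 200 that is harmless, but it is why the denial is a coarse DoS brake rather than an exact quota. Second, `getRemoteAddr()` is keyed on the peer Tomcat actually talks to: behind a reverse proxy or load balancer every session would be counted against the proxy's address, which is André's NAT concern seen from the other side, unless Tomcat's `RemoteIpValve` (or `RemoteIpFilter`) is configured to restore the client address from the forwarding headers.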
