tomcat-users mailing list archives

From Pïd stèr <>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Tue, 16 Apr 2013 18:43:01 GMT
On 16 Apr 2013, at 19:38, "André Warnier" <> wrote:

> Pïd stèr wrote:
>> On 16 Apr 2013, at 17:58, chris derham <> wrote:
>>>> Or, another way of looking at this would be that for every 40 servers
>>>> scanned without a 404 delay, the same bot infrastructure within the same
>>>> time would only be able to scan 1 server if a 1 s 404 delay was implemented
>>>> by 50% of the webservers.
>>> This assumes that the scanning software makes sequential requests.
>>> Assuming your suggestion was rolled out (which I think is a good idea
>>> in principle), wouldn't the scanners be updated to make concurrent
>>> async requests? At which point, you only end up adding 1 second to the
>>> total original time? Which kind of defeats it.
>>> Again I'd like to state that I think you are onto a good idea, but the
>>> other important point is that some (most?) of these scans are run from
>>> botnets. These have zero cost (well for the bot farmers anyway). My
>>> point is even if the proposal worked, they don't care if their herd is
>>> held up a little longer - they are abusing other people's
>>> computers/connections so it doesn't cost them anything directly.
>>> Sorry but those are my thoughts
>> I tend to agree. Effort will just be expended elsewhere, and that's
>> assuming this would have enough of an impact to be noticed.
> Say that it would be easy to implement this in Tomcat, and that we do not collectively
> find good reasons not to do so, and that it does get implemented.
> Then I pledge that my next move would be to bring this similarly onto the Apache httpd
> list (using the Tomcat precedent as an introduction of course (à la "hey guys ? those
> smart Tomcat developers have just had a great idea etc..")).
> I haven't checked the actual numbers yet, but I would imagine that between Apache httpd
> and Tomcat, we're talking of a significant proportion of the overall webservers, no ?

Only if you can get them updated in a timely fashion.
And only if the default setting is 'on'.


> Alternatively of course, still if there are no definite arguments against it, but the
> Tomcat developers are not interested, I could go to the Apache list anyway. And then
> might be the first to introduce this great feature.
> Or maybe I'll just patent it, and then sell the patent to the makers of the third
> most-popular webserver..

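As an added illustration, not code from this thread or from Tomcat itself, here is what the proposed "delay every 404" idea would look like as a servlet Filter on a Servlet 3.0 container (Tomcat 7 or later). The class name NotFoundDelayFilter and the delayMillis init parameter are my own. The point it makes concrete is the one Chris raised above: the delay is a Thread.sleep on a Tomcat request-processing thread, so a scanner that issues its requests concurrently waits roughly one delay in total, while the server pays one blocked worker thread per delayed request.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not part of Tomcat): holds back any
 * 404 response by a configurable number of milliseconds.
 *
 * Needs Servlet 3.0+ for HttpServletResponse.getStatus() and @WebFilter.
 * Deployed inside a web application it covers only that context; the
 * ROOT context is the one that answers unknown paths such as /manager/html
 * when the manager application is not deployed.
 */
@WebFilter(urlPatterns = "/*",
           initParams = @WebInitParam(name = "delayMillis", value = "1000"))
public class NotFoundDelayFilter implements Filter {

    /** Delay applied to each 404, in milliseconds (default 1 s as in the thread). */
    private long delayMillis = 1000L;

    @Override
    public void init(FilterConfig config) {
        String v = config.getInitParameter("delayMillis");
        if (v != null) {
            delayMillis = Long.parseLong(v.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Let the application (or Tomcat's DefaultServlet) handle the request first.
        chain.doFilter(req, res);

        if (res instanceof HttpServletResponse
                && ((HttpServletResponse) res).getStatus() == HttpServletResponse.SC_NOT_FOUND) {
            // When the 404 comes from sendError(), Tomcat renders the error page
            // after the filter chain returns, so sleeping here delays the whole
            // response. If the application already wrote and flushed its own 404
            // body, the client has it and only the connection close is delayed.
            //
            // Cost: this thread is a Tomcat worker thread. N concurrent 404s pin
            // N threads for delayMillis each, so a scanner using concurrent
            // requests waits about one delay in total, and the delay itself
            // becomes a way to exhaust the server's thread pool.
            try {
                Thread.sleep(delayMillis);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Packaged in a web application (the annotation replaces a web.xml filter entry), every 404 from that context is answered after the configured pause. The thread-pinning cost is the practical objection: with the default Tomcat connector thread pool, a few hundred concurrent requests for nonexistent paths would occupy every worker for the length of the delay, which hurts the server more than the scanner.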
