tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark H. Wood" <mw...@IUPUI.Edu>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Fri, 19 Apr 2013 15:42:21 GMT
On Wed, Apr 17, 2013 at 01:45:22PM -0400, Christopher Schultz wrote:
> Hash: SHA256
> André,
> On 4/17/13 1:27 PM, André Warnier wrote:
> > Leo Donahue - RDSA IT wrote:
> >>> -----Original Message----- From: André Warnier
> >>> [] Subject: Re: Tomcat access log reveals
> >>> hack attempt: "HEAD /manager/html HTTP/1.0" 404
> >>> 
> >>> 
> >>> That's the idea.  That is one reason why I brought this
> >>> discussion here : to check if, if the default factory setting
> >>> was for example 1000 ms delay for each 404 answer, could anyone
> >>> think of a severe detrimental side-effect ?
> >> 
> >> What if I send 10,000 requests to your server for some file that
> >> is not there?
> > 
> > Then you will just have to wait 10,000+ seconds in total before you
> > get all your corresponding 404 responses. Which is exactly the
> > point.
> Sounds like a DOS to me. What you really want to do is detect an
> attacker (or annoying client) and block them without having to use
> your own resources. Maintaining a socket connection for an extra
> second you don't otherwise have to do is using a resource, even if the
> CPU is entirely idle, and even if you can return the
> request-processing thread to the thread-pool before you wait that 1
> second to respond.

Good advice in general, but "what you want to do" depends on what you
intend to accomplish.  If your objective is to carry on with
legitimate business without too much interference from the bots, then
the thing to do is to detect bots and stop listening to them.

I think that André's argument is that we might prefer a different
objective:  to spend (a reasonable amount of) resources to harm bot
performance so that people stop deploying the nasty things.  This is
worth pondering.  It fits nicely with the view that "there are two
classes of threats:  those properly dealt with, and those still

The problem with active resistance is, of course, that when the bad
guys stop deploying bots they'll start doing something else.  To be
effective for more than a moment, we need to surround all the enemy's
tactical options.  At that point a smart enemy will give up and go
home, while a stupid (or desperate) one will come on and be destroyed.
Either way, you win.  But this is very hard to arrange.

So we have to consider what going active will cost, and how the
enemy's behavior will change.  The reward is still there for him if he
can grasp it.  What's the next soft spot, and can we defend or harden
it?  Can we afford to win the bot battle, or is it better to just
shrug them off?

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Machines should not be friendly.  Machines should be obedient.

View raw message