tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 17 Apr 2013 17:45:22 GMT

André,

On 4/17/13 1:27 PM, André Warnier wrote:
> Leo Donahue - RDSA IT wrote:
>>> -----Original Message----- From: André Warnier
>>> [mailto:aw@ice-sa.com] Subject: Re: Tomcat access log reveals
>>> hack attempt: "HEAD /manager/html HTTP/1.0" 404
>>> 
>>> 
>>> That's the idea.  That is one reason why I brought this
>>> discussion here : to check if, if the default factory setting
>>> was for example 1000 ms delay for each 404 answer, could anyone
>>> think of a severe detrimental side-effect ?
>> 
>> What if I send 10,000 requests to your server for some file that
>> is not there?
> 
> Then you will just have to wait 10,000+ seconds in total before you
> get all your corresponding 404 responses. Which is exactly the
> point.

Sounds like a DOS to me. What you really want to do is detect an
attacker (or annoying client) and block them without having to use
your own resources. Maintaining a socket connection for an extra
second you don't otherwise have to do is using a resource, even if the
CPU is entirely idle, and even if you can return the
request-processing thread to the thread-pool before you wait that 1
second to respond.

What I describe above is a great case for using fail2ban (not sure if
it exists in the Windows world): you watch a log file (e.g. access
log) and lots of 404s coming from a single place and then ban them at
the firewall level. That's much more efficient than sleeping for a
second for each 404.

I'm sure you'll lock out most web spiders pretty quickly, though ;)

-chris
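
The log-watching approach described in the message above (many 404s from a single source, then a ban), sketched as an added example; it is not code from the thread or from fail2ban. It assumes Tomcat's `common` access log pattern; the threshold, the window and the log lines are constructed, and the ban itself is left to the firewall tooling.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def find_404_bursts(lines, max_404=5, window=timedelta(seconds=60)):
    """Map each client that produced max_404 or more 404s inside one sliding
    window to the time it crossed the threshold (the moment to ban it)."""
    recent = defaultdict(deque)      # client -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "404":
            continue                 # unparsable line, or not a 404
        host = m.group(1)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[host]
        q.append(when)
        while when - q[0] > window:  # forget 404s older than the window
            q.popleft()
        if len(q) >= max_404 and host not in flagged:
            flagged[host] = when
    return flagged

# Constructed sample log (documentation-range addresses), in time order.
SAMPLE_LOG = (
    ['198.51.100.7 - - [17/Apr/2013:16:59:58 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
     '198.51.100.7 - - [17/Apr/2013:16:59:59 +0000] "GET /favicon.ico HTTP/1.1" 404 -']
    # five probes in five seconds from one source
    + ['192.0.2.10 - - [17/Apr/2013:17:00:0%d +0000] "HEAD /manager/html HTTP/1.0" 404 -' % s
       for s in range(1, 6)]
    # five stale links followed ten minutes apart: same count, no burst
    + ['203.0.113.5 - - [17/Apr/2013:17:%02d:00 +0000] "GET /old-link HTTP/1.1" 404 -' % m
       for m in range(10, 60, 10)]
)

if __name__ == "__main__":
    for host, when in find_404_bursts(SAMPLE_LOG).items():
        print(f"ban candidate {host} (threshold crossed at {when.isoformat()})")
```

A crawler that follows many dead links in quick succession crosses the same threshold, which is the spider lock-out mentioned in the message.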
