tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: is tomcat 6.0.35 vulnerable to CVE-2007-6750?
Date Wed, 12 Jun 2013 18:45:24 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Brandon,

On 6/12/13 12:33 PM, Brandon McCombs wrote:
> So it seems that although there is a chance of Tomcat being
> vulnerable [to Slowloris] it isn't a sufficiently large risk to
> warrant being addressed and is in fact categorized as a low risk.

That depends upon your perspective. Unfortunately, Slowloris is a
fairly effective weapon under certain conditions.

The reason it's difficult to mitigate is that it is not really
possible to differentiate a Slowloris attack from a client using a
really crappy connection (mobile, etc.) from just a single sample
(i.e. one request).

mod_security and a few other httpd modules can do things like detect
multiple connections from a single host acting funny and kill them
all. Tomcat has no such built-in mitigations.

If you use the NIO connector (or APR?), you can at least limit the DOS
to exhausting your file handles, since the headers are read
asynchronously and therefore don't tie up threads during that loooong,
slow request.

Setting a reasonable connectionTimeout (default: 60s,
default-configuration: 20s) can abort a connection somewhat early, but
a Slowloris client that sends a request line immediately and then
sends one byte per second in a chunked request can tie you up
virtually forever. You can also tweak connectionUploadTimeout.

You could write a Valve that queued pending requests including a
start-time and periodically swept that queue for long-running requests,
but a) you would find it difficult to identify true attacks versus
other factors and b) it's very messy to kill a request's socket while
the client is still sending. (Search the archives for posts about
aborting client-uploads for further, related reading).

> So that's good enough for me.

It's nice to hear someone come onto the list asking about a CVE and
ultimately say "wow, that sucks, but I guess it's okay to leave things
alone." Mostly, people come and demand patches so they can pass a
security audit ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
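The connector settings Chris refers to (NIO protocol, connectionTimeout, connectionUploadTimeout) are set in conf/server.xml. The following is an added illustration, not code from the message above or from the Tomcat distribution: the first Connector is the shape of the shipped blocking (BIO) configuration, the second applies the advice in the message. Port numbers and the specific timeout values are assumptions chosen for the example.

```xml
<!-- Added example for conf/server.xml; not from the message or the Tomcat
     project. Ports and timeout values are illustrative assumptions. -->

<!-- 1. Shape of the shipped configuration: blocking (BIO) HTTP connector.
        A connection that is still sending its request headers occupies a
        worker thread, so a small number of very slow clients can use up
        maxThreads. connectionTimeout is in milliseconds (20000 = the 20s
        "default-configuration" value mentioned in the message). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- 2. Variant following the message's advice:
        - NIO connector: request headers are read without holding a worker
          thread, so a slow client costs a socket/file handle, not a thread.
        - connectionTimeout: how long (ms) to wait for request line and
          headers once the connection is accepted.
        - disableUploadTimeout="false" is required for connectionUploadTimeout
          to take effect; connectionUploadTimeout then bounds the wait for
          the next read of the request body after headers are complete. -->
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           connectionTimeout="10000"
           disableUploadTimeout="false"
           connectionUploadTimeout="10000"
           redirectPort="8443" />
```

Both timeouts bound the idle gap between reads, not the total lifetime of a request, which is exactly the limitation the message describes: a client that delivers one byte inside each window keeps its socket open, so what remains after this change is file-handle exhaustion rather than thread exhaustion, and per-host connection counting still has to happen in front of Tomcat.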

