tomcat-users mailing list archives

From Christopher Schultz
Subject Re: HTTP connection timeout
Date Fri, 12 Jul 2013 19:41:55 GMT

On 7/12/13 4:16 AM, André Warnier wrote:
> Harsimranjit singh Kler wrote:
>> Using Tomcat 6. I am always confused with
>> connectionTimeout
>> The number of milliseconds this *Connector* will wait, after
>> accepting a connection, for the request URI line to be presented.
>> The default value is 60000 (i.e. 60 seconds).
>> Helpful if anyone can explain?
>> Is there any connector parameter where I can set a request
>> timeout? Rather than an application-level timeout, I want Tomcat
>> to time out after a certain period if a request is taking a long time.
> The Connectors are "shared" by all Hosts and all applications. So
> the connectionTimeout is already global for all requests that come
> in on the corresponding Connector port.
> This parameter is there specifically to fight one type of 
> Denial-Of-Service attack, whereby some malicious client(s) create a
> TCP connection to the server (which has the effect of reserving
> some resources on the server for handling this connection), and
> then just sit there without sending any HTTP request on that
> connection. By making this delay shorter, you shorten the time
> during which the server resources are allocated, to serve a request
> that will never come. This has to be balanced against legitimate
> clients which may be slow in sending the request line.  But 60
> seconds is a really long time to wait for such legitimate client
> requests nowadays. You can probably lower that to 5000 (= 5 s.)
> without any ill effect on the legitimate clients.

FWIW, it's trivial to change a TCP-connect attack to a Slowloris
attack[1], which Tomcat cannot really mitigate very well.


> Note that as soon as the HTTP request line has been received, this 
> timeout plays no role anymore. So it is not usable to limit the
> time that an application requires to process and respond to the
> request.  As far as I know, there is no standard parameter
> available in Tomcat to do that.  Which is also rather
> understandable, because Tomcat has no idea what kind of delay makes
> sense for any particular application with any particular request
> parameters.  Only you would know that, on a call-by-call basis.

Try looking at "socket.soTimeout" if using the NIO implementation.
There doesn't seem to be a reason why the blocking-connector couldn't
also specify the read timeout, but I don't see an option for that.

-chris
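An added example, not part of the thread and not Tomcat code: a Python check that reads a `server.xml` and reports HTTP Connectors whose `connectionTimeout` is unset (so the 60000 ms default quoted above applies), disabled, unresolved, or above the 5000 ms suggested in the quoted reply. The sample file, its ports and the `audit_connectors` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PAGE_DEFAULT_MS = 60000   # default quoted in the thread for Tomcat 6
SUGGESTED_MAX_MS = 5000   # value suggested in the quoted reply

# Constructed sample server.xml (not from the thread).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8082" protocol="HTTP/1.1" connectionTimeout="5000"/>
    <Connector port="8083" protocol="HTTP/1.1" connectionTimeout="-1"/>
    <Connector port="8084" protocol="HTTP/1.1" connectionTimeout="${http.timeout}"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

def audit_connectors(xml_text, max_ms=SUGGESTED_MAX_MS, default_ms=PAGE_DEFAULT_MS):
    """Return (port, effective_ms, reason) for each HTTP Connector whose wait
    for the request line exceeds max_ms; effective_ms is None if not finite/known."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # AJP connectors have their own defaults; out of scope here
        port = conn.get("port", "?")
        raw = conn.get("connectionTimeout")
        if raw is None:
            if default_ms > max_ms:
                findings.append((port, default_ms, "not set, default applies"))
            continue
        try:
            value = int(raw.strip())
        except ValueError:
            # e.g. a ${property} placeholder that only Tomcat resolves at startup
            findings.append((port, None, "unresolved value %r" % raw))
            continue
        if value <= 0:
            # Tomcat documents -1 as "no timeout"; flag non-positive values conservatively
            findings.append((port, None, "timeout disabled"))
        elif value > max_ms:
            findings.append((port, value, "exceeds %d ms" % max_ms))
    return findings

if __name__ == "__main__":
    for port, ms, reason in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: connectionTimeout=%s (%s)" % (port, ms, reason))
```

As the quoted reply notes, this setting only bounds the wait for the request line, so a clean report says nothing about how long an application may take to respond.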