tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: HTTP connection timeout
Date Fri, 12 Jul 2013 19:41:55 GMT

André,

On 7/12/13 4:16 AM, André Warnier wrote:
> Harsimranjit singh Kler wrote:
>> Using Tomcat 6. I am always confused by
>> 
>> connectionTimeout
>> 
>> The number of milliseconds this *Connector* will wait, after
>> accepting a connection, for the request URI line to be presented.
>> The default value is 60000 (i.e. 60 seconds).
>> 
>> Helpful if anyone can explain?
>> 
>> Is there any connector parameter where I can set a request
>> timeout? Rather than an application-level timeout, I want Tomcat
>> to time out after a certain period if a request is taking a long time.
>> 
> 
> The Connectors are "shared" by all Hosts and all applications. So
> the connectionTimeout is already global for all requests that come
> in on the corresponding Connector port.
> 
> This parameter is there specifically to fight one type of 
> Denial-Of-Service attack, whereby some malicious client(s) create a
> TCP connection to the server (which has the effect of reserving
> some resources on the server for handling this connection), and
> then just sit there without sending any HTTP request on that
> connection. By making this delay shorter, you shorten the time
> during which the server resources are allocated, to serve a request
> that will never come. This has to be balanced against legitimate
> clients which may be slow in sending the request line.  But 60
> seconds is a really long time to wait for such legitimate client
> requests nowadays. You can probably lower that to 5000 (= 5 s.)
> without any ill effect on the legitimate clients.

FWIW, it's trivial to change a TCP-connect attack to a Slowloris
attack[1], which Tomcat cannot really mitigate very well.

[1] http://en.wikipedia.org/wiki/Slowloris

> Note that as soon as the HTTP request line has been received, this 
> timeout plays no role anymore. So it is not usable to limit the
> time that an application requires to process and respond to the
> request.  As far as I know, there is no standard parameter
> available in Tomcat to do that.  Which is also rather
> understandable, because Tomcat has no idea what kind of delay makes
> sense for any particular application with any particular request
> parameters.  Only you would know that, on a call-by-call basis.

Try looking at "socket.soTimeout" if using the NIO implementation.
There doesn't seem to be a reason why the blocking-connector couldn't
also specify the read timeout, but I don't see an option for that
connector.

-chris


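The difference between the idle TCP connection and the Slowloris case discussed in this message, as an added Python model that is not part of the original thread and is not Tomcat code. It assumes a per-read socket timeout whose clock restarts after every successful read; `header_outcome`, `header_deadline_ms` (an overall limit on receiving the headers, not a Tomcat attribute) and the sample timelines are hypothetical and constructed for illustration.

```python
# Constructed model (not Tomcat code): replay byte arrivals on one accepted
# connection and report which server-side limit, if any, closes it.
END_OF_HEADERS = b"\r\n\r\n"

def _next_limit(last_read_ms, idle_timeout_ms, header_deadline_ms):
    """Return (fire_time_ms, reason) for whichever limit expires first."""
    # A per-read timeout is measured from the most recent successful read.
    limits = [(last_read_ms + idle_timeout_ms, "idle_timeout")]
    if header_deadline_ms is not None:
        # Hypothetical overall deadline, measured from accept().
        limits.append((header_deadline_ms, "header_deadline"))
    return min(limits)

def header_outcome(arrivals, idle_timeout_ms, header_deadline_ms=None):
    """arrivals: list of (ms_since_accept, bytes), sorted by time.

    Returns (outcome, ms_since_accept at which the outcome was decided).
    """
    buf, last_read = b"", 0
    for t, chunk in arrivals:
        fire_at, reason = _next_limit(last_read, idle_timeout_ms, header_deadline_ms)
        if t > fire_at:                  # a limit expired before these bytes came
            return reason, fire_at
        buf += chunk
        last_read = t                    # every read restarts the idle clock
        if END_OF_HEADERS in buf:
            return "headers_complete", t
    # Nothing more arrives: the earliest remaining limit closes the socket.
    fire_at, reason = _next_limit(last_read, idle_timeout_ms, header_deadline_ms)
    return reason, fire_at

# Constructed timelines (milliseconds since accept).
SILENT = []                                               # connects, sends nothing
NORMAL = [(40, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
TRICKLE = [(4000, b"GET / HTTP/1.1\r\n")] + [
    (4000 * i, b"X-a: b\r\n") for i in range(2, 31)       # never ends the headers
]

if __name__ == "__main__":
    for name, timeline in (("silent", SILENT), ("normal", NORMAL), ("trickle", TRICKLE)):
        print(name,
              header_outcome(timeline, idle_timeout_ms=5000),
              header_outcome(timeline, idle_timeout_ms=5000, header_deadline_ms=10000))
```

With a 5000 ms per-read timeout the silent connection is dropped after 5 seconds, but the trickling one is held until the sender stops, because each chunk arrives inside the idle window; only the overall deadline bounds it.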