X

Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • March 6, 2007

Denial of Service (DoS) Prevention By Request Timeout in Sun Java System Web Server 7.0

Denial of Service (DoS) Prevention By Request Timeout in Sun Java System Web Server 7.0



Check out the new improvements we made in Sun Java System Web Server 7.0. In this blog I will talk about Denial Of Service (DoS) Prevention "Request Timeout" enhancements.


We have introduced two more timeouts in the server.xml's <http> element in addition to the existing <io-timeout>. They are <request-header-timeout>
and <request-body-timeout>.


If you are a Web Server Administrator and you want to limit users to be sending all request headers in the first 10 minutes of the connection and request body in the next one hour, you can set these two parameters in server.xml like



...

<http> ...

   
<request-header-timeout>600</request-header-timeout>

   
<request-body-timeout>3600</request-body-timeout>

</http>

...



All other connections which last longer will be disconnected by the
server automatically.

Other blogs on this topic are :

Join the discussion

Comments ( 2 )
  • DzM Tuesday, March 13, 2007
    How can one limit the overall age of any request?
    In my perfdump I'm seeing:
    22522    response  12.148.202.85  1086  pogues-1  GET     /                       
    22522 response 80.194.194.34 393 pogues-1 GET /

    Yet in my server.xml I have:
      <http>
    <strict-request-headers>false</strict-request-headers>
    <io-timeout>5</io-timeout>
    <request-body-timeout>300</request-body-timeout>
    </http>

    In hind-sight it's obvious that these only control timers on the incoming data. How can I control the overall length of the request including response time?
  • DzM Tuesday, March 13, 2007
    Hmm. And now I see:
    22522    response  82.194.62.22   995  pogues-1  POST    /forum/posting.php                      responder-fastcgi

    So it seems my understanding of what these timers do is wrong. How can I have a io-timeout of 5 seconds and a request-body-timeout of 300 seconds, yet have perfdump show me a POST request 995 seconds old? I suppose this indicates that we've already received all the POST data and is now trying to create/send a response. Any idea how I can limit this stuff?
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.