Denial of Service (DoS) Prevention By Request Timeout in Sun Java System Web Server 7.0

Denial of Service (DoS) Prevention By Request Timeout in Sun Java System Web Server 7.0


Check out the new improvements we made in Sun Java System Web Server 7.0. In this blog I will talk about Denial Of Service (DoS) Prevention "Request Timeout" enhancements.

We have introduced two more timeouts in the server.xml's <http> element in addition to the existing <io-timeout>. They are <request-header-timeout> and <request-body-timeout>.

If you are a Web Server Administrator and you want to limit users to be sending all request headers in the first 10 minutes of the connection and request body in the next one hour, you can set these two parameters in server.xml like

...

<http> ...
    <request-header-timeout>600</request-header-timeout>
    <request-body-timeout>3600</request-body-timeout>
</http>
...

All other connections which last longer will be disconnected by the server automatically.

Other blogs on this topic are :

Comments:

How can one limit the overall age of any request? In my perfdump I'm seeing:
22522    response  12.148.202.85  1086  pogues-1  GET     /                       
22522    response  80.194.194.34  393   pogues-1  GET     /                       
Yet in my server.xml I have:
  <http>
    <strict-request-headers>false</strict-request-headers>
        <io-timeout>5</io-timeout>
    <request-body-timeout>300</request-body-timeout>
  </http>
In hind-sight it's obvious that these only control timers on the incoming data. How can I control the overall length of the request including response time?

Posted by DzM on March 13, 2007 at 04:16 PM IST #

Hmm. And now I see:
22522    response  82.194.62.22   995  pogues-1  POST    /forum/posting.php                      responder-fastcgi
So it seems my understanding of what these timers do is wrong. How can I have a io-timeout of 5 seconds and a request-body-timeout of 300 seconds, yet have perfdump show me a POST request 995 seconds old? I suppose this indicates that we've already received all the POST data and is now trying to create/send a response. Any idea how I can limit this stuff?

Posted by DzM on March 13, 2007 at 04:33 PM IST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Meena Vyas

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today