Solved

Tomcat Web Service Denial of Service

Posted on 2011-09-12
320 Views
Last Modified: 2012-05-12
Hello everyone,

I developed a web service in Java (JAX-WS) under Tomcat 6.

I want to protect it from denial of service; what is the best solution?

thx,
Ron.
Question by:ron44470
4 Comments
 
LVL 27

Assisted Solution

by:mrcoffee365
mrcoffee365 earned 1000 total points
ID: 36527379
DOS is a network attack. It's not usual to try to prevent DOS with a servlet engine's configuration. You prevent DOS by monitoring unusual activity and responding, usually by throttling access for a while, or by turning the network connection off.

You should look into the definition of DOS and various network/router/switch solutions:
http://en.wikipedia.org/wiki/Denial-of-service_attack

If you want to restrict access to your site by IP address, then you can configure Tomcat to deny access except for certain IP addresses. That doesn't prevent DOS, but it limits your exposure. See this FAQ for info on IP address restriction:
http://wiki.apache.org/tomcat/FAQ/Security
This isn't practical for most sites because they are public, but if yours is a private webapp, then you could do it.
LVL 64

Accepted Solution

by:btan
btan earned 1000 total points
ID: 36527839
DoS also happens when the web server (or even the web application) cannot handle a malformed packet that exhausts its internal resources, e.g. the web application is prevented from recycling a buffer for use and the demand for resources is soaring rapidly. There is a previous mention of the Slowloris HTTP attack, which need not necessarily go for high bandwidth @ http://ha.ckers.org/slowloris/

Such vulnerabilities are typically not easy to surface from normal testing but need a more thorough round of testing. OWASP released a testing guide, and pg 281 covers denial of service testing. It gives some useful use case checks

@ https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

We do want to remove the low-hanging fruit that easily triggers this sort of web attack, but generally DoS attacks are beyond the scope of what an application developer can prevent within their own code.

There will not be 100% secure code, but minimally developers play their part by adopting secure coding, and the overall architecture design adopts security architecture principles. Check out this OWASP ref and its cheat sheets for the developer

@ https://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet

There are also security tips for Apache HTTP Server configuration settings to help mitigate problems

@ http://httpd.apache.org/docs/2.3/misc/security_tips.html

Overall, I would suggest looking at a web application firewall as well for layered defences

@ http://blog.cherouvim.com/simple-dos-protection-with-mod_security/ 

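Both answers point at controls that can be approximated inside the web application itself: the IP address restriction mrcoffee365 describes and the application-level throttling that sits behind btan's layered-defence advice. The servlet filter below is an added example written for this page; it is not code from either answer, from Tomcat or from OWASP. It assumes a Servlet 2.5 container such as Tomcat 6, a hypothetical filter init parameter named `allowedAddresses`, and constructed limits (60 requests per minute per client, at most 10,000 tracked clients). The tracking map is bounded so that the filter cannot itself be turned into a memory-exhaustion vector.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example throttling filter for a JAX-WS endpoint on Tomcat 6 (Servlet 2.5).
 * Two controls: an optional allow-list of client addresses and a fixed-window
 * request budget per client address. All state is in memory and bounded.
 */
public class ThrottleFilter implements Filter {

    // Constructed limits for this example; tune to the service's real capacity.
    private static final int MAX_REQUESTS_PER_WINDOW = 60;
    private static final long WINDOW_MILLIS = 60000L;
    private static final int MAX_TRACKED_CLIENTS = 10000;

    // Empty set means "no allow-list configured": every address may connect.
    private Set<String> allowedAddresses = Collections.emptySet();

    // Access-ordered LinkedHashMap: the least recently seen client is evicted
    // once the bound is exceeded, so an attacker cycling source addresses
    // cannot grow this map without limit.
    private final Map<String, Window> windows =
        new LinkedHashMap<String, Window>(256, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Window> eldest) {
                return size() > MAX_TRACKED_CLIENTS;
            }
        };

    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init parameter, e.g. "127.0.0.1,10.0.0.5" in web.xml.
        String allow = config.getInitParameter("allowedAddresses");
        if (allow != null && allow.trim().length() > 0) {
            allowedAddresses = new HashSet<String>(Arrays.asList(allow.trim().split("\\s*,\\s*")));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the TCP peer address, not X-Forwarded-For: a request header is
        // client-controlled unless a trusted reverse proxy in front of Tomcat sets it.
        String client = request.getRemoteAddr();

        if (!allowedAddresses.isEmpty() && !allowedAddresses.contains(client)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!admit(client, System.currentTimeMillis())) {
            // 503 with Retry-After tells well-behaved clients to back off;
            // the request is rejected before the JAX-WS endpoint does any work.
            response.setHeader("Retry-After", String.valueOf(WINDOW_MILLIS / 1000));
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Fixed-window counter: returns false once the client's budget for the current window is spent. */
    boolean admit(String client, long now) {
        synchronized (windows) {
            Window w = windows.get(client);
            if (w == null || now - w.start >= WINDOW_MILLIS) {
                w = new Window(now);
                windows.put(client, w);
            }
            w.count++;
            return w.count <= MAX_REQUESTS_PER_WINDOW;
        }
    }

    public void destroy() {
    }

    private static final class Window {
        final long start;
        int count;

        Window(long start) {
            this.start = start;
        }
    }
}
```

Register it in the web application's web.xml with a `<filter>` element naming this class and a `<filter-mapping>` whose `url-pattern` covers the JAX-WS endpoint path. The caveat a practitioner should note: a servlet filter only runs once Tomcat has parsed a complete request, so it does nothing against the Slowloris-style attack btan mentions, which holds connections open by never finishing the request. That layer is covered by the connector's `connectionTimeout` setting and by the network-level monitoring and throttling mrcoffee365 describes, which is why both answers treat application code as only one part of the defence.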
LVL 27

Expert Comment

by:Tolomir
ID: 37175654
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
