Solved

Tomcat Web Service Denial of Service

Posted on 2011-09-12
4
317 Views
Last Modified: 2012-05-12
Hello everyone,

I developed a web service in Java (jaxws) under tomcat 6.

I want to protect from Denial of service, what is the best solution?

thx,
Ron.
0
Question by:ron44470
4 Comments
 
LVL 27

Assisted Solution

by:mrcoffee365
mrcoffee365 earned 250 total points
ID: 36527379
DOS is a network attack. It's not usual to try to prevent DOS with a servlet engine's configuration. You prevent DOS by monitoring unusual activity and responding -- usually by throttling access for a while. Or turning the network connection off.

You should look into the definition of DOS and various network/router/switch solutions:
http://en.wikipedia.org/wiki/Denial-of-service_attack

If you want to restrict access to your site by IP address, then you can configure Tomcat to deny access except for certain IP addresses.  That doesn't prevent DOS, but it limits your exposure.  See this FAQ for info on IP address restriction:
http://wiki.apache.org/tomcat/FAQ/Security
This isn't practical for most sites because they are public, but if yours is a private webapp, then you could do it.
0
 
LVL 64

Accepted Solution

by:
btan earned 250 total points
ID: 36527839
DOS can also happen when a web server (or even a web application) cannot handle malformed packets, exhausting its internal resources, e.g. the web application is prevented from recycling a buffer and the demand for resources soars rapidly. There was a previous mention of the Slowloris HTTP attack, which need not necessarily require high bandwidth @ http://ha.ckers.org/slowloris/

Such vulnerabilities are typically not easy to surface from normal testing but need a more thorough round of testing. OWASP released a testing guide, and pg 281 covers denial of service testing. It gives some useful use case checks

@ https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

We do want to remove the low-hanging fruit that easily triggers this sort of web attack, but generally DoS attacks are beyond the scope of what an application developer can prevent within their own code.

There is no 100% secure code, but minimally the developer plays their part by adopting secure coding, and the overall architecture design adopts security architecture principles. Check out this OWASP ref and its cheat sheets for the developer

@ https://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet

There are also security tips from the Apache HTTP Server configuration settings to help mitigate problems

@ http://httpd.apache.org/docs/2.3/misc/security_tips.html

Overall, I would suggest looking at a web application firewall as well for layered defences

@ http://blog.cherouvim.com/simple-dos-protection-with-mod_security/ 

0
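The two container-side measures the answers above point at, the Tomcat FAQ's IP address restriction and the connector behaviour that a Slowloris-style slow client exploits, can both be expressed in Tomcat 6 configuration. The fragments below are an added example written for this page; they are not from either answer or from the Tomcat project, and the port, address patterns and timeout values are constructed placeholders to be tuned for your own network. They reduce how much a single client can tie up, but, as mrcoffee365 says, they do not stop a volumetric flood; that still has to be handled upstream.

```xml
<!-- Added example (not from the thread or the Tomcat project): Tomcat 6 configuration
     fragments that limit how long one client can hold a connection open and who may
     reach a private web service at all. Addresses, port and timeouts are constructed
     placeholders. -->

<!-- conf/server.xml: the HTTP connector.
     - Http11NioProtocol: an idle or slow connection no longer pins a worker thread,
       which is what a slow-header client relies on with the default blocking connector.
     - connectionTimeout: milliseconds to wait for the request line and headers before
       the connection is dropped (10 s here instead of the 60 s default).
     - disableUploadTimeout="false" + connectionUploadTimeout: the same cut-off for a
       client that trickles in the request body.
     - maxThreads / acceptCount: bound the work the container will run or queue so it
       refuses excess connections instead of exhausting memory.
     - maxHttpHeaderSize / maxPostSize: cap the buffer a single request can make
       Tomcat allocate. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="10000"
           disableUploadTimeout="false"
           connectionUploadTimeout="30000"
           maxThreads="200"
           acceptCount="100"
           maxKeepAliveRequests="50"
           maxHttpHeaderSize="8192"
           maxPostSize="2097152"
           redirectPort="8443" />

<!-- META-INF/context.xml of the web service (or conf/context.xml to cover every app):
     RemoteAddrValve is the IP restriction the Tomcat FAQ describes. In Tomcat 6 the
     allow attribute is a comma-separated list of java.util.regex patterns matched
     against the whole client address, hence the escaped dots. When allow is set, any
     address that matches no pattern gets a 403. Suitable only for a private service:
     it does nothing against a flood from an allowed address. -->
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.0\.0\.\d+" />
</Context>
```

If Tomcat sits behind Apache HTTP Server or a load balancer, the address the valve sees is the proxy's, so the allow list belongs on the proxy instead, and the connector timeouts then protect the proxy-to-Tomcat hop rather than the client-facing one.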
 
LVL 27

Expert Comment

by:Rainer Meller
ID: 37175654
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
