Solved

Tomcat Web Service Deny of service

Posted on 2011-09-12
4
312 Views
Last Modified: 2012-05-12
Hello everyone,

I developed a web service in Java (jaxws) under tomcat 6.

I want to protect from Denial of service, what is the best solution?

thx,
Ron.
0
Comment
Question by:ron44470
4 Comments
 
LVL 27

Assisted Solution

by:mrcoffee365
mrcoffee365 earned 250 total points
ID: 36527379
DOS is a network attack.  It's not usual to try to prevent DOS with a servlet engine's configuration.  You prevent DOS by monitoring unusual activity and responding -- usually by throttling access for a while.  Or turning the network connection off.

You should look into the definition of DOS and various network/router/switch solutions:
http://en.wikipedia.org/wiki/Denial-of-service_attack

If you want to restrict access to your site by IP address, then you can configure Tomcat to deny access except for certain IP addresses.  That doesn't prevent DOS, but it limits your exposure.  See this FAQ for info on IP address restriction:
http://wiki.apache.org/tomcat/FAQ/Security
This isn't practical for most sites because they are public, but if yours is a private webapp, then you could do it.
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 36527839
DOS also happened such that web server (or even web appl) cannot handle malformed packet exhausting their internal resources e.g. web appl is prevented such that a buffer cannot recycle for use and demand of resource is shoring rapidly. There is a previous mention of slowloris HTTP attack that need not necessarily go for high bandwidth @ http://ha.ckers.org/slowloris/ 

Such vulnerability are typically not easy to surface from the normal testing but need more thorough round of testing. OWASP released a testing guide and pg 281 covers denial of service testing. It gives some useful use case checks

@ https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

We do want to remove the low hanging fruit that easily trigger off sort of web attack but generally DoS attacks are beyond the scope of what an application developer can prevent within their own code.

There would not be 100% secure codes but minimally developer play their part to adopt secure coding and the overall architecture design adopt a security architecture principle. Check out this OWASP ref and its cheatsheets for the developer

@ https://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet

There are also security tips from Apache HTTP Server configuration settings to help mitigate problems

@ http://httpd.apache.org/docs/2.3/misc/security_tips.html

Overall, I will suggest to look at web application firewall as well for layered defences

@ http://blog.cherouvim.com/simple-dos-protection-with-mod_security/ 



 
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37175654
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Viewers learn about the “while” loop and how to utilize it correctly in Java. Additionally, viewers begin exploring how to include conditional statements within a while loop and avoid an endless loop. Define While Loop: Basic Example: Explanatio…
Viewers will learn about arithmetic and Boolean expressions in Java and the logical operators used to create Boolean expressions. We will cover the symbols used for arithmetic expressions and define each logical operator and how to use them in Boole…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question