Tomcat Web Service Denial of Service

Posted on 2011-09-12
Last Modified: 2012-05-12
Hello everyone,

I developed a web service in Java (jaxws) under tomcat 6.

I want to protect it from denial of service; what is the best solution?

thx,
Ron.
Question by:ron44470
4 Comments
LVL 26

Assisted Solution

by:mrcoffee365
mrcoffee365 earned 250 total points
ID: 36527379
DOS is a network attack.  It's not usual to try to prevent DOS with a servlet engine's configuration.  You prevent DOS by monitoring unusual activity and responding -- usually by throttling access for a while.  Or turning the network connection off.

You should look into the definition of DOS and various network/router/switch solutions:
http://en.wikipedia.org/wiki/Denial-of-service_attack

If you want to restrict access to your site by IP address, then you can configure Tomcat to deny access except for certain IP addresses.  That doesn't prevent DOS, but it limits your exposure.  See this FAQ for info on IP address restriction:
http://wiki.apache.org/tomcat/FAQ/Security
This isn't practical for most sites because they are public, but if yours is a private webapp, then you could do it.
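As an added example, not code from any answer in this thread: a servlet filter that throttles requests per client address, the kind of application-level "throttle for a while" control mrcoffee365 describes. The class name, the 100-per-minute limit and the fixed window are assumptions; it targets the Servlet 2.5 API that Tomcat 6 ships.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
// Hypothetical per-client request throttle for a Servlet 2.5 container such as Tomcat 6.
// Map it in web.xml to the JAX-WS endpoint URL pattern so a flood from one address is
// answered with cheap 503s instead of reaching the service. Only the TCP peer address is
// trusted; behind a reverse proxy, limit at the proxy or expose the client address via
// Tomcat's RemoteIpValve first, otherwise every caller shares the proxy's counter.
public class RateLimitFilter implements Filter {
    private static final int MAX_REQUESTS_PER_WINDOW = 100; // constructed limit
    private static final long WINDOW_MILLIS = 60000L;      // fixed one-minute window
    // one counter per remote address, dropped wholesale when the window rolls over
    private final Map<String, AtomicInteger> counts = new ConcurrentHashMap<String, AtomicInteger>();
    private volatile long windowStart = System.currentTimeMillis();

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        long now = System.currentTimeMillis();
        if (now - windowStart >= WINDOW_MILLIS) {
            synchronized (this) {  // double-checked so only one thread resets the window
                if (now - windowStart >= WINDOW_MILLIS) { counts.clear(); windowStart = now; }
            }
        }
        String client = req.getRemoteAddr();
        AtomicInteger counter = counts.get(client);
        if (counter == null) {  // race-safe insert of a fresh counter for a new client
            AtomicInteger fresh = new AtomicInteger();
            counter = counts.putIfAbsent(client, fresh);
            if (counter == null) counter = fresh;
        }
        if (counter.incrementAndGet() > MAX_REQUESTS_PER_WINDOW) {
            HttpServletResponse http = (HttpServletResponse) res;
            http.setHeader("Retry-After", String.valueOf(WINDOW_MILLIS / 1000));
            http.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Too many requests");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

This only blunts floods from a small number of sources; as both answers note, volumetric attacks still have to be absorbed upstream of Tomcat.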
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 36527839
DoS also happens when a web server (or even a web application) cannot handle malformed packets that exhaust its internal resources, e.g. the web application is prevented from recycling a buffer while demand for the resource is soaring rapidly. There is a previous mention of the Slowloris HTTP attack, which need not necessarily require high bandwidth, at http://ha.ckers.org/slowloris/

Such vulnerabilities are typically not easy to surface through normal testing but need a more thorough round of testing. OWASP released a testing guide, and pg 281 covers denial of service testing. It gives some useful use case checks

@ https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

We do want to remove the low-hanging fruit that easily triggers this sort of web attack, but generally DoS attacks are beyond the scope of what an application developer can prevent within their own code.

There is no 100% secure code, but minimally developers play their part by adopting secure coding, and the overall architecture design adopts security architecture principles. Check out this OWASP ref and its cheat sheets for the developer

@ https://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet

There are also security tips from the Apache HTTP Server configuration settings to help mitigate problems

@ http://httpd.apache.org/docs/2.3/misc/security_tips.html

Overall, I would suggest looking at a web application firewall as well for layered defences

@ http://blog.cherouvim.com/simple-dos-protection-with-mod_security/

LVL 27

Expert Comment

by:Tolomir
ID: 37175654
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.