Your proposal is based on a determination that the request is 'from the same
client'. What is your definition for a 'client' and how do you determine if
two requests are from the same client?
Tal
> -Original Message-
> From: Scott Christley [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, Ja
Scott Christley typed the following on 10:54 AM 1/17/2001 -0800
>I must apologize first by saying that I originally found this bug with
>Jserv not Tomcat, but those of you who are familiar with Tomcat
>internals can probably tell fairly quickly if this would still be an
>issue.
It could potential
What's a client? For instance, if it's truly an attack, it would be
trivial to spoof IP addresses. And with entire corporations behind
NAT firewalls, simply setting the number of sessions per IP address
to a `small' number would not work.
Or, are you saying, don't initiate a session until the