Brandon,
On 6/12/13 12:33 PM, Brandon McCombs wrote:
> So it seems that although there is a chance of Tomcat being
> vulnerable [to Slowloris] it isn't a sufficiently large risk to
> warrant being addressed and is in fact categorized as a low risk.

That depends upon your perspective. Unfortunately, Slowloris is a fairly effective weapon under certain conditions. The reason it's difficult to mitigate is that it is not really possible to differentiate a Slowloris attack from a client using a really crappy connection (mobile, etc.) from just a single sample (i.e. one request).

mod_security and a few other httpd modules can do things like detect multiple connections from a single host acting funny and kill them all. Tomcat has no such built-in mitigations.

If you use the NIO connector (or APR?), you can at least limit the DOS to exhausting your file handles, since the headers are read asynchronously and therefore don't tie up threads during that loooong, slow request.

Setting a reasonable connectionTimeout (default: 60s, default-configuration: 20s) can abort a connection somewhat early, but a Slowloris client that sends a request line immediately and then sends one byte per second in a chunked request can tie you up virtually forever. You can also tweak connectionUploadTimeout.

You could write a Valve that queued pending requests including a start-time and periodically sweep that queue for long-running requests, but you would a) find it difficult to identify true attacks versus other factors and b) find it very messy to kill a request's socket while the client is still sending. (Search the archives for posts about aborting client-uploads for further, related reading).

> So that's good enough for me.

It's nice to hear someone come onto the list asking about a CVE and ultimately say "wow, that sucks, but I guess it's okay to leave things alone."
Mostly, people come and demand patches so they can pass a security audit ;)

-chris
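An added server.xml example (not from Chris's message or the Tomcat project) showing the connector settings the reply discusses, with the permissive form beside a tightened one. connectionTimeout and connectionUploadTimeout are named in the thread; protocol, disableUploadTimeout, maxConnections, acceptCount and maxThreads are standard Tomcat 7 HTTP connector attributes assumed here.

```xml
<!-- Added example, not from the original thread or Tomcat's shipped server.xml. -->

<!-- Permissive: protocol="HTTP/1.1" picks the blocking BIO connector unless APR
     is installed, connectionTimeout is the 60s default, and the upload timeout
     is disabled (Tomcat's default), so connectionTimeout also governs body reads.
     Each slow client pins a worker thread for the whole idle window. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="60000"
           maxThreads="200" />

<!-- Tightened: the NIO connector reads headers asynchronously, so a stalled
     client holds a socket (file handle) rather than a worker thread; a shorter
     connectionTimeout drops clients that never complete the request line/headers;
     disableUploadTimeout="false" makes connectionUploadTimeout apply while a body
     is being received; maxConnections caps how many sockets can be held open at
     once (further connects queue in acceptCount), so exhaustion hits a chosen
     ceiling instead of the process's file-handle limit. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="10000"
           disableUploadTimeout="false"
           connectionUploadTimeout="30000"
           maxConnections="8192"
           acceptCount="100"
           maxThreads="200" />
```

As the reply notes, a client that keeps trickling bytes inside a chunked body keeps resetting these timeouts, so the tightened settings bound the resources one slow connection can hold rather than identify the behaviour as an attack.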