On 3/14/2015 12:32 PM, Petr Nemecek wrote:
> Hello,
>
> our webapp, which is deployed in Tomcat 8.0.18, tested positive
> as vulnerable to the slow HTTP denial of service: "By using a
> single computer, it is possible to establish thousands of
> simultaneous connections and keep them open for a long time. During
> the attack, the server was rendered unavailable."
>
> Any idea what to do with this?
>
> Many thanks, Petr Nemecek
Google the following: tomcat 7 slow loris mitigation

There are several discussions on how to mitigate this.

Bugzilla entry for Tomcat 6.0.36:
https://bz.apache.org/bugzilla/show_bug.cgi?id=54263

Redhat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6750

It looks like a suitably configured firewall or mod_reqtimeout
http://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
are the available solutions.

. . . just my two cents

/mde/
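The mod_reqtimeout option mentioned above, as an added configuration example that is not part of the thread or of the Tomcat project: it assumes Apache httpd 2.4 running as a reverse proxy in front of Tomcat, and the timeout and rate values are illustrative assumptions to be tuned for real traffic.

```apache
# Added example, not from the mailing-list reply: bound how long a client
# may take to deliver a request, so connections that trickle bytes slowly
# are dropped instead of occupying a worker indefinitely.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<IfModule reqtimeout_module>
    # Request line and headers: 20 s to start with, extended by 1 s for
    # every 500 bytes received, but never beyond 40 s in total.
    # Request body: 20 s to start with, extended at the same minimum rate.
    # (Values are assumptions for illustration; adjust to your clients.)
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

After reloading httpd, confirm the module is active with `apachectl -M | grep reqtimeout`; a request whose headers arrive more slowly than the configured rate is then answered with a 408 and the connection closed.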