On 24/02/2023 05:57, Manohar Mikkili wrote:
> I am trying to emulate the slowloris DoS attack on Tomcat v9.0.71.
> Despite much deliberation, I failed to achieve this.
> Since this CVE is a pretty old one (circa 2012), my guess is that the same
> has been taken care of in the subsequent Tomcat releases. I could not find
> any documented evidence that Google has presented so far.
> Can someone from this august forum please advise on/validate my presumptions
> about this?
This is CVE-2012-5568 (which should not have been allocated but that is
a different topic).
See:
https://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
https://tomcat.apache.org/security-impact.html
Newer versions of Tomcat will be less susceptible to this attack since
they use non-blocking I/O.
That said, servers are always going to have a connection limit somewhere
and if an attacker can consume most/all of those connections with
traffic that appears to be legitimate you are going to see a DoS.
Mark
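As an added illustration of the two points in the reply above (non-blocking I/O and an explicit connection limit), here is a `conf/server.xml` HTTP connector fragment. This is example configuration written for this note, not something posted in the thread or shipped by Tomcat; the attribute names are the documented Tomcat 9 connector attributes, but the numeric values are assumptions to be tuned per deployment. `connectionTimeout` bounds how long a socket may sit without presenting a request line, `keepAliveTimeout` bounds idle keep-alive sockets, and `maxConnections` is the cap on simultaneous connections the connector will hold before `acceptCount` queued sockets start being refused.

```xml
<!-- Added example (not from the thread): NIO connector with explicit limits.
     Numeric values are illustrative assumptions; size them for your traffic. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           keepAliveTimeout="15000"
           maxConnections="8192"
           maxThreads="200"
           acceptCount="100"
           redirectPort="8443" />
```

With these settings a slow client that never completes its request headers is dropped after `connectionTimeout` milliseconds, and because the NIO connector does not tie a worker thread to each open socket, the limit that an attacker must exhaust is `maxConnections` rather than `maxThreads`. That limit still exists, which is the point of the reply above: the right value, and a reverse proxy or rate limiting in front of Tomcat, is what keeps legitimate-looking slow traffic from consuming it.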