Tomcat Range attacks

Ranch Hand
Posts: 820
Thanks, author of Tomcat 7, for appearing on this forum.

I'm trying to figure out if Tomcat is still vulnerable to Slowloris attacks.

And, if Tomcat is (or was) vulnerable to so-called Range attacks (http://serverfault.com/questions/317226/tomcat-denial-of-service), where a connection can be held open longer than expected because the client has specified byte ranges that overlap.
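One defensive check for the overlapping-Range pattern described in the question, as an added example that is not code from this thread or from Tomcat: it parses a Range header value and flags requests whose byte ranges overlap or exceed a per-request limit (MAX_RANGES is an assumed policy value), the kind of filter a front end or servlet filter could apply before the request reaches the static-content handler.

```python
import re

# Assumed policy limit for this example: how many byte ranges one request may carry.
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header, content_length):
    """Parse 'bytes=0-99,200-299' into (first, last) positions resolved against
    content_length. Returns None when the header is not a usable bytes range
    (a server would then ignore it); unsatisfiable single ranges are dropped."""
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            return None
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":
            # suffix range "-N": the last N bytes of the entity
            n = int(last)
            if n == 0:
                return None
            first_pos, last_pos = max(content_length - n, 0), content_length - 1
        else:
            first_pos = int(first)
            last_pos = content_length - 1 if last == "" else min(int(last), content_length - 1)
            if first_pos > last_pos:
                continue  # unsatisfiable on its own, not abusive
        ranges.append((first_pos, last_pos))
    return ranges


def range_request_is_abusive(header, content_length, max_ranges=MAX_RANGES):
    """Return (abusive, reason): too many ranges or overlapping ranges is the pattern behind the Range DoS."""
    ranges = parse_byte_ranges(header, content_length)
    if ranges is None:
        return False, "unparseable Range header; serve the whole entity"
    if len(ranges) > max_ranges:
        return True, "too many ranges: %d" % len(ranges)
    ordered = sorted(ranges)
    for (a_first, a_last), (b_first, b_last) in zip(ordered, ordered[1:]):
        if b_first <= a_last:
            return True, "overlapping ranges %d-%d and %d-%d" % (a_first, a_last, b_first, b_last)
    return False, "ok: %d non-overlapping ranges" % len(ranges)
```

Adjacent ranges such as `0-99,100-199` are accepted; only true overlap and excessive counts are rejected.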
author
Posts: 37
Hi Tim,

Sorry for the delay in replying.
DoS (denial of service) is fixed in Tomcat; can you please elaborate on your question?
Tim McGuire
Ranch Hand
Posts: 820
Thank you for the reply. I think you are asking me to elaborate on slowloris.

Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way web servers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow.

When it first came out (in 2009), I tested Slowloris against Tomcat and found that it indeed tied up Tomcat and made it unresponsive. I became curious about it again these past few weeks and I've been searching for how Tomcat (and Apache HTTPD) have dealt with it. I can't find much written about it recently, so I thought I would ask.

I found these two articles, which explain the problem, but don't seem to offer a foolproof solution:

http://www.cert.org/blogs/certcc/2009/07/slowloris_vs_your_webserver.html

http://www.funtoo.org/wiki/Slowloris_DOS_Mitigation_Guide