
Is it possible to secure a Servlet application from a Denial of Service attack?

 
Rogerio Kioshi
Ranch Hand
Posts: 690
 
Sunny Wear
author
Greenhorn
Posts: 17
Hello Rogerio,
Thank you for your question. I think a proper answer would require more detail about the architecture of your application.
 
paul nisset
Ranch Hand
Posts: 236
Hi,
This might be naive, but a generic approach might be to configure the app to use a front-end servlet as a single point of entry to the application and control access that way.
If the application is under what you define as a heavy load, grab the ServletRequest getRemoteAddr() method and block that address with a servlet filter.

In the case where the attack comes from zombie machines with different senders, the idea is the same. You develop a strategy to filter the requests.

http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Servlets8.html

-Paul
 
Yvette Schat
Ranch Hand
Posts: 83
Hi Paul,

...but what would be the best thing just before
...i.e. how can the servlet discover it's under
heavy load?

Thank you,

Yvette
 
Jarek Wa
Greenhorn
Posts: 6
Hi Rogerio,
Your application server might be helpful in this case. For example, Weblogic Server can be explicitly configured to secure against these types of attacks.
Please check the docs of the application server that you use.
 
paul nisset
Ranch Hand
Posts: 236
Hi Yvette,


It depends on your server setup. As Jarek pointed out, if you can filter it at the web server/app server level before it gets to the app, that is a better solution.

If you decided to do it in the app, as the original post asked, you could put in a timer in the servlet filter that runs in a separate thread and counts the number of times the servlet gets called over a fixed time period like every minute or so. Then reset the counter when the time period expires.

-Paul

 