Is it possible securing a Servlet application from a Denial of Service attack?

Rogerio Kioshi
Ranch Hand

Joined: Apr 12, 2005
Posts: 689


SCEA 5 (part 1), SCBCD, SCWCD, SCJP, CLP, CLS
Sunny Wear
author
Greenhorn

Joined: Jul 25, 2005
Posts: 17
Hello Rogerio,
Thank you for your question. I think a proper answer would require more detail about the architecture of your application.


"So this is how liberty dies - to thunderous applause" -- Padme (Star Wars - Episode III)
paul nisset
Ranch Hand

Joined: May 13, 2009
Posts: 165
Hi,
This might be naive, but a generic approach might be to configure the app to use a front end servlet as a single point of entry to the application and control access that way.
If the application is under what you define as a heavy load, grab the ServletRequest getRemoteAddr() method and block that address with a servlet filter.

In the case where the attack comes from zombie machines with different senders, the idea is the same. You develop a strategy to filter the requests.

http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Servlets8.html

-Paul
Yvette Schat
Ranch Hand

Joined: Dec 05, 2011
Posts: 64
Hi Paul,

...but what would be the best thing just before
...i.e. how can the servlet discover it's under
heavy load?

Thank you,

Yvette
Jarek Wa
Greenhorn

Joined: Jan 12, 2012
Posts: 6
Hi Rogerio,
Your application server might be helpful in this case. For example, WebLogic Server can be explicitly configured to secure against these types of attacks.
Please check the docs of the application server that you use.
paul nisset
Ranch Hand

Joined: May 13, 2009
Posts: 165
Hi Yvette,


It depends on your server setup. As Jarek pointed out, if you can filter it at the web server/app server level before it gets to the app, that is a better solution.

If you decided to do it in the app, as the original post asked, you could put in a timer in the servlet filter that runs in a separate thread and counts the number of times the servlet gets called over a fixed time period like every minute or so. Then reset the counter when the time period expires.

-Paul
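
The fixed-window counter described in the post above, combined with the earlier suggestion to block on getRemoteAddr(), could look like the following servlet filter. This is an added example, not code from any poster in the thread; the class name, the limit of 300 requests per 60 seconds and the 429 response are assumptions, and it is written against the javax.servlet API.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Fixed-window request counter per remote address (hypothetical name and limits). */
public class RequestRateFilter implements Filter {
    private static final int MAX_PER_WINDOW = 300;   // assumed threshold per address
    private static final long WINDOW_SECONDS = 60;   // "every minute or so"

    private final ConcurrentHashMap<String, AtomicInteger> counts = new ConcurrentHashMap<>();
    private ScheduledExecutorService resetTimer;

    @Override
    public void init(FilterConfig config) {
        // Separate timer thread: clearing the map starts a new window and bounds its memory.
        resetTimer = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "rate-window-reset");
            t.setDaemon(true);
            return t;
        });
        resetTimer.scheduleAtFixedRate(counts::clear, WINDOW_SECONDS, WINDOW_SECONDS, TimeUnit.SECONDS);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Behind a reverse proxy getRemoteAddr() is the proxy's address, not the client's.
        String addr = req.getRemoteAddr();
        int seen = counts.computeIfAbsent(addr, k -> new AtomicInteger()).incrementAndGet();
        if (seen > MAX_PER_WINDOW) {
            HttpServletResponse http = (HttpServletResponse) res;
            http.setHeader("Retry-After", String.valueOf(WINDOW_SECONDS));
            http.sendError(429, "Too many requests");  // reject before any servlet work is done
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        resetTimer.shutdownNow();  // stop the timer thread on undeploy
    }
}
```

The filter still has to be mapped to the application's URLs (web.xml or @WebFilter) ahead of the other filters. A per-address count does little against many distinct senders, and every rejected request has already consumed a container thread, which is why limiting at the web server or app server level remains the stronger control.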

 
 