4

I had asked this question on ITSecurity, but I felt this question is better placed here.

On a recent assessment, I found that sending large (>5 MB) requests to a Tomcat server causes 100% CPU usage on the server. The simplest fix that came to mind was to use the maxPostSize on the connector. However, this did not help since the request I need to send is not "form-url-encoded". I read around to find that the maxPostSize is only applicable to that header.

So, what is the alternate way to stop such large packets right at the server before passing them on to the application?

In other words: how do I prevent a DoS on a Tomcat server by an attacker who sends multiple large data requests?

sudhacker
  • 143
  • 6

2 Answers

0

Which Tomcat version are you using, and is the request data in the request parameter?

If it is not one of the last (>6.0.35 or >7.0.23), then it can be because of a hash collision vulnerability from the JVM (see CVE-2012-0022).

It is corrected from 6.0.34 and 7.0.23 by adding a maxParameterCount to the connector (defaults to 10000).

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
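As an added illustration of the connector attributes this answer refers to (example config, not from the thread or from the Tomcat project), here is a Tomcat 7 `server.xml` HTTP connector before and after the limits are set explicitly. The port and the limit values are assumptions; the attribute names are the documented ones from the linked page.

```xml
<!-- Added example, not from the thread: Tomcat 7 server.xml connector
     with request limits. Port and limit values are assumptions. -->

<!-- Before: a connector relying on defaults only. maxParameterCount defaults
     to 10000 and maxPostSize to 2097152 bytes, but neither stops a large body
     whose Content-Type is not application/x-www-form-urlencoded, because
     maxPostSize only bounds the body Tomcat parses for form parameters. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- After: limits tightened for an application that only expects small form
     posts. maxParameterCount caps the number of parameters Tomcat will parse
     (the hash-collision issue cited in the answer, CVE-2012-0022), maxPostSize
     caps the form body it will parse, maxHttpHeaderSize caps the request line
     plus headers. Large bodies of other content types still reach the
     application, which is why a limit in front of Tomcat is also needed. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxParameterCount="1000"
           maxPostSize="524288"
           maxHttpHeaderSize="8192"
           redirectPort="8443" />
```

After changing the connector, confirm the effect by reading Tomcat's startup log for the connector line and by checking that an oversized form post is now rejected while a normal one still succeeds; the non-form case is unchanged by these attributes.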

0

If CédricC's answer won't help, use httpd with mod_security as a frontend; there you can specify limits for anything...

GioMac
  • 4,444
  • 3
  • 24
  • 41
  • Yes, this is the solution I had in mind too. Hopefully, it should not increase the overhead too much. But since Tomcat uses SSL, I need to configure httpd to use SSL and have a plain connection between Tomcat and Apache. – sudhacker Aug 06 '12 at 13:39
  • I'm using it with old mod_jk - no problems – GioMac Aug 06 '12 at 20:44
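As an added example of the setup discussed in this answer and its comments (not the thread's own config, nor a project's reference config), here is an httpd virtual host that terminates TLS, caps request bodies with mod_security before anything is forwarded, and proxies plain HTTP to Tomcat on localhost. The hostname, certificate paths, ports and limit values are assumptions, and it uses mod_proxy_http rather than the mod_jk connector GioMac mentions; the directive names are real httpd and ModSecurity 2.x directives.

```apacheconf
# Added example, not from the thread: httpd in front of Tomcat.
# Hostname, certificate paths, ports and limit values are assumptions.
# httpd does not allow trailing comments, so every comment is on its own line.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule security2_module  modules/mod_security2.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName app.example.com

    # TLS is terminated here; Tomcat only sees plain HTTP from 127.0.0.1.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/app.example.com.key

    # Core httpd cap on the request body, in bytes, for any content type.
    # httpd answers 413 without reading the rest of the body.
    LimitRequestBody 2097152

    # mod_security limits, applied before the request is proxied.
    SecRuleEngine On
    SecRequestBodyAccess On
    # Hard cap on the whole request body, in bytes.
    SecRequestBodyLimit 2097152
    # Cap for bodies that are not file uploads (e.g. JSON or XML posts).
    SecRequestBodyNoFilesLimit 131072
    # Reject over-limit requests instead of processing a partial body.
    SecRequestBodyLimitAction Reject
    # Keep buffering in memory small; larger bodies spill to disk.
    SecRequestBodyInMemoryLimit 131072

    # Plain HTTP to the Tomcat connector; nothing above the limits gets here.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

On the Tomcat side, the plain connector on 8080 should only be reachable from the proxy host, and it can carry `scheme="https" secure="true" proxyPort="443"` so the application still builds correct https URLs and sees the request as secure. The two limits overlap on purpose: `LimitRequestBody` is cheap and cuts the connection early, while the mod_security directives let you set different ceilings per location and log the rejections for detection.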