Set up a reverse-proxy server in front of Tomcat, such as Nginx, Lighttpd, or even Apache. If Tomcat is directly exposed to the Internet (without being teamed up with Apache), then your solution should be one of the following: Tomcat typically doesn't run as a webserver, it runs as an application server.
Below, "Apache" refers to the Apache HTTP Server, and not Tomcat. However, the traditional Apache webserver (officially called "The Apache HTTP Server Project") is frequently referred to simply as Apache. Note that Tomcat is part of the Apache Foundation, so technically it's called Apache Tomcat. Then use an Apache solution such as mod_reqtimeout or mod_antiloris. Unfortunately, the best option is to place the Tomcat service downstream from a web server that can better handle HTTP connections, such as Apache. mega-proxy), so the number of connections would need to be tuned reasonably - dependant on the traffic expected. This would, however, have side-effects if many users were legitimately connecting from a single IP (e.g. # iptables -A INPUT -p tcp -syn -dport 80 -m connlimit -connlimit-above 50 -j REJECT Of concurrent connections that can be established to port 80 from a single Here is an example of an iptables command which can be used to limit the number This will mitigate run-of-the-mill Denial of Service attacks but not distributed ones (DDoS). Use firewall rules to prevent too many connections from a single host. The Tomcat developers do not consider this to be a vulnerability, and have no plans to fix. More appropriate references there than the one you were given.
A CVE has been assigned specifically for this issue as it applies to Apache Tomcat: CVE-2012-5568.
0 kommentar(er)
