users@glassfish.java.net

Re: glassfish DoS attack test - confirmed

From: Oleksiy Stashok <Oleksiy.Stashok_at_Sun.COM>
Date: Sun, 07 Feb 2010 21:08:36 +0100

Hi,

> Decreasing the keepalive is a good idea, but slowloris does test for
> keepalive timeout, and crafts packets accordingly.
> I tried enabling upload-timeout-enabled from the admin console, but
> it would kick it false as soon as you save it.
It could be some issue with admin GUI. Can you pls. try to change it
in domain.xml directly? By updating the upload timeout I was able to get
GF working fine even with the slowloris script running.

> Also, there was a previous discussion on this list about
>
> <http>
> <io-timeout>15</io-timeout>
> <request-header-timeout>5</request-header-timeout>
> <request-body-timeout>5</request-body-timeout>
> </http>
>
> protecting against these kind of attacks, but that only worked in
> Sun's App Server.
Right, GF doesn't support those elements.

WBR,
Alexey.
>
> Best.
>
> On Sun, Feb 7, 2010 at 6:00 PM, <jcfolsom_at_pureperfect.com> wrote:
>>
>> It seems like there should be something for apache that actually works to
>> shut down denial of service attacks, that way it would work for every
>> application server not just glassfish. If mod_evasive doesn't work, I guess
>> I will have to write something that does.
>>
>>
>> -------- Original Message --------
>> Subject: Re: glassfish DoS attack test - confirmed
>> From: Oleksiy Stashok <Oleksiy.Stashok_at_Sun.COM>
>> Date: Sun, February 07, 2010 6:46 am
>> To: users_at_glassfish.dev.java.net
>>
>> Hi,
>> you can decrease the time GF waits for incoming connection data by setting
>> the upload timeout in domain.xml like [1].
>> For sure after decreasing this value you can forget about "telneting" to GF,
>> but it should help with this kind of DoS attack.
>> WBR,
>> Alexey.
>> [1]
>> <network-config>
>> <protocols>
>> <protocol name="http-listener-1">
>> <http max-connections="0" default-virtual-server="server" server-name=""
>> upload-timeout-enabled="true" connection-upload-timeout-millis="1000">
>> On Feb 7, 2010, at 8:58 , Cam Bazz wrote:
>>
>> mod_jk and mod_evasive are now working perfectly with my glassfish v3.
>> I found out that the new procedure described by jfarcand is much
>> easier than the older mod_jk configs.
>> Unfortunately, even though mod_evasive works (like after clicking
>> refresh repetitively gets you a 403) slowloris.pl still affects gf v3.
>>
>> best.
>>
>> On Sun, Feb 7, 2010 at 3:13 AM, <jcfolsom_at_pureperfect.com> wrote:
>>
>> mod_evasive is the only thing that I know of that is HTTP specific. Really
>> though, ddos is a network issue and not specific to even IP let alone HTTP.
>>
>> I don't know enough about firewalls though to help you out, but please keep
>> us posted on what you find.
>>
>>
>> -------- Original Message --------
>>
>> Subject: Re: glassfish DoS attack test - confirmed
>>
>> From: Cam Bazz <cambazz_at_gmail.com>
>>
>> Date: Sat, February 06, 2010 7:01 pm
>>
>> To: users_at_glassfish.dev.java.net
>>
>> Well, right when I was reading about mod_evasive, on
>> http://bahumbug.wordpress.com/2009/06/21/slowloris/ - someone
>> commented that mod_evasive was not able to defend against slowloris
>>
>> Best.
>>
>> On Sun, Feb 7, 2010 at 1:50 AM, Cam Bazz <cambazz_at_gmail.com> wrote:
>>
>> ah thank you jcfolsom... any documentation about this? best..
>>
>> On Sun, Feb 7, 2010 at 1:42 AM, <jcfolsom_at_pureperfect.com> wrote:
>>
>> It's probably a good idea to run Glassfish behind Apache with
>> mod_evasive
>>
>> instead of on the public web.
>>
>>
>> -------- Original Message --------
>>
>> Subject: glassfish DoS attack test - confirmed
>>
>> From: Cam Bazz <cambazz_at_gmail.com>
>>
>> Date: Sat, February 06, 2010 5:21 pm
>>
>> To: users_at_glassfish.dev.java.net
>>
>> Hello,
>>
>> Investigating why my glassfish v3 pauses, and following a previous
>> thread on this list, I have found that the slowloris.pl perl script
>> does indeed bring glassfish v3 to its knees. It will not leave
>> anything in the access logs, nor the server logs, but it does cause
>> the same effect (glassfish pausing for certain periods of time,
>> usually until these threads time out).
>>
>> I have not verified the attack signature, which means that I don't know
>> if my glassfish is having problems because of an attack, but I have
>> run the exploit script against my own server, and it generates the
>> same effect.
>>
>> I also have made a simple program that just connects to a pingservlet,
>> which just prints a new date, and the total connection time is measured
>> so I could study the problem methodically.
>>
>> Best Regards,
>>
>> -C.B.
>>
>> ---------------------------------------------------------------------
>>
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
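An added example, not from the thread or from GlassFish itself: a small Python check that reads domain.xml and reports, for each HTTP listener, whether the upload timeout from [1] is actually enabled and bounded, so the setting can be verified in the file rather than trusted from the admin console. The sample domain.xml, the listener names and the max_millis policy bound are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the [1] fragment above: one listener with the
# timeout enabled and bounded, one left unconfigured (both names are made up).
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config">
    <network-config>
      <protocols>
        <protocol name="http-listener-1">
          <http max-connections="0" default-virtual-server="server" server-name=""
                upload-timeout-enabled="true" connection-upload-timeout-millis="1000"/>
        </protocol>
        <protocol name="http-listener-2" security-enabled="true">
          <http default-virtual-server="server" server-name=""/>
        </protocol>
      </protocols>
    </network-config>
  </config></configs>
</domain>"""


def audit_upload_timeouts(domain_xml: str, max_millis: int = 5000) -> dict:
    """Return {listener name: (enabled, millis, ok)} for each <protocol>/<http>.

    A listener is 'ok' only when upload-timeout-enabled is literally "true" and
    connection-upload-timeout-millis is present and within max_millis (an assumed
    policy bound). Absent attributes are reported as not configured rather than
    guessed, since the point is to confirm the setting was actually written.
    """
    root = ET.fromstring(domain_xml)
    results = {}
    for proto in root.iter("protocol"):
        http = proto.find("http")
        if http is None:
            continue  # not an HTTP protocol element, nothing to audit
        enabled = http.get("upload-timeout-enabled", "").strip().lower() == "true"
        raw = http.get("connection-upload-timeout-millis")
        millis = int(raw) if raw is not None and raw.isdigit() else None
        ok = enabled and millis is not None and 0 < millis <= max_millis
        results[proto.get("name")] = (enabled, millis, ok)
    return results


if __name__ == "__main__":
    for name, (enabled, millis, ok) in audit_upload_timeouts(SAMPLE_DOMAIN_XML).items():
        print(f"{'OK ' if ok else 'FIX'} {name}: enabled={enabled} timeout_ms={millis}")
```

Point it at a real domain.xml by reading the file into a string; listeners reported as FIX are the ones the thread's mitigation has not been applied to.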