dev@grizzly.java.net

Re: grizzly & flooding + dos protection

From: Jeanfrancois Arcand <Jeanfrancois.Arcand_at_Sun.COM>
Date: Mon, 26 Jan 2009 20:05:35 -0500

Hi,

rama wrote:
> Dear friends,
>
> A question comes to my mind regarding flood protection of a webserver.
>
> Are there some "facilities" included in grizzly (apart from tuning the
> keepalive) that will help to protect against floods?

Yes (at least for http), you can configure how large the request queue
can be. By default, we set it to 4096. What it means is if
you have set Grizzly to use 5 WorkerThreads, as soon as those worker
threads are busy the requests will be queued, and that queue can grow
until 4096. Of course as soon as a WorkerThread is ready one request is
dequeued and executed. If there are more than 4096, we just close the
connection and avoid wasting any resources.

You can also improve the time spent when reading the http headers. If
the client takes too much time (because it tries to do a DoS) sending the
bytes, you can configure that value as well. Right now it is 30 seconds,
but you may want to reduce that value to 10 or 15 seconds. Same for the
write operations: if the remote client reads too slowly, you can also ask
Grizzly to time out/reject those slow clients.


>
> On lighttpd, there is a mod called mod_evasive, that will allow only N
> connections per IP; the other C-N connections are delayed a bit, this to
> slow down connections that are coming from the same ip all at the same time.
>
> I don't know if this mod is of any use, probably not, but anyway the
> question is....

That's interesting. We can probably support something similar.

>
> "What kind of dos & flooding protection is implemented in grizzly? How
> can I use it or tune it?"

Does the above help? It is very minimal protection, but I would think it
can be quite useful...

See you,

-- Jeanfrancois



>
>
> best regards
>
> Rama
>
>
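
The two controls described in the reply above (a bounded request queue that closes connections on overflow, and a time limit on reading the HTTP headers), as an added example written against the plain JDK; it is not Grizzly's code or API. The class name, port 8080 and the 8192-byte header cap are assumptions, and the header limit is applied here as one total deadline rather than per read.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.*;

// Added illustration using only the JDK; none of this is Grizzly's API.
public class BoundedAcceptor {
    static final int WORKERS = 5;                  // worker threads (figure from the reply)
    static final int MAX_QUEUE = 4096;             // queue limit (figure from the reply)
    static final long HEADER_DEADLINE_MS = 15_000; // reduced from 30 s, as the reply suggests
    static final int MAX_HEADER_BYTES = 8192;      // assumption, not from the thread
    public static void main(String[] args) throws IOException {
        ThreadPoolExecutor pool = new ThreadPoolExecutor(
            WORKERS, WORKERS, 0L, TimeUnit.MILLISECONDS,
            new ArrayBlockingQueue<>(MAX_QUEUE),
            // Queue full: close the connection rather than hold resources for it.
            (task, executor) -> ((Connection) task).close());
        try (ServerSocket server = new ServerSocket(8080)) { // port is an assumption
            while (true) pool.execute(new Connection(server.accept()));
        }
    }
    static final class Connection implements Runnable {
        private final Socket socket;
        Connection(Socket socket) { this.socket = socket; }
        void close() { try { socket.close(); } catch (IOException ignored) { } }
        @Override public void run() {
            try {
                awaitHeaders();
                socket.getOutputStream().write("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
                    .getBytes(StandardCharsets.US_ASCII));
            } catch (IOException e) { /* deadline, size limit or I/O error: drop it */
            } finally { close(); }
        }
        // One deadline for the whole header block. A plain per-read timeout restarts
        // on every byte, so a client trickling data could hold a worker indefinitely.
        private void awaitHeaders() throws IOException {
            long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(HEADER_DEADLINE_MS);
            InputStream in = new BufferedInputStream(socket.getInputStream());
            StringBuilder sb = new StringBuilder();
            while (sb.indexOf("\r\n\r\n") < 0) {
                long left = TimeUnit.NANOSECONDS.toMillis(deadline - System.nanoTime());
                if (left <= 0 || sb.length() >= MAX_HEADER_BYTES)
                    throw new IOException("header deadline or size limit exceeded");
                socket.setSoTimeout((int) left); // remaining budget, never 0 (0 = no timeout)
                int b = in.read();
                if (b < 0) throw new EOFException();
                sb.append((char) b);
            }
        }
    }
}
```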