Any real deployment should have dedicated firewall software / hardware.
2009/1/27 Jeanfrancois Arcand <Jeanfrancois.Arcand_at_sun.com>
> Hi,
>
> rama wrote:
>
>> Dear friends,
>>
>> A question is coming to my mind regarding flood protection of webserver.
>>
>> Are there some "facilities" included in Grizzly (apart from tuning the
>> keepalive) that will help to protect against floods?
>>
>
> Yes (at least for HTTP), you can configure how large you want the request
> queue to be. By default, we set it to 4096. What it means is if you have
> set Grizzly to use 5 WorkerThreads, as soon as those worker threads are busy
> the request will be queued, and that queue can grow until 4096. Of course
> as soon as a WorkerThread is ready one request is dequeued and executed. If
> there are more than 4096, we just close the connection and avoid wasting any
> resources.
>
> You can also improve the time spent when reading the HTTP headers. If the
> client takes too much time (because it tries to do a DoS) sending the bytes,
> you can configure that value as well. Right now it is 30 seconds, but you
> may want to reduce that value to 10 or 15 seconds. Same for the write
> operations: if the remote client reads too slowly, you can also ask Grizzly
> to time out/reject those slow clients.
>
>
>
>> On lighttpd, there is a mod called mod_evasive, that will allow only N
>> connections per IP; the other C-N connections are delayed a bit, to
>> slow down connections that are coming from the same IP all at the same time.
>>
>> I don't know if this mod is of any use, probably not, but anyway the
>> question is....
>>
>
> That's interesting. We can probably support something similar.
>
>
>> "What kind of DoS & flooding protection is implemented in Grizzly? How can
>> I use it or tune it?"
>>
>
> Does the above help? It is very minimal protection, but I would think it
> can be quite useful...
>
> A+
>
> -- Jeanfrancois
>
>
>
>
>>
>> best regards
>>
>> Rama
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe_at_grizzly.dev.java.net
>> For additional commands, e-mail: dev-help_at_grizzly.dev.java.net
>>
>>
--
regards
gustav trede
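
The two controls described in the quoted reply (a bounded request queue in front of a fixed set of workers, and a time limit on receiving the HTTP headers), as an added example that is not Grizzly's code or API and not part of the original thread. It uses only `java.util.concurrent` and `java.net`; the class name, port 8080, the 8192-byte header cap and the 15-second limit are assumptions. A per-read socket timeout alone does not bound the total header time, so the sketch enforces one overall deadline.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.*;

public class BoundedAcceptor {                      // hypothetical name
    static final int WORKERS = 5;                   // worker threads, as in the reply
    static final int QUEUE_LIMIT = 4096;            // queue bound, as in the reply
    static final int HEADER_TIMEOUT_MS = 15_000;    // assumed: reduced from 30 s
    static final int MAX_HEADER_BYTES = 8192;       // assumed cap, not from the thread

    public static void main(String[] args) throws IOException {
        // Fixed pool + bounded queue: work waits only while the queue has room.
        ThreadPoolExecutor pool = new ThreadPoolExecutor(
                WORKERS, WORKERS, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(QUEUE_LIMIT),
                new ThreadPoolExecutor.AbortPolicy());
        try (ServerSocket server = new ServerSocket(8080)) {   // assumed port
            while (true) {
                Socket client = server.accept();
                try {
                    pool.execute(() -> handle(client));
                } catch (RejectedExecutionException queueFull) {
                    // Queue is full: close at once instead of holding resources.
                    try { client.close(); } catch (IOException ignored) { }
                }
            }
        }
    }

    static void handle(Socket client) {
        try (Socket s = client) {
            long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(HEADER_TIMEOUT_MS);
            InputStream in = s.getInputStream();
            int matched = 0, total = 0;             // matched = bytes of "\r\n\r\n" seen so far
            while (matched < 4) {
                long leftMs = TimeUnit.NANOSECONDS.toMillis(deadline - System.nanoTime());
                if (leftMs <= 0 || total >= MAX_HEADER_BYTES) return;  // too slow or too large
                s.setSoTimeout((int) leftMs);       // never 0, which would mean "no timeout"
                int b = in.read();
                if (b < 0) return;                  // peer closed before finishing the headers
                total++;
                matched = (b == "\r\n\r\n".charAt(matched)) ? matched + 1 : (b == '\r' ? 1 : 0);
            }
            s.getOutputStream().write("HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n"
                    .getBytes(StandardCharsets.US_ASCII));
        } catch (IOException e) {
            // Includes SocketTimeoutException: the connection is closed by try-with-resources.
        }
    }
}
```

Because this sketch uses blocking reads, a slow client occupies one of the five workers until the deadline expires, which is why the header time limit matters as much as the queue bound.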