Rectification Suggestions
1. Terminate requests that use an HTTP method the URL does not support
2. Limit HTTP headers and packet length to a reasonable value
3. Set an absolute session timeout time
4. If the server supports a connection backlog, set it to a reasonable size
5. Set a minimum inbound data rate
Penetration Status:
Security Scan + Manual test.
Vulnerability principle:
The scan found that the web server or application server is vulnerable to a slow HTTP denial-of-service attack.
Vulnerability Hazard:
A malicious attacker sends HTTP requests at a very low rate so that the server keeps each connection open for a long time; enough such connections exhaust all of the server's available connections, resulting in a denial of service.
-----------------------------------------------------------------------
Attempted fixes:
1. Just in case: for a plain Tomcat, the corresponding fix is to add
org.apache.tomcat.util.http.Parameters.MAX_COUNT=10000
to catalina.properties.
2. maxHttpHeaderSize="8192" limits the HTTP header and packet length. It sits on the Connector element together with the following attributes (the values for maxThreads and minSpareThreads are not preserved here, shown as "..."):
maxHttpHeaderSize="8192" maxThreads="..." minSpareThreads="..." maxSpareThreads="75"
enableLookups="false" redirectPort="8443" disableUploadTimeout="true"/>
3. [Server-room recommendation] Make the following change in the Tomcat configuration file ${tomcat-home}/conf/server.xml (use the port that applies to you, then restart the service): replace the default BIO (blocking I/O) Connector implementation with the NIO (non-blocking I/O) implementation to increase the number of concurrent connections, as follows:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"/>
To
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="8000"
redirectPort="8443"/>
Change the connectionTimeout value to around 8000 (8 seconds). Note that Tomcat attribute names are case-sensitive (Connector, connectionTimeout, redirectPort).
4. Stack Overflow recommends placing Apache httpd in front of Tomcat (Apache + Tomcat) and letting Apache block the slow requests.
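As an added example that is not part of the original note, a small Python audit of the Connector settings from items 2 and 3 above; the two server.xml fragments are constructed (one with the weak default, one hardened) and the thresholds (8000 ms, 8192 bytes) are assumptions taken from the values in the text.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml documents (not from the page): the weak
# default Connector and the hardened one recommended above.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="8000" maxHttpHeaderSize="8192"
               redirectPort="8443"/>
  </Service>
</Server>"""

# Assumed thresholds, taken from the values recommended in the note above.
MAX_CONNECTION_TIMEOUT_MS = 8000
MAX_HEADER_SIZE = 8192
# On the Tomcat versions the note describes, protocol="HTTP/1.1" selects the
# blocking (BIO) implementation; Http11Protocol is its explicit name.
BLOCKING_PROTOCOLS = {"HTTP/1.1", "org.apache.coyote.http11.Http11Protocol"}


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every Connector element in server.xml."""
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        findings = []
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if protocol in BLOCKING_PROTOCOLS:
            findings.append("blocking (BIO) connector; use Http11NioProtocol")
        # connectionTimeout unset means Tomcat's documented default of 60000 ms.
        timeout = int(conn.get("connectionTimeout", "60000"))
        if timeout > MAX_CONNECTION_TIMEOUT_MS:
            findings.append(f"connectionTimeout {timeout} ms exceeds {MAX_CONNECTION_TIMEOUT_MS}")
        # maxHttpHeaderSize unset means Tomcat's documented default of 8192 bytes.
        header = int(conn.get("maxHttpHeaderSize", "8192"))
        if header > MAX_HEADER_SIZE:
            findings.append(f"maxHttpHeaderSize {header} exceeds {MAX_HEADER_SIZE}")
        report[port] = findings
    return report
```

Run `audit_connectors(open("conf/server.xml").read())` against a real configuration; an empty list for a port means that Connector already matches the recommendations.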