整改建議
1.中斷使用URL不支援HTTP方法訪問的會話
2.限制HTTP頭及包長至一個合理數值
3.設定一個絕對的會話逾時時間
4.伺服器支援backlog的情況下,需設定一個合理的大小
5.設定一個最小的入站資料轉送速率
滲透狀況:
安全掃描+手工測試。
漏洞原理:
掃描發現Web
伺服器或應用程式伺服器存在Slow HTTP Denial of Service Attack漏洞。
漏洞危害:
當惡意攻擊者以很低的速率發起HTTP請求,使得服務端長期保持串連,這樣使得服務端容易造成佔用所有可用串連,導致拒絕服務
-----------------------------------------------------------------------
嘗試解決:
1.Just in case : for a plain Tomcat the corresponding solution is to add :
org.apache.tomcat.util.http.Parameters.MAX_COUNT=10000
in catalina.properties
2. maxHttpHeaderSize="8192" 設定限制HTTP頭及包長
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" disableUploadTimeout="true" />
3 [機房建議] tomcat設定檔server.xml 中參考以下設定(注意相應的連接埠,需重啟服務): ${tomcat-home}/conf/server.xml 中更改Connector的實現,使用nio(非阻塞io)實現替換預設的bio(阻塞io)實現,可以提高並發串連的數量,參考下面的:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
改為
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="8000"
redirectPort="8443" />
把connectionTimeout配置項值改成8000左右(即8秒) 4 stackflow建議 使用apahce + tomcat 利用Apache進行阻擋.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
