Tomcat denial of service

Tags: denial-of-service, tomcat, vulnerability

The last two days our Tomcat 5.5 Linux-based webserver has been broken down within minutes by starting thousands of downloads and stopping them. Some request paths in the access log end with a "?jfkdsjkfsdk"-like part. Is there a known vulnerability of Tomcat systems for such attacks?

Update:
We are currently running pure Tomcat, no Apache.

Best Answer

Connecting thousands of times is a known "vulnerability" of any server with a maxconnections setting (or which uses a lot of resources per connection). As a DDOS, most likely they're not "stopping" the download, they're just cutting the connection without so much as a RST packet so the connection hangs around until it times out or using something like trickle to only acknowledge a few bytes at a time to keep the connection from timing out.

Anything you do to mitigate this will depend on your entire setup. Assuming you are currently using apache+mod_jk+tomcat, then in addition to Bart's fail2ban, I would look into mod_security to detect the possibly malicious requests and refuse them. Another idea is if you really are using tomcat to send static data, moving the static data to be served directly from apache (or a lightweight server like lighttpd or nginx) using a static.example.com domain. Or, if you need to have your code decide which file to send, consider using mod_xsendfile in apache to serve static files "pointed to" by your app, which would let tomcat finish the request and move on while apache handled the file (rather than keeping both apache and tomcat busy sending the file).
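As an added illustration of the detection side (this is example code, not from the question or the answer), the script below parses Tomcat access-log lines in the default "common" pattern and counts, per client IP, requests whose query string is a single junk token like the "?jfkdsjkfsdk" seen in the question; the IPs it returns are the ones you would feed to fail2ban or a firewall rule. The log lines, the 8-letter junk heuristic and the threshold are constructed assumptions for the example.

```python
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]+)?" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Heuristic (assumption): a query string that is one run of letters with no
# key=value pairs, e.g. "?jfkdsjkfsdk", is a cache-busting junk token.
JUNK_QUERY_RE = re.compile(r'^[A-Za-z]{8,}$')

# Constructed sample log; not taken from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2010:13:55:36 +0000] "GET /files/big.iso?jfkdsjkfsdk HTTP/1.1" 200 65536
192.0.2.10 - - [10/Oct/2010:13:55:36 +0000] "GET /files/big.iso?qwoeiruqwoe HTTP/1.1" 200 32768
192.0.2.10 - - [10/Oct/2010:13:55:37 +0000] "GET /files/big.iso?zxmcnvzxmcn HTTP/1.1" 200 16384
198.51.100.7 - - [10/Oct/2010:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1204
198.51.100.7 - - [10/Oct/2010:13:55:38 +0000] "GET /app?page=2 HTTP/1.1" 200 3310
"""


def parse_line(line):
    """Return the access-log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def junk_query(path):
    """True when the request path carries a junk query string per the heuristic above."""
    if '?' not in path:
        return False
    query = path.split('?', 1)[1]
    return JUNK_QUERY_RE.match(query) is not None


def suspicious_clients(log_text, threshold=3):
    """Count junk-query requests per client IP and return those at or above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and junk_query(rec['path']):
            hits[rec['ip']] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == '__main__':
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} junk-query requests")
```

In production you would run this over a sliding time window rather than the whole file, so a legitimate client that happens to match the heuristic once is not banned.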
