How to leave client waiting for Java JAX-RS service to prevent DOS -


i'm having issue web service users trying guess application ids looping on random ids.

the bad requests coming random ips, cannot ban ip (unless dynamically, i'm not looking yet).

currently when detect client has made 10 bad app id attempts put them on block list in app, , reject further requests ip day.

i want minimize amount of work server needs do, bad client continue send 1000s of requests though rejected. know there dynamic firewall solutions, want easy implement in app now. sleeping 5 seconds reduce calls, want not send response client, has timeout.

anyone know how in java, in jax-rs?

my service like,

@path("/api") public class myserver {  @get @consumes(mediatype.application_xml) @produces(mediatype.application_xml) @path("/my-request") public string myrequest(string type,     @context httpservletrequest requestcontext,     @context httpservletresponse response) { ... }

see: how stop hack/dos attack on web api

you looking asynchronous responses supported jax-rs. tutorial jersey contains examples on how implement asynchronous response request.

with asynchronous responses, thread resposible answering request freed handling request before request completed. feature activated adding parameter @suspended annotation. need additionally, register dedicated scheduler responsible waking requests after given time-out in example:

@path("/api") public class myserver {    private scheduledexecutorservice scheduler = ...;    @get   @consumes(mediatype.application_xml)   @produces(mediatype.application_xml)   @path("/my-request")   public string myrequest(string type,                           @context httpservletrequest requestcontext,                           @context httpservletresponse response,                           @suspended asyncresponse asyncresponse) {     scheduler.schedule(new runnable() {       @override       public void run() {         asyncresponse.resume(...)       }     }, 5, timeunit.second);   } }

this way, no thread blocked waiting time of 5 seconds gives opportunity handling other requests in mean time.

jax-rs not offer way of discaring request without answer. need keep connection open prodcue time out, if terminate connection, user notfied of termination. best never answer asynchronous request still consume ressources. if wanted avoid this, have solve problem outside of jax-rs, example proxying request server.

one way set mod_proxy answer proxy error code mallicious requests , set large retry limit such requests.


Comments

Post a Comment

Popular posts from this blog

1111. appearing after print sequence - php -

morning, i have code takes string of shoe sizes, explodes , puts in table. code works , info displayed correctly on page after table there few 1's after table. i'm confused this. so table looks (in columns of 3 on webpage) available in following sizes: 3 4 5 6 9 10 111 here's codes, purpose of example $x = 3|4|6|10|9 function get_sizes_pipe($x) { $counter = 0; $splits = explode("|",$x); asort($splits); $x = print "<table class='greentable'>"; $x .= print "<thead><tr><th scope='col' colspan='3' abbr='starter'>available in following sizes:</th></tr></thead><tbody><tr>"; foreach ($splits $split) { $entry = print "<td>".$split."</td>"; if($counter == 2){ $entry .= print "</tr><tr>"; $counter =0; } else { $counter++; ...
Read more

java - WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/board/] in DispatcherServlet with name 'appServlet' -

this question has answer here: why spring mvc respond 404 , report “no mapping found http request uri […] in dispatcherservlet”? 3 answers i trying making simple bbs i'm encountering following error, warn : org.springframework.web.servlet.pagenotfound - no mapping found http request uri [/board/] in dispatcherservlet name 'appservlet' i have tried solve error many times, have failed. how can solve error? here web.xml, controllerand , servlet-context. my web.xml <?xml version="1.0" encoding="utf-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <filter> <filter-nam...
Read more

Ruby on Rails, ActiveRecord, Postgres, UTF-8 and ASCII-8BIT encodings -

weirdest error, who’s challenge try , me? spent hours yesterday on , it’s magic. can't believe happening , it's driving me crazy. btw, using: rails 4.2.3 ruby 2.2.3 pg 0.18 encoding.default_internal = encoding.default_external = utf-8 config.encoding = 'utf-8' it has postgres, activerecord , encodings! turns out we’ve been getting these errors whenever create new users on database special characters: encoding::undefinedconversionerror: "\xc3" ascii-8bit utf-8 \xc3 may vary depending on characters. weird part we’ve set since beginning utf-8. makes no sense , digged it, , used script: user.all.each |user| user.attributes.each |name, value| if value.is_a? string puts user.email + name.encoding.to_s + value.encoding.to_s end end end and output of 1 of users, users same: dr_lottahelp@blahblah.comutf-8utf-8 dr_lottahelp@blahblah.comutf-8ascii-8bit dr_lottahelp@blahblah.comutf-8ascii-8bit dr_lottahelp@blahblah.comutf-8asci...
Read more