Skip to main content

Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Jump to: navigation, search

Jetty/Reference/DoSFilter

< Jetty‎ | Reference
Revision as of 17:38, 1 September 2010 by Unnamed Poltroon (Talk) (New page: {{Jetty Reference | introduction = The Denial of Service (DoS) filter limits exposure to request flooding, whether malicious, or as a result of a misconfigured client. The filter keeps tra...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)



Introduction

The Denial of Service (DoS) filter limits exposure to request flooding, whether malicious, or as a result of a misconfigured client. The filter keeps track of the number of requests from a connection per second. If the requests exceed the limit, Jetty rejects, delays, or throttles the request, and sends a warning message. This works on the assumption that the attacker might be written in simple blocking style, so by suspending requests you are hopefully consuming the attacker's resources. The DoS filter is related to the QoS filter, using Jetty/Feature/Continuations#Introduction/Continuations to prioritize requests and avoid thread starvation.

(required) Jetty places throttled requests in a priority queue, giving priority first to authenticated users and users with an HttpSession, then to connections identified by their IP addresses. Connections with no way to identify them have lowest priority. To uniquely identify authenticated users, you should implement the The extractUserId(ServletRequest request) function.

The following init parameters control the behavior of the filter:

maxRequestsPerSec the maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. delayMs is the delay given to all requests over the rate limit, before they are considered at all. -1 means just reject request, 0 means no delay, otherwise it is the delay. maxWaitMs how long to blocking wait for the throttle semaphore. throttledRequests is the number of requests over the rate limit able to be considered at once. throttleMs how long to async wait for semaphore. maxRequestMs how long to allow this request to run. maxIdleTrackerMs how long to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it insertHeaders if true , insert the DoSFilter headers into the response. Defaults to true. trackSessions if true, usage rate is tracked by session if a session exists. Defaults to true. remotePort if true and session tracking is not used, then rate is tracked by IP+port (effectively connection). Defaults to false. ipWhitelist a comma-separated list of IP addresses that will not be rate limited managedAttr if set to true, then this servlet is set as a ServletContext attribute with the filter name as the attribute name. This allows context external mechanism (eg JMX via ContextHandler.MANAGED_ATTRIBUTES) to manage the configuration of the filter.

Retrieved from "https://wiki.eclipse.org/index.php?title=Jetty/Reference/DoSFilter&oldid=217901"

Back to the top