6

We are using Tomcat 7 for our web application. We provide an XML based API so that our customers can communicate with our server in a machine-to-machine way (no web browser needed). The requests are processed by a servlet.

We need to prevent users from sending too many requests in a row. Some of the services we provide involve polling for results and users may make requests in a loop without any pauses, making dozens of requests per second for nothing.

How can we protect ourselves from being flooded with useless requests? Is there a simple way to block requests at the servlet entry level when there are too many requests originating from the same IP? Is there something built into Tomcat to deal with this problem?

4 Answers

4

Assuming that you are using an Apache reverse proxy in front of Tomcat (if you aren't, you should be), use mod_cband on the Apache layer.


2

You could code your own.

Starting points for looking at this would be the Servlet API, in particular the Filter interface and the getRemoteHost() method of the ServletRequest interface.

It should be easy enough to write a Filter implementation which stores a count of requests from each host and takes action if a limit is exceeded.

1 Comment

Speaking of, here's something I put together for this very purpose: code.google.com/p/zxing/source/browse/trunk/zxingorg/src/com/… It's quite basic, but may be enough for this purpose.
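
The Filter approach suggested in the answer above, sketched as an added example (not code from the answer, its comment, or the linked project). The limit, window length and map cap are assumed values, and it keys on `getRemoteAddr()` so the key is always the peer's IP address.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Fixed-window per-IP request limiter (added example; all limits are assumed values). */
public class RateLimitFilter implements Filter {
    private static final int MAX_REQUESTS = 20;      // assumed: requests allowed per window
    private static final long WINDOW_MS = 10_000L;   // assumed: window length in milliseconds
    private static final int MAX_TRACKED = 100_000;  // assumed: cap on tracked IPs to bound memory

    private static final class Window {
        long start; int count;
        Window(long now) { start = now; }
        synchronized boolean allow(long now) {
            if (now - start >= WINDOW_MS) { start = now; count = 0; }  // new window, reset counter
            return ++count <= MAX_REQUESTS;
        }
        synchronized boolean expired(long now) { return now - start >= WINDOW_MS; }
    }

    private final ConcurrentMap<String, Window> windows = new ConcurrentHashMap<String, Window>();
    private volatile long lastPurge;

    public void init(FilterConfig cfg) {}
    public void destroy() { windows.clear(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        long now = System.currentTimeMillis();
        // Direct peer address; behind a reverse proxy this is the proxy's IP, not the client's.
        String ip = req.getRemoteAddr();
        // Evict idle entries at most once per window so many distinct IPs cannot exhaust the heap.
        if (windows.size() > MAX_TRACKED && now - lastPurge >= WINDOW_MS) {
            lastPurge = now;
            for (Iterator<Window> it = windows.values().iterator(); it.hasNext();)
                if (it.next().expired(now)) it.remove();
        }
        Window w = windows.get(ip);
        if (w == null) {
            Window fresh = new Window(now);
            w = windows.putIfAbsent(ip, fresh);   // another thread may have won the race
            if (w == null) w = fresh;
        }
        if (w.allow(now)) { chain.doFilter(req, res); return; }
        HttpServletResponse http = (HttpServletResponse) res;
        http.setHeader("Retry-After", String.valueOf(WINDOW_MS / 1000));
        http.sendError(429, "Too many requests");  // Servlet 3.0 has no SC_ constant for 429
    }
}
```

Map the filter to the API servlet's URL pattern in `web.xml`. If Tomcat sits behind a reverse proxy, every request will share the proxy's address unless the real client IP is restored first, for example with Tomcat's `RemoteIpValve`.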
0

Spring Security has a lot of the features of Apache httpd's mod_security if you want a Java-only solution.


0

Apache's mod_evasive or mod_security could cover your need here. You may consider Cloudflare for more complexly serious attacks that will require hardware protection.
