Google Git
Sign in
eclipse / www.eclipse.org / jetty / 91ee8ce97e3d6d253267f310577320c4f876d0ae / . / documentation / 9.0.6.v20130930 / dos-filter.html
blob: 495978ddedc174064d30ff8daaeca3c0e4e313bb [file] [log] [blame]
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Denial of Service Filter</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL-NS Stylesheets V1.76.1"><meta name="keywords" content="jetty, servlet-api, cometd, http, spdy, eclipse, maven, java, software"><link rel="home" href="index.html" title="Jetty : The Definitive Reference"><link rel="up" href="advanced-extras.html" title="Chapter&nbsp;20.&nbsp;Bundled Servlets, Filters, and Handlers"><link rel="prev" href="qos-filter.html" title="Quality of Service Filter"><link rel="next" href="gzip-filter.html" title="Gzip Filter"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><script type="text/javascript" src="js/shCore.js"></script><script type="text/javascript" src="js/shBrushJava.js"></script><script type="text/javascript" src="js/shBrushXml.js"></script><script type="text/javascript" src="js/shBrushBash.js"></script><script type="text/javascript" src="js/shBrushJScript.js"></script><script type="text/javascript" src="js/shBrushSql.js"></script><script type="text/javascript" src="js/shBrushProperties.js"></script><script type="text/javascript" src="js/shBrushPlain.js"></script><link type="text/css" rel="stylesheet" href="css/shCore.css"><link type="text/css" rel="stylesheet" href="css/shThemeEclipse.css"><link type="text/css" rel="stylesheet" href="css/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small">
Version: 9.0.6.v20130930</span></td><td style="width: 50%"><script type="text/javascript"> (function() {
var cx = '016459005284625897022:obd4lsai2ds';
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
'//www.google.com/cse/cse.js?cx=' + cx;
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);
})();
</script><gcse:search></gcse:search></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Denial of Service Filter</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="qos-filter.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><th width="60%" align="center">Chapter&nbsp;20.&nbsp;Bundled Servlets, Filters, and Handlers<br><a accesskey="p" href="index.html"><i class="icon-home"></i> Home</a></th><td width="20%" align="right">&nbsp;<a accesskey="n" href="gzip-filter.html">Next <i class="icon-chevron-right"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/support.jsp">Contact the core Jetty developers at
<span class="website">www.webtide.com</span></a></h5><p>
private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ...
scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="dos-filter"></a>Denial of Service Filter</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="dos-filter.html#dos-filter-metadata">Info</a></span></dt><dt><span class="section"><a href="dos-filter.html#dos-filter-usage">Usage</a></span></dt><dt><span class="section"><a href="dos-filter.html#dos-filter-using">Using the DoS Filter</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="dos-filter-metadata"></a>Info</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Classname: <code class="code">org.eclipse.jetty.servlets.DoSFilter</code></p></li><li class="listitem"><p>Maven Artifact: org.eclipse.jetty:jetty-servlets</p></li><li class="listitem"><p>
Javadoc: <a class="link" href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/servlets/DoSFilter.html" target="_top">http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/servlets/DoSFilter.html</a>
</p></li><li class="listitem"><p>
Xref: <a class="link" href="http://download.eclipse.org/jetty/stable-9/xref/org/eclipse/jetty/servlets/DoSFilter.html" target="_top">http://download.eclipse.org/jetty/stable-9/xref/org/eclipse/jetty/servlets/DoSFilter.html</a>
</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="dos-filter-usage"></a>Usage</h3></div></div></div><p>
The Denial of Service (DoS) filter limits exposure to request flooding, whether malicious, or as a result of a misconfigured client. The DoS filter keeps track of the number of requests from a connection per second. If the requests exceed the limit, Jetty rejects, delays, or throttles the request, and sends a warning message. The filter works on the assumption that the attacker might be written in simple blocking style, so by suspending requests you are hopefully consuming the attacker's resources. The DoS filter is related to the QoS filter, using Continuations to prioritize requests and avoid thread starvation.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="dos-filter-using"></a>Using the DoS Filter</h3></div></div></div><p>
Jetty places throttled requests in a priority queue, giving priority first to authenticated users and users with an HttpSession, then to connections identified by their IP addresses. Connections with no way to identify them have lowest priority. To uniquely identify authenticated users, you should implement the The extractUserId(ServletRequest request) function.
</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="d0e12451"></a>Required JARs</h4></div></div></div><p>
To use the DoS Filter, these JAR files must be available in WEB-INF/lib:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
$JETTY_HOME/lib/ext/jetty-util.jar
</p></li><li class="listitem"><p>
$JETTY_HOME/lib/ext/jetty-servlets.jar
</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="d0e12463"></a>Sample Configuration</h4></div></div></div><p>
Place the configuration in a webapp's web.xml or jetty-web.xml. The default configuration allows 25 requests per connection at a time, servicing more important requests first, and queuing up the rest. This example allow 30 requests at a time:
</p><div class="informalexample"><script type="syntaxhighlighter" class="brush: xml;toolbar: false">
<![CDATA[
<filter>
<filter-name>DoSFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>
<init-param>
<param-name>maxRequestsPerSec</param-name>
<param-value>30</param-value>
</init-param>
</filter>
]]>
</script></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="dos-filter-init"></a>Configuring DoS Filter Parameters</h4></div></div></div><p>
The following init parameters control the behavior of the filter:
</p><div class="variablelist"><dl><dt><span class="term">maxRequestsPerSec</span></dt><dd><p>
Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25.
</p></dd><dt><span class="term">delayMs</span></dt><dd><p>
Delay imposed on all requests over the rate limit, before they are considered at all:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
100 (ms) = Default
</p></li><li class="listitem"><p>
-1 = Reject request
</p></li><li class="listitem"><p>
0 = No delay
</p></li><li class="listitem"><p>
any other value = Delay in ms
</p></li></ul></div><p>
</p></dd><dt><span class="term">maxWaitMs</span></dt><dd><p>
Length of time, in ms, to blocking wait for the throttle semaphore. Default is 50 ms.
</p></dd><dt><span class="term">throttledRequests</span></dt><dd><p>
Number of requests over the rate limit able to be considered at once. Default is 5.
</p></dd><dt><span class="term">throttleMs</span></dt><dd><p>
Length of time, in ms, to async wait for semaphore. Default is 30000L.
</p></dd><dt><span class="term">maxRequestMs</span></dt><dd><p>
Length of time, in ms, to allow the request to run. Default is 30000L.
</p></dd><dt><span class="term">maxIdleTrackerMs</span></dt><dd><p>
Length of time, in ms, to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it. Default is 30000L.
</p></dd><dt><span class="term">insertHeaders</span></dt><dd><p>
If true, insert the DoSFilter headers into the response. Defaults to true.
</p></dd><dt><span class="term">trackSessions</span></dt><dd><p>
If true, usage rate is tracked by session if a session exists. Defaults to true.
</p></dd><dt><span class="term">remotePort</span></dt><dd><p>
If true and session tracking is not used, then rate is tracked by IP+port (effectively connection). Defaults to false.
</p></dd><dt><span class="term">ipWhitelist</span></dt><dd><p>
A comma-separated list of IP addresses that will not be rate limited.
</p></dd><dt><span class="term">managedAttr</span></dt><dd><p>
If set to true, then this servlet is set as a ServletContext attribute with the filter name as the attribute name. This allows a context external mechanism (for example, JMX via ContextHandler.MANAGED_ATTRIBUTES) to manage the configuration of the filter.
</p></dd></dl></div></div></div></div><script type="text/javascript">
SyntaxHighlighter.all()
</script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="qos-filter.html"><i class="icon-chevron-left"></i> Previous</a>&nbsp;</td><td width="20%" align="center"><a accesskey="u" href="advanced-extras.html"><i class="icon-chevron-up"></i> Top</a></td><td width="40%" align="right">&nbsp;<a accesskey="n" href="gzip-filter.html">Next <i class="icon-chevron-right"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Quality of Service Filter&nbsp;</td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="icon-home"></i> Home</a></td><td width="40%" align="right" valign="top">&nbsp;Gzip Filter</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout">
See an error or something missing?
<span class="callout"><a href="http://github.com/jetty-project/jetty-documentation">Contribute to this documentation at
<span class="website"><i class="icon-github"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2013-10-30T13:20:36-05:00)</i></span></div></p><script xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-1149868-7']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script></body></html>