Problem Description:
In Chinese this is called the slow HTTP attack vulnerability. It uses HTTP POST: when POSTing, the client specifies a very large Content-Length and then sends the data at a very low speed, such as one byte every 10-100 s, holding the connection open and keeping it from disconnecting. When there are too many such client connections, all of the web server's available connections are occupied, resulting in DoS.
Solution:
Limit the maximum time the web server allows for HTTP header transmission, setting it to a maximum of 20 seconds. If the vulnerability still exists, reduce the maximum allowed time to a smaller value. In Spring Boot, write a configuration class that configures Tomcat and sets its connection timeout. If the vulnerability is still present after this setting, the connection timeout needs to be reduced further.
package com.qzt.common.config;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class WebServerConfiguration {

    @Bean
    public EmbeddedServletContainerFactory createEmbeddedServletContainerFactory() {
        TomcatEmbeddedServletContainerFactory tomcatFactory = new TomcatEmbeddedServletContainerFactory();
        // tomcatFactory.setPort(8081);
        tomcatFactory.addConnectorCustomizers(new MyTomcatConnectorCustomizer());
        return tomcatFactory;
    }
}

class MyTomcatConnectorCustomizer implements TomcatConnectorCustomizer {

    @Override
    public void customize(Connector connector) {
        Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
        // Set the maximum number of connections
        // protocol.setMaxConnections(2000);
        // Set the maximum number of threads
        // protocol.setMaxThreads(2000);
        // Connection timeout in milliseconds; this is the line that takes effect
        protocol.setConnectionTimeout(8000);
    }
}
There are two other ways to configure the fix for this problem (the link below uses different classes to configure Tomcat): https://www.cnblogs.com/softidea/p/5751596.html
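The effect of the timeout on a stalled POST, as an added Python example that is not code from the original post or from Tomcat. It assumes the limit behaves as a per-read socket timeout; `read_request`, `simulate`, the 0.5 s value and the request bytes are constructed for illustration, and the exchange runs over an in-process socket pair.

```python
import socket
import time

IDLE_TIMEOUT = 0.5  # seconds; constructed, scaled-down stand-in for the 8000 ms on the page

def read_request(conn, idle_timeout=IDLE_TIMEOUT):
    """Read one request; return (outcome, body_bytes_received).

    Any single read that waits longer than idle_timeout ends the request,
    so a sender that stalls mid-body cannot keep the connection occupied.
    """
    conn.settimeout(idle_timeout)
    buf = b""
    body = b""
    try:
        while b"\r\n\r\n" not in buf:          # wait for the end of the headers
            chunk = conn.recv(4096)
            if not chunk:
                return "client-closed", 0
            buf += chunk
        head, _, body = buf.partition(b"\r\n\r\n")
        length = 0
        for line in head.split(b"\r\n")[1:]:   # skip the request line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        while len(body) < length:              # body may arrive in pieces
            chunk = conn.recv(4096)
            if not chunk:
                return "client-closed", len(body)
            body += chunk
        return "complete", len(body)
    except socket.timeout:
        return "timed-out", len(body)          # server would now free the connection

def simulate(declared_length, sent_body, idle_timeout=IDLE_TIMEOUT):
    """Constructed harness: announce declared_length, send only sent_body, then go silent."""
    server, client = socket.socketpair()       # in-process pair, no network involved
    try:
        client.sendall(b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                       b"Content-Length: %d\r\n\r\n" % declared_length + sent_body)
        start = time.monotonic()
        outcome, received = read_request(server, idle_timeout)
        return outcome, received, time.monotonic() - start
    finally:
        server.close()
        client.close()
```

A request whose body matches its Content-Length returns `complete` at once; one that announces a large body and then goes silent is released after roughly `idle_timeout` instead of holding its slot indefinitely.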