HTTP Flood on Tomcat server causing issues

240 views Asked by At

I am getting hit with small HTTP floods on my apache server running port 80 which is proxying tomcat on port 8080.

Now what is happening is this is causing tomcat to create 100s - 1000s of sessions depending on how many clients get passed the cloudflare firewall(s) and my server ones (I have libapache2-mod-qos installed for my Apache server).

IPTABLES:


/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min \
    --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

example: enter image description here

Now this is causing major issues for me and if someone could help shed some light on how to get around this I would be greatful.

mod-qos conf:

<IfModule qos_module>
  # handle connections from up to 100000 different IPs
   QS_ClientEntries 100000
   # allow only 50 connections per IP
   QS_SrvMaxConnPerIP 10
   # limit maximum number of active TCP connections limited to 256
   MaxClients 256
   # disables keep-alive when 180 (70%) TCP connections are occupied
   QS_SrvMaxConnClose 180
   # minimum request/response speed
   # (deny slow clients blocking the server, keeping connections open without requesting anything
   QS_SrvMinDataRate 150 1200
</IfModule>
1

There are 1 answers

0
Pete On BEST ANSWER

As far as you know is this legitimate traffic and not part of a DOS / DDOS? I assume with cloudflare involved it is not however if so then it is best to have an IPS inspect the traffic at an application level and to deny it based on a matching attack signature.

If ligitmate then you will need to assess how the tomcat application is operating based on its code and logs being produced.

Maybe the Tomcat application is requiring the clients to send this data inbound.