Re: [jetty-users] slowloris vulnerability
Hi René,

I've just run slowloris against Jetty 9. Besides the (expected) number of established connections which move to FIN_WAIT_2 and CLOSE_WAIT, Jetty doesn't care. As Jetty 9 is purely using NIO, there are no threads being occupied for idle connections. The same should be the case for all NIO connectors in Jetty 8. During the slowloris attack Jetty 9 kept responding fast and unimpressed by the attack (again, as expected).

Cheers,
Thomas

On 8/5/13 8:42 AM, René Hartwig wrote:
Hello,

we're using the Acunetix vulnerability scanner to search for vulnerabilities in our application. Recently Acunetix discovered a slowloris vulnerability; see http://www.funtoo.org/wiki/Slowloris_DOS_Mitigation_Guide

We're using Jetty version 8.1.7.v20120910. Do you have any further knowledge of this vulnerability together with Jetty 8? It seems that the only way this attack can be avoided is to set the maxIdleTime < 10 sec, which I do not like very much. Do you have any advice for me on what I can do to avoid this finding, besides setting the maxIdleTime so low?

Thank you and best regards,
René Hartwig

--
René Hartwig
Senior Developer
Befine Solutions AG - The Cryptshare Company
Bebelstraße 17
79108 Freiburg
Germany
Tel: +49 (0) 761 38913 0
Fax: +49 (0) 761 38913 115
E-Mail: Rene.Hartwig@befine-solutions.com
Internet: http://www.cryptshare.com

Your attachments are too large or too confidential for e-mail? Get to know Cryptshare! http://www.cryptshare.com
http://www.facebook.com/cryptshare
http://www.linkedin.com/company/befine-solutions/products

Amtsgericht Freiburg HRB 6144
Board of Directors: Mark Forrest, Dominik Lehr
Chairman of the Supervisory Board: Thilo Braun

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
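The thread turns on two points: an NIO connector keeps a slow-header connection as a buffer plus a timestamp rather than a blocked thread, and a plain idle timeout (Jetty 8's maxIdleTime) only helps if it is shorter than the interval at which the client trickles bytes, which is why René is being pushed towards maxIdleTime < 10 sec. The following is an added example, not code from this thread and not Jetty's implementation: a single-threaded header reader driven by constructed, deterministic events. The class `HeaderReader`, the `simulate()` helper, and the limits `idle_timeout`, `header_deadline` and `max_header_bytes` are all assumptions made for the illustration. It shows that an idle timeout alone does not close a client that sends a header line every 8 seconds against a 10-second idle limit, while a separate deadline on completing the whole header block does, without having to make the idle limit uncomfortably short.

```python
# Constructed example: a single-threaded (NIO-style) header reader that models
# how a connector handles slow-header clients. Not Jetty code; the limits used
# here (idle_timeout, header_deadline, max_header_bytes) are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_END = b"\r\n\r\n"  # end of the HTTP/1.1 request header block


@dataclass
class Conn:
    opened_at: float
    last_activity: float
    buf: bytearray = field(default_factory=bytearray)
    state: str = "reading_headers"      # reading_headers | ready | closed
    close_reason: Optional[str] = None


class HeaderReader:
    """Accumulates request headers per connection; no thread is held while waiting.

    Three independent limits close a connection that is still reading headers:
      idle_timeout     -- seconds with no bytes at all (maxIdleTime-style)
      header_deadline  -- seconds allowed to finish the entire header block
      max_header_bytes -- cap on the bytes buffered for one header block
    """

    def __init__(self, idle_timeout: float, header_deadline: float, max_header_bytes: int):
        self.idle_timeout = idle_timeout
        self.header_deadline = header_deadline
        self.max_header_bytes = max_header_bytes
        self.conns: Dict[str, Conn] = {}

    def accept(self, cid: str, now: float) -> None:
        self.conns[cid] = Conn(opened_at=now, last_activity=now)

    def on_readable(self, cid: str, data: bytes, now: float) -> None:
        """Event-loop callback: bytes arrived on a connection."""
        c = self.conns[cid]
        if c.state != "reading_headers":
            return
        c.last_activity = now
        c.buf.extend(data)
        if len(c.buf) > self.max_header_bytes:
            self._close(c, "header_too_large")
        elif HEADER_END in c.buf:
            c.state = "ready"           # complete header block: hand off to dispatch

    def sweep(self, now: float) -> List[str]:
        """Periodic timer: close connections that exceeded a time limit; returns their ids."""
        closed = []
        for cid, c in self.conns.items():
            if c.state != "reading_headers":
                continue
            if now - c.last_activity >= self.idle_timeout:
                self._close(c, "idle_timeout")
            elif now - c.opened_at >= self.header_deadline:
                self._close(c, "header_deadline")
            if c.state == "closed":
                closed.append(cid)
        return closed

    def pending(self) -> int:
        """Connections still waiting for headers: each costs a buffer, not a thread."""
        return sum(1 for c in self.conns.values() if c.state == "reading_headers")

    @staticmethod
    def _close(c: Conn, reason: str) -> None:
        c.state = "closed"
        c.close_reason = reason


def simulate(idle_timeout=10.0, header_deadline=30.0, max_header_bytes=8192, horizon=60):
    """Constructed traffic: a normal client, a silent client, and a slow-header client."""
    reader = HeaderReader(idle_timeout, header_deadline, max_header_bytes)
    # (time, connection id, payload); payload None = new connection accepted
    events = [
        (0.0, "normal", None),
        (0.1, "normal", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (0.0, "silent", None),
        (0.0, "slow", None),
        (0.5, "slow", b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    ]
    # slow client adds one header line every 8 s and never sends the blank line
    events += [(t, "slow", b"X-a: b\r\n") for t in range(8, horizon, 8)]
    events.sort(key=lambda e: e[0])       # stable: accepts stay ahead of their data

    closed_at = {}
    i = 0
    for step in range(horizon + 1):       # timer fires once per second
        now = float(step)
        while i < len(events) and events[i][0] <= now:
            t, cid, payload = events[i]
            if payload is None:
                reader.accept(cid, t)
            else:
                reader.on_readable(cid, payload, t)
            i += 1
        for cid in reader.sweep(now):
            closed_at[cid] = now
    return {cid: (c.state, c.close_reason, closed_at.get(cid))
            for cid, c in reader.conns.items()}


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

With the defaults, the normal client is dispatched at once, the silent one is dropped by the idle timeout at 10 s, and the slow client survives the idle timeout (its gaps are 8 s) but is dropped by the 30 s header deadline. Passing `header_deadline=float("inf")` reproduces René's situation, where only `idle_timeout=5.0` or similar closes the slow client. Throughout, `pending()` counts buffered connections rather than blocked threads, which is the property Thomas observes on the NIO connectors.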