Webmaster Forum / ColdFusion / Getting Started / October 2004
Prevent Denial Of Server Attacks

janziegler - 26 Oct 2004 10:51 GMT
Hi all,

Does anyone know any prevention for simple denial of service attacks when
running ColdFusion MX 6.1 under JRun (with the latest upgrades)?

I can think of 2 easy to perform attacks:

1) Block the server by just reloading the page as fast as you can (e.g.
holding F5 in IE). That means that the same session (or the same client)
is blocking the whole server or filling the whole thread pool (and queue) of
JRun.

2) Block the server with a web stress tool, so that (maybe) different
client sessions from one IP are blocking the server (I won't consider the more
difficult case of a distributed attack from different IPs).

Is there any way to limit the number of requests being made from a
single client (session) or a single IP address in a certain time interval in
JRun?

As a workaround to prevent attack 1) I wrote some code lines - they measure
the time between 2 requests performed by one session. If the time is under a
certain limit the request aborts:
<cfset maxTime = 200 />
<cfset tickCount = GetTickCount() />
<cfif not isDefined('SESSION.lastAccessTime')>
    <cfset SESSION.lastAccessTime = tickCount />
<cfelse>
    <cfset timeDiff = tickCount - SESSION.lastAccessTime />
    <cfset SESSION.lastAccessTime = tickCount />
    <!--- between 2 requests there must be a delay of 200 ms (otherwise abort!) --->
    <cfif timeDiff lt maxTime>
        <cfabort/>
    </cfif>
</cfif>

I don't know if this is a good method but it seems to work (under normal
circumstances, see below).

For attack 2) I also wrote some code that checks how often a request is being
made from a certain IP address. Therefore I collect all IPs (over
cgi.remote_addr) in a HashMap (IP : request_count) in the Application scope.
For every request I check how often the calling IP was sending requests during
a certain time interval. If the number is too high I block requests from this
IP (for a while).

The problem with both approaches is that they only seem to work if the
number of simultaneous requests is not too high (less than 100/second). If the
server is under heavy load it seems to take a lot of time until my code (at the top
of Application.cfm) is reached, and therefore the time mechanism (measuring
requests during a certain time interval) fails because all requests are delayed.

If I use a web stress tool (like the free one from Microsoft) which allows me
to send more than 100 requests from different clients from one IP, I
cannot prevent that the thread pool (and queue) gets filled and the server is
blocked.

So which possibilities do I have for preventing those attacks in CFMX under JRun?
Are there possibilities by modifying the following configurations in a certain
way:
- jrun configuration
- apache configuration (problem: stateless?)

All I could see there (and also from other posts in different forums) was the
ability to set how many threads should perform at once and how many threads
should be queued by JRun. But there are no settings concerning
client (session) -> maximum threads or IP -> maximum threads.

I think this is a major problem that everyone has,
so Thanks for any help!

Jan
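For attack 2) the post describes a per-IP request count in the Application scope but shows no code. The fragment below is an added example (not Jan's code) of that idea as an Application.cfm prelude: a fixed time window per IP, a temporary block once the count exceeds a limit, and a cflock so concurrent requests do not corrupt the shared struct. The thresholds (windowMs, maxRequests, blockMs) and the struct name ipTable are assumed, illustrative values; as the post notes, this cannot help once JRun's thread pool and queue are already saturated, because the code only runs after a thread has been assigned to the request.

```cfml
<!--- Added example, not from the original post: per-IP request limiter for Application.cfm.
      Thresholds below are assumptions chosen for illustration. --->
<cfset windowMs    = 10000 />  <!--- count requests per IP over a 10 s window --->
<cfset maxRequests = 50 />     <!--- more than this inside one window triggers a block --->
<cfset blockMs     = 60000 />  <!--- a blocked IP is refused for 60 s --->
<cfset now     = GetTickCount() />
<cfset ip      = CGI.REMOTE_ADDR />
<cfset blocked = false />      <!--- fail open if the lock below cannot be taken --->

<cflock scope="application" type="exclusive" timeout="2" throwontimeout="false">
    <cfif not StructKeyExists(APPLICATION, "ipTable")>
        <cfset APPLICATION.ipTable = StructNew() />
    </cfif>
    <cfif not StructKeyExists(APPLICATION.ipTable, ip)>
        <!--- first request from this IP: open a new counting window --->
        <cfset APPLICATION.ipTable[ip] = StructNew() />
        <cfset APPLICATION.ipTable[ip].windowStart  = now />
        <cfset APPLICATION.ipTable[ip].count        = 0 />
        <cfset APPLICATION.ipTable[ip].blockedUntil = 0 />
    </cfif>
    <!--- structs are reference types in CFML, so entry updates the shared table --->
    <cfset entry = APPLICATION.ipTable[ip] />
    <cfif (now - entry.windowStart) gt windowMs>
        <!--- window expired: start counting again --->
        <cfset entry.windowStart = now />
        <cfset entry.count = 0 />
    </cfif>
    <cfset entry.count = entry.count + 1 />
    <cfif entry.count gt maxRequests>
        <cfset entry.blockedUntil = now + blockMs />
    </cfif>
    <cfset blocked = (entry.blockedUntil gt now) />
</cflock>

<cfif blocked>
    <!--- refuse cheaply before any page code runs; tell well-behaved clients when to retry --->
    <cfheader statuscode="503" statustext="Service Unavailable" />
    <cfheader name="Retry-After" value="60" />
    <cfabort />
</cfif>
```

The table never shrinks here; a scheduled task (or a periodic sweep inside the lock) should delete entries whose window and block have both expired, otherwise the Application scope grows with every distinct client address seen.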
TheFunnyMonkey - 27 Oct 2004 07:20 GMT
I've seen or heard about some ProtoNova web server that supposedly does this. I dunno if it works with CF MX. Lemme look around to see if I can find it again.
TheFunnyMonkey - 29 Oct 2004 18:08 GMT
I think I found it again: http://www.slproweb.com/products/ProtoNova.html. It
seems to not work with MX 6.1. It wants cfml.exe to work. I think it's somewhere
in CF 5. The auto attack detect setting is interesting.
©2009 Advenet LLC   Privacy Policy - Terms of Use