[jboss-jira] [JBoss JIRA] (WFLY-3797) Need post-timeout for WildFly / Undertow

Lyle Wang (JIRA) issues at jboss.org
Sun Dec 7 22:13:39 EST 2014


    [ https://issues.jboss.org/browse/WFLY-3797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13025737#comment-13025737 ] 

Lyle Wang commented on WFLY-3797:
---------------------------------

Hi, Stuart:
According to the WebLogic doc: http://docs.oracle.com/cd/E17904_01/web.1111/e13701/web_server.htm#CNFGD216
There are 3 options that can be used to prevent a DOS attack:
PostTimeoutSecs -- Amount of time that WebLogic Server waits between receiving chunks of data in an HTTP POST.
MaxPostTimeSecs -- Maximum time that WebLogic Server spends receiving post data.
MaxPostSize -- Maximum number of bytes of data received in a POST from a single request.  

>>  I don't know how useful it is at preventing a DOS, as it does not take into account the amount of data that the remote endpoint is sending (e.g. the remote endpoint could send one byte every 20 seconds, and this will defeat the timeout).
I think that by setting "PostTimeoutSecs" and "MaxPostTimeSecs" properly, it can filter out those requests in your example.
What we want is something similar here; it doesn't necessarily need to be one single option, it can be multiple options that work together (or handle different scenarios).


You mentioned "This desired effect can be achieved by setting the read-timeout option on the listener."
Are we looking at the "Http Connector" section in this doc? https://docs.jboss.org/author/display/WFLY8/Undertow+%28web%29+subsystem+configuration
I couldn't find anything related to "read-timeout" here; could you give some more info on this?
It seems to be "REQUEST_PARSE_TIMEOUT" in the UndertowOptions class? https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/UndertowOptions.java
How can users set this up?

Many Thanks

> Need post-timeout for WildFly / Undertow
> ----------------------------------------
>
>                 Key: WFLY-3797
>                 URL: https://issues.jboss.org/browse/WFLY-3797
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final
>            Reporter: Lyle Wang
>            Assignee: Stuart Douglas
>
> Is it possible to provide a post timeout to prevent DoS? JBoss AS 7 or WildFly has no such feature/option, but WebLogic provides this:
> http://docs.oracle.com/cd/E17904_01/web.1111/e13701/web_server.htm#i1059782
> Currently only "max-post-size" is supported:
> https://docs.jboss.org/author/display/WFLY8/Undertow+%28web%29+subsystem+configuration
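
The interaction between the three limits discussed in the comment above, as an added example that is not part of the original message and is not WebLogic or Undertow code: a small model that applies an inter-chunk timeout, a total receive time and a size cap to a timeline of chunk arrivals. The limit values and the traffic are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class PostLimits:
    post_timeout_secs: float    # max gap between chunks (PostTimeoutSecs)
    max_post_time_secs: float   # max total time receiving the body (MaxPostTimeSecs)
    max_post_size: int          # max body bytes (MaxPostSize)

def _next_expiry(last_chunk_at, limits):
    """Which timer fires first if no further data arrives, and when."""
    idle = last_chunk_at + limits.post_timeout_secs
    total = limits.max_post_time_secs
    return ("idle-timeout", idle) if idle <= total else ("total-timeout", total)

def check_post(chunks, content_length, limits):
    """chunks: (arrival_secs, nbytes) pairs, times measured from the start of
    the body read. Returns (verdict, decision_time_secs)."""
    received, last = 0, 0.0
    for at, nbytes in chunks:
        verdict, deadline = _next_expiry(last, limits)
        if at > deadline:               # a timer fired before this chunk arrived
            return verdict, deadline
        received += nbytes
        if received > limits.max_post_size:
            return "too-large", at
        if received >= content_length:
            return "accepted", at
        last = at
    return _next_expiry(last, limits)   # sender went silent mid-body

# Constructed traffic: a 1000-byte body sent one byte every 20 seconds.
def slow_drip():
    return ((20.0 * i, 1) for i in range(1, 1001))

IDLE_ONLY = PostLimits(30, math.inf, 1 << 20)   # constructed values
COMBINED = PostLimits(30, 120, 1 << 20)         # constructed values

if __name__ == "__main__":
    print(check_post(slow_drip(), 1000, IDLE_ONLY))         # drip outlasts the idle timer
    print(check_post(slow_drip(), 1000, COMBINED))          # total-time cap ends it
    print(check_post([(1.0, 500)], 1000, COMBINED))         # stalled mid-body
    print(check_post([(0.1, 4 << 20)], 4 << 20, COMBINED))  # body over the size cap
```

With only the inter-chunk timeout, the slow sender holds the connection for the whole 20000 seconds; adding the total-time limit cuts it off at 120 seconds.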


