J. Volkya

Reputation: 1000

Tomcat and flood protection

We are using Tomcat 7 for our web application. We provide an XML-based API so that our customers can communicate with our server in a machine-to-machine way (no web browser needed). The requests are processed by a servlet.

We need to prevent users from sending too many requests in a row. Some of the services we provide involve polling for results and users may make requests in a loop without any pauses, making dozens of requests per second for nothing.

How can we protect ourselves from being flooded with useless requests? Is there a simple way to block requests at the servlet entry level when there are too many requests originating from the same IP? Is there something built into Tomcat to deal with this problem?

Upvotes: 6

Views: 1270

Answers (4)

Olofu Mark

Reputation: 1040

Apache's mod_evasive or mod_security could cover your need here. You may consider Cloudflare for more complex, serious attacks that will require hardware protection.

Upvotes: 0

Christopher Schultz

Reputation: 20862

Spring Security has a lot of the features of Apache httpd's mod_security if you want a Java-only solution.

Upvotes: 0

Alan Hay

Reputation: 23246

You could code your own.

Starting points for looking at this would be the Servlet API, in particular the Filter interface and the getRemoteHost() method of the ServletRequest interface.

Should be easy enough to write a Filter implementation which stores a count of requests from each host and takes action if a limit is exceeded.

Upvotes: 2
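
The filter approach from the answer above, written out as an added example (not code from the answer or from Tomcat): a fixed-window counter per client address that rejects excess requests with HTTP 429. The class name, URL mapping, limit, and window length are assumptions, as is Java 8 or later; it keys on getRemoteAddr() instead of getRemoteHost() so that no hostname lookup is involved.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Added example: fixed-window request counter per client address.
@WebFilter("/*") // assumed mapping; narrow it to the API servlet's URL pattern
public class RateLimitFilter implements Filter {
    private static final int MAX_REQUESTS = 20;     // assumed limit per window
    private static final long WINDOW_MS = 10_000L;  // assumed window length
    // Immutable per-client state: window start time and requests counted in it.
    private static final class Window {
        final long start; final int count;
        Window(long start, int count) { this.start = start; this.count = count; }
    }

    private final ConcurrentHashMap<String, Window> windows = new ConcurrentHashMap<>();
    private volatile long lastPurge = System.currentTimeMillis();
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { windows.clear(); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final long now = System.currentTimeMillis();
        // Behind a reverse proxy this is the proxy's address, so every client shares one counter.
        String client = req.getRemoteAddr();
        // compute() is atomic per key: start a new window or count within the current one.
        Window w = windows.compute(client, (k, old) ->
                (old == null || now - old.start >= WINDOW_MS)
                        ? new Window(now, 1) : new Window(old.start, old.count + 1));
        purgeExpired(now);
        if (w.count > MAX_REQUESTS) {
            HttpServletResponse http = (HttpServletResponse) res;
            long retrySeconds = Math.max(1, (w.start + WINDOW_MS - now + 999) / 1000);
            http.setHeader("Retry-After", String.valueOf(retrySeconds));
            http.sendError(429, "Too many requests"); // 429 = Too Many Requests
            return; // rejected before the servlet does any work
        }
        chain.doFilter(req, res);
    }

    // Drop clients whose window has expired so the map cannot grow without bound.
    private void purgeExpired(long now) {
        if (now - lastPurge < WINDOW_MS) return;
        lastPurge = now;
        windows.forEach((k, w) -> { if (now - w.start >= WINDOW_MS) windows.remove(k, w); });
    }
}
```

A fixed window admits up to twice the limit across a window boundary, and the counters are per JVM, so a cluster needs shared state or enforcement at the proxy layer.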

Rocky Pulley

Reputation: 23311

Assuming that you are using an Apache reverse proxy in front of Tomcat (if you aren't, you should be), use mod_cband on the Apache layer.

Upvotes: 4
