[Geoserver-users] GeoServer 2.11 : Slow HTTP Denial of Service attack

Discussion:

Ian Turton

2017-05-26 15:23:45 UTC

It seems you can easily fix this using any number of servers (
https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks)
but not Jetty which isn't really designed for critical production usage.

However if this is truly critical to your organization there are plenty of
commercial support organisations (http://geoserver.org/support/) who may be
able to help.

All the best

Ian

Hi
I have recently started using GeoServer 2.11
As part of my organisationâs requirement I had run a security scan on the
server and found Slow HTTP Denial of Service attack open.
I tried using DoS filter for jetty as below in webapps/geoserver/web.xml,
however, the issue still persists and I could not find any other way to
mitigate this risk on the geoserver.
Request if you could help me on the ASAP as my urgent release is on a hold
in the absence of fixing this risk.
<filter>
<filter-name>DoSFilter</filter-name>
<filter-class>org.eclipse.jetty.servlets.DoSFilter</
filter-class>
<init-param>
<param-name>maxRequestsPerSec</param-name>
<param-value>30</param-value>
<param-name>delayMs</param-name>
<param-value>0</param-value>
<param-name>maxRequestMs</param-name>
<param-value>10000</param-value>
<param-name>maxIdleTrackerMs</param-name>
<param-value>10000</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>DoSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Regards
Himani Aggarwal
============================================================
================================================================
Disclaimer: This message and the information contained herein is
proprietary and confidential and subject to the Tech Mahindra policy
statement, you may review the policy at http://www.techmahindra.com/
Disclaimer.html externally http://tim.techmahindra.com/tim/disclaimer.html
internally within TechMahindra.
============================================================
================================================================
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
Ian Turton

Devin Eyre

2017-05-26 15:15:25 UTC

Permalink

Other than setting the WMS interpolation default to "nearest neighbor", I don't see a way to do this. Within the area that contains data, I do want interpolation to occur. In the past, I've tried using a footprint shapefile, and that did not fix the problem.

[cid:1ce75f06-4cfb-4329-bc60-054ad7bb5303]

I'm using GeoServer version 2.9.2. The data was created by using gdal_translate and gdalwarp to reproject the original file from Lambert Conformal Conic to EPSG:4326 and convert it to Byte type. The no-data value is 255.

Andrea Aime

2017-05-26 15:54:28 UTC

Permalink

Hi Devin,
for higher order interpolations we are still working on fixes. The good
news is that they are basically done,
the bad one is that they are not in any release and not even in nightly
builds yet.
We'll have to:

- release a new version of jai-ext
- make geotools and geoserver depend on it (at this point they will be
in nightly builds and, when the time comes, in releases)
- you'll have to enable jai-ext support in GeoServer (which is
available, but still considered experimental, hopefully that will change in
GeoServer 2.12, in September). See also
http://docs.geoserver.org/stable/en/user/configuration/image_processing/index.html#jai-ext

I believe in a matter of weeks it will be testable out of nightly builds,
but I don't know exactly when

Cheers
Andrea

Post by Devin Eyre
Other than setting the WMS interpolation default to "nearest neighbor", I
don't see a way to do this. Within the area that contains data, I do want
interpolation to occur. In the past, I've tried using a footprint
shapefile, and that did not fix the problem.
I'm using GeoServer version 2.9.2. The data was created
by using gdal_translate and gdalwarp to reproject the original file
from Lambert Conformal Conic to EPSG:4326 and convert it to Byte type. The
no-data value is 255.
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo Ãš consentito esclusivamente al destinatario del messaggio,
per le finalitÃ indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalitÃ diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------