org.eclipse.jetty.servlets
Class DoSFilter

java.lang.Object
  extended by org.eclipse.jetty.servlets.DoSFilter
All Implemented Interfaces:
Filter
Direct Known Subclasses:
CloseableDoSFilter

public class DoSFilter
extends Object
implements Filter

Denial of Service filter

This filter is based on the QoSFilter. It is useful for limiting exposure to abuse from request flooding, whether malicious or the result of a misconfigured client.

The filter keeps track of the number of requests per second from each connection. If the limit is exceeded, the request is rejected, delayed, or throttled.

When a request is throttled, it is placed in a priority queue. Priority is given first to authenticated users and users with an HttpSession, then to connections that can be identified by their IP address. Connections with no way to identify them are given the lowest priority.

The extractUserId(ServletRequest request) method should be overridden in order to uniquely identify authenticated users; otherwise the filter can only distinguish clients by session or IP address.

The following init parameters control the behavior of the filter:

maxRequestsPerSec - the maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled.
delayMs - the delay given to all requests over the rate limit, before they are considered at all. -1 means just reject the request, 0 means no delay, otherwise it is the delay in milliseconds.
maxWaitMs - how long to block waiting for the throttle semaphore, in milliseconds.
throttledRequests - the number of requests over the rate limit able to be considered at once.
throttleMs - how long to wait asynchronously for the semaphore, in milliseconds.
maxRequestMs - how long to allow a request to run, in milliseconds.
maxIdleTrackerMs - how long to keep track of request rates for a connection before deciding that the user has gone away and discarding the tracker, in milliseconds.
insertHeaders - if true, insert the DoSFilter headers into the response. Defaults to true.
trackSessions - if true, usage rate is tracked by session if a session exists. Defaults to true.
remotePort - if true and session tracking is not used, then rate is tracked by IP+port (effectively per connection). Defaults to false.
ipWhitelist - a comma-separated list of IP addresses that will not be rate limited.
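The following web.xml fragment is an added example (not from the Jetty documentation or distribution) showing how these init parameters are set when the filter is registered by deployment descriptor. The numeric values are illustrative, not the filter's defaults; tune them to the application's expected traffic.

```xml
<!-- Added example: register DoSFilter on every request path. -->
<filter>
  <filter-name>DoSFilter</filter-name>
  <filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>

  <!-- Per-connection budget; requests above it are delayed, then throttled. -->
  <init-param>
    <param-name>maxRequestsPerSec</param-name>
    <param-value>25</param-value>
  </init-param>
  <!-- 100 ms delay before an over-limit request is even considered.
       Use -1 to reject outright, 0 to skip the delay. -->
  <init-param>
    <param-name>delayMs</param-name>
    <param-value>100</param-value>
  </init-param>
  <!-- Blocking wait for the throttle semaphore, then the number of
       over-limit requests allowed through at once, then the async wait. -->
  <init-param>
    <param-name>maxWaitMs</param-name>
    <param-value>50</param-value>
  </init-param>
  <init-param>
    <param-name>throttledRequests</param-name>
    <param-value>5</param-value>
  </init-param>
  <init-param>
    <param-name>throttleMs</param-name>
    <param-value>30000</param-value>
  </init-param>
  <!-- Upper bound on a single request's run time (closeConnection is invoked
       when it is exceeded) and on how long an idle tracker is retained. -->
  <init-param>
    <param-name>maxRequestMs</param-name>
    <param-value>30000</param-value>
  </init-param>
  <init-param>
    <param-name>maxIdleTrackerMs</param-name>
    <param-value>30000</param-value>
  </init-param>
  <!-- Identification: by session when one exists, otherwise by client IP.
       Set remotePort=true to key on IP+port when sessions are not used. -->
  <init-param>
    <param-name>trackSessions</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>remotePort</param-name>
    <param-value>false</param-value>
  </init-param>
  <!-- Exempt only addresses you control; each entry is an exact IP string. -->
  <init-param>
    <param-name>ipWhitelist</param-name>
    <param-value>127.0.0.1</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>DoSFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Two deployment caveats follow directly from how the filter identifies clients. First, IP-based tracking and ipWhitelist use the remote address the servlet container sees: behind a reverse proxy or load balancer that is the proxy's address, so every client collapses into a single tracker, and whitelisting the proxy disables the filter for all traffic. Second, delayMs=-1 is the only setting that rejects over-limit requests without consuming a thread; the delay and throttle paths hold the request, so the thread pool remains the resource an attacker competes for.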


Field Summary

protected long _delayMs
protected boolean _insertHeaders
protected long _maxIdleTrackerMs
protected long _maxRequestMs
protected int _maxRequestsPerSec
protected Semaphore _passes
protected Queue<Continuation>[] _queue
protected ConcurrentHashMap<String,org.eclipse.jetty.servlets.DoSFilter.RateTracker> _rateTrackers
protected boolean _remotePort
protected long _throttleMs
protected boolean _trackSessions
protected long _waitMs

Constructor Summary

DoSFilter()

Method Summary

protected void closeConnection(HttpServletRequest request, HttpServletResponse response, Thread thread)
          Takes drastic measures to return this response and stop this thread.
void destroy()
void doFilter(ServletRequest request, ServletResponse response, FilterChain filterchain)
protected void doFilterChain(FilterChain chain, HttpServletRequest request, HttpServletResponse response)
protected String extractUserId(ServletRequest request)
          Returns the user id, used to track this connection.
protected int getMaxPriority()
protected int getPriority(ServletRequest request, org.eclipse.jetty.servlets.DoSFilter.RateTracker tracker)
          Get priority for this request, based on user type.
org.eclipse.jetty.servlets.DoSFilter.RateTracker getRateTracker(ServletRequest request)
          Return a request rate tracker associated with this connection; keeps track of this connection's request rate.
void init(FilterConfig filterConfig)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

_delayMs

protected long _delayMs

_throttleMs

protected long _throttleMs

_waitMs

protected long _waitMs

_maxRequestMs

protected long _maxRequestMs

_maxIdleTrackerMs

protected long _maxIdleTrackerMs

_insertHeaders

protected boolean _insertHeaders

_trackSessions

protected boolean _trackSessions

_remotePort

protected boolean _remotePort

_passes

protected Semaphore _passes

_queue

protected Queue<Continuation>[] _queue

_maxRequestsPerSec

protected int _maxRequestsPerSec

_rateTrackers

protected final ConcurrentHashMap<String,org.eclipse.jetty.servlets.DoSFilter.RateTracker> _rateTrackers

Constructor Detail

DoSFilter

public DoSFilter()

Method Detail

init

public void init(FilterConfig filterConfig)
Specified by:
init in interface Filter

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain filterchain)
              throws IOException,
                     ServletException
Specified by:
doFilter in interface Filter
Throws:
IOException
ServletException

doFilterChain

protected void doFilterChain(FilterChain chain,
                             HttpServletRequest request,
                             HttpServletResponse response)
                      throws IOException,
                             ServletException
Parameters:
chain -
request -
response -
Throws:
IOException
ServletException

closeConnection

protected void closeConnection(HttpServletRequest request,
                               HttpServletResponse response,
                               Thread thread)
Takes drastic measures to return this response and stop this thread. Because the connection is interrupted rather than completed cleanly, the client may receive mixed-up headers.

Parameters:
request - current request
response - current response, which must be stopped
thread - the handling thread

getPriority

protected int getPriority(ServletRequest request,
                          org.eclipse.jetty.servlets.DoSFilter.RateTracker tracker)
Get priority for this request, based on user type

Parameters:
request -
tracker -
Returns:
priority

getMaxPriority

protected int getMaxPriority()
Returns:
the maximum priority that we can assign to a request

getRateTracker

public org.eclipse.jetty.servlets.DoSFilter.RateTracker getRateTracker(ServletRequest request)
Return a request rate tracker associated with this connection; it keeps track of this connection's request rate. If this is not the first request from this connection, the existing object with the stored statistics is returned. If it is the first request, a new request tracker is created. The method assumes that each connection has an identifying characteristic and goes through them in order, taking the first that matches: user id (if logged in), session id, client IP address. Unidentifiable connections are lumped together into one tracker. When a session expires, its rate tracker is automatically deleted.

Parameters:
request -
Returns:
the request rate tracker for the current connection

destroy

public void destroy()
Specified by:
destroy in interface Filter

extractUserId

protected String extractUserId(ServletRequest request)
Returns the user id, used to track this connection. This SHOULD be overridden by subclasses.

Parameters:
request -
Returns:
a unique user id, if logged in; otherwise null.
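The class description and this method both say that extractUserId should be overridden so authenticated users are tracked individually. The following subclass is an added example, not part of Jetty; the class name PrincipalDoSFilter and the "user:" key prefix are this example's own choices. It derives the id only from the container-authenticated Principal, never from a request header or parameter a client could set, so a client cannot claim someone else's rate budget or the priority reserved for authenticated users.

```java
// Added example: not part of org.eclipse.jetty.servlets.
package com.example.filters; // hypothetical package

import java.security.Principal;

import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;

import org.eclipse.jetty.servlets.DoSFilter;

/**
 * DoSFilter subclass that keys the rate tracker on the authenticated user.
 * Without this override the base class returns null and falls back to
 * session id, then client IP, so all users behind one NAT or proxy address
 * share a single budget and none of them gets authenticated-user priority.
 */
public class PrincipalDoSFilter extends DoSFilter {

    @Override
    protected String extractUserId(ServletRequest request) {
        // Only HTTP requests carry an authenticated principal.
        if (!(request instanceof HttpServletRequest)) {
            return null; // let the base class fall back to session/IP tracking
        }
        HttpServletRequest http = (HttpServletRequest) request;

        // The container's security handler runs before the filter chain, so
        // getUserPrincipal() is non-null only after credentials were verified
        // (BASIC, FORM, client certificate, ...). Do NOT read a user name from
        // a header such as X-User here: the client controls headers and could
        // pick any identity to obtain a fresh budget or higher priority.
        Principal principal = http.getUserPrincipal();
        if (principal == null) {
            return null; // anonymous: tracked by session id or IP instead
        }
        String name = principal.getName();
        if (name == null || name.isEmpty()) {
            return null;
        }

        // Namespace the key. Assumption: the base class keeps every tracker in
        // the single String-keyed _rateTrackers map shown in the field summary,
        // so a user id must not be able to collide with a session id or an
        // IP address string.
        return "user:" + name;
    }
}
```

Register the subclass in place of DoSFilter (for example as the filter-class in web.xml); all init parameters behave as before, and only the identification step changes.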


Copyright © 1995-2009 Mort Bay Consulting. All Rights Reserved.