
HTTP Flood on Tomcat server causing issues


I am getting hit with small HTTP floods on my Apache server running on port 80, which is proxying Tomcat on port 8080.

Now what is happening is that this is causing Tomcat to create 100s to 1000s of sessions, depending on how many clients get past the Cloudflare firewall(s) and my server's ones (I have libapache2-mod-qos installed for my Apache server).

IPTABLES:


# Per-source cap on concurrent TCP connections: the 112th and later from one IP are answered with a RST
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
# Accept at most 2 inbound RST segments per second (burst 2), drop the rest
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
# Global (not per-source) cap on new TCP connections: 60/s with a burst of 20;
# everything above it is dropped, whichever IP it comes from
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
# Per-source rate limit for port 80 (50/min, burst 500). Every NEW packet has already been
# accepted or dropped by the two rules above, so these two rules only ever see packets of
# already-established connections and never limit new ones
/sbin/iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min \
    --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j DROP


Now this is causing major issues for me, and if someone could help shed some light on how to get around this I would be grateful.

mod_qos conf:

<IfModule qos_module>
  # handle connections from up to 100000 different IPs
  QS_ClientEntries 100000
  # allow only 10 concurrent connections per IP
  QS_SrvMaxConnPerIP 10
  # cap active TCP connections at 256 (an MPM directive, not a mod_qos one;
  # on Apache 2.4 it is MaxRequestWorkers, with MaxClients still accepted as an alias)
  MaxClients 256
  # disable keep-alive once 180 (70%) of the 256 connections are occupied
  QS_SrvMaxConnClose 180
  # minimum request/response speed: 150 bytes/s, raised towards 1200 bytes/s as the server
  # gets busier (denies slow clients that keep connections open without requesting anything)
  QS_SrvMinDataRate 150 1200
</IfModule>
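To see what the posted iptables rules actually do to a flood, here is an added example (mine, not code from the post): a small Python model of the chain's rate-limiting rules, replayed against constructed traffic. The source IPs are RFC 5737 documentation addresses and the traffic pattern is made up; the `-m limit` and `-m hashlimit` parameters are the posted ones. The connlimit and RST rules are left out of the model because this traffic never reaches their thresholds.

```python
"""Replay constructed traffic through a model of the rate-limiting rules in the
posted INPUT chain (the NEW-connection limit and the per-source hashlimit for
port 80), reporting which rule decided each packet.

-m limit and -m hashlimit are modelled as token buckets: capacity = burst,
refilled at the configured rate, starting full, one packet costs one token.
That is how the kernel modules behave. Fractions keep the arithmetic exact.
Added example; none of this is from the post.
"""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Packet:
    t: Fraction      # arrival time in seconds
    src: str         # source IP (constructed, RFC 5737 documentation ranges)
    dport: int
    new: bool        # conntrack state NEW (the SYN) vs. ESTABLISHED


class Bucket:
    """Token bucket behind -m limit (one bucket) and -m hashlimit (one per source IP)."""

    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = Fraction(rate_per_s), Fraction(burst)
        self.tokens, self.last = self.burst, Fraction(0)

    def take(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_chain(rules, packets, policy="ACCEPT"):
    """iptables semantics: the first matching rule's target is final, else the chain policy."""
    verdicts = []
    for p in packets:
        for name, match, target in rules:
            if match(p):
                verdicts.append((target, name))
                break
        else:
            verdicts.append((policy, "policy"))
    return verdicts


def posted_rules():
    """The four rate-limiting rules of the posted chain, in posted order."""
    new_bucket = Bucket(60, 20)                                 # --limit 60/s --limit-burst 20
    http = defaultdict(lambda: Bucket(Fraction(50, 60), 500))  # 50/min, burst 500, per srcip
    return [
        ("new-global-limit", lambda p: p.new and new_bucket.take(p.t), "ACCEPT"),
        ("new-global-drop", lambda p: p.new, "DROP"),
        ("http-hashlimit", lambda p: p.dport == 80 and http[p.src].take(p.t), "ACCEPT"),
        ("http-drop", lambda p: p.dport == 80, "DROP"),
    ]


def scenario():
    """Constructed traffic: one source sends 100 SYNs to port 80 at 200/s, a second
    source opens one connection near the end of that burst, then the flooding source
    sends 600 packets at 1000/s on connections that are already established."""
    flood, legit = "203.0.113.5", "198.51.100.7"
    syns = [Packet(Fraction(k, 200), flood, 80, True) for k in range(100)]
    syns.append(Packet(Fraction(496, 1000), legit, 80, True))
    data = [Packet(1 + Fraction(k, 1000), flood, 80, False) for k in range(600)]
    verdicts = run_chain(posted_rules(), syns + data)
    new_part, est_part = verdicts[:len(syns)], verdicts[len(syns):]
    return {
        # which rules ever decided a NEW packet: never the per-source hashlimit
        "rules_that_decided_new_packets": sorted({name for _, name in new_part}),
        "flood_syns_accepted": sum(1 for target, _ in new_part[:100] if target == "ACCEPT"),
        # the legitimate client's SYN is collateral damage of the global limit
        "legit_syn_verdict": new_part[100][0],
        # the per-source hashlimit instead throttles the established connections
        "established_dropped": sum(1 for target, _ in est_part if target == "DROP"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running it shows two things the rule listing hides: NEW packets are only ever decided by the global `-m limit` pair, so the per-IP hashlimit never limits new connections, while the global limit drops the legitimate client's SYN once the flood has drained it; and the hashlimit rule, seeing only established traffic, starts dropping packets of the flooding source's open connections after 500 of them. If the intent is a per-source limit on new connections, the hashlimit rule needs `-m conntrack --ctstate NEW` and a position before the global limit.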

Solution

  • As far as you know, is this legitimate traffic and not part of a DoS / DDoS? I assume with Cloudflare involved it is not; however, if so then it is best to have an IPS inspect the traffic at an application level and deny it based on a matching attack signature.

    If legitimate, then you will need to assess how the Tomcat application is operating, based on its code and the logs being produced.

    Maybe the Tomcat application is requiring the clients to send this data inbound.
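The answer's advice to work from the logs, turned into a check as an added example (mine, not from the answer or the post). It parses Apache access-log lines in the combined format with the request Cookie header appended, i.e. a LogFormat of `"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""` (an assumption; the post does not show its LogFormat), then reports sources that exceed a per-minute request threshold and how many of their requests carried no JSESSIONID cookie. A request without JSESSIONID that reaches a servlet or JSP which obtains a session makes Tomcat create a fresh one, which is how a flood of cookie-less requests turns into hundreds of sessions. The log lines and the session id are constructed.

```python
"""Per-source request rate and cookie-less request count from Apache access logs.

Assumes combined log format plus a trailing quoted %{Cookie}i field (my assumption,
not shown in the post). Added example, not code from the post or the answer.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, per_minute_threshold=50):
    """Count requests per (source IP, minute); flag sources above the threshold and
    count each source's requests that arrived without a JSESSIONID cookie."""
    per_minute = Counter()
    sessionless = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines in another format
        minute = rec["ts"].strftime("%Y-%m-%dT%H:%M")
        per_minute[(rec["ip"], minute)] += 1
        if "JSESSIONID=" not in rec["cookie"]:
            sessionless[rec["ip"]] += 1
    offenders = sorted(
        (ip, minute, n) for (ip, minute), n in per_minute.items() if n > per_minute_threshold
    )
    return {"offenders": offenders, "sessionless": dict(sessionless)}


def constructed_log():
    """Constructed sample: 120 cookie-less GETs from one TEST-NET-3 address within a
    single minute, plus three requests from a normal client carrying a session cookie."""
    base = ('{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET /app/ HTTP/1.1" 200 512 '
            '"-" "{ua}" "{cookie}"')
    flood = [base.format(ip="203.0.113.5", sec=k % 60, ua="python-requests/2.31", cookie="-")
             for k in range(120)]
    legit = [base.format(ip="198.51.100.7", sec=s, ua="Mozilla/5.0",
                         cookie="JSESSIONID=CONSTRUCTED0001")
             for s in (2, 17, 41)]
    return flood + legit


if __name__ == "__main__":
    report = analyze(constructed_log())
    for ip, minute, n in report["offenders"]:
        print(f"{ip} sent {n} requests in minute {minute}, "
              f"{report['sessionless'].get(ip, 0)} of them without a JSESSIONID cookie")
```

The default threshold of 50 per minute matches the hashlimit in the posted rules, so the report shows directly which sources that rule would be expected to throttle; a high cookie-less count from the same sources is the signature of the session growth described in the question.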