
How to configure Denial of Service filters in ODL controller

I am new to the ODL controller and the embedded Jetty. I would like to add the DoSFilter in jetty.xml to throttle the REST requests if there is request flooding.

I tried searching the internet, but it has a lot of examples for configuring DoSFilter in web.xml, and I have not found much help for jetty.xml.

Any help in configuring DoSFilter in jetty.xml would be of great help.

ODL - Nitrogen version

Jetty - 9.2.21.X version

The following are the options which I have tried so far.

Filters configured in jetty.xml:

    <Get name="handler">
        <Call name="addHandler">
            <Arg>
                <New class="org.eclipse.jetty.servlet.ServletContextHandler">
                    <Set name="contextPath">/</Set>
                    <Set name="resourceBase">../</Set>
                    <Call name="addFilter">
                        <Arg>
                            <New class="org.eclipse.jetty.servlet.FilterHolder">
                                <Arg>
                                    <New class="org.eclipse.jetty.servlets.DoSFilter" />
                                </Arg>
                                <Call name="setInitParameter">
                                    <Arg>maxRequestsPerSec</Arg>
                                    <Arg>30</Arg>
                                </Call>
                                <Call name="setInitParameter">
                                    <Arg>delayMs</Arg>
                                    <Arg>100</Arg>
                                </Call>
                                <Call name="setInitParameter">
                                    <Arg>maxRequestMs</Arg>
                                    <Arg>0</Arg>
                                </Call>
                                <Call name="setInitParameter">
                                    <Arg>maxIdleTrackerMs</Arg>
                                    <Arg>0</Arg>
                                </Call>
                                <Call name="setInitParameter">
                                    <Arg>ipWhitelist</Arg>
                                    <Arg>127.0.0.1</Arg>
                                </Call>
                            </New>
                        </Arg>
                        <Arg>/cxf/*</Arg>
                        <Arg>
                            <Call class="java.util.EnumSet" name="of">
                                <Arg>
                                    <Get class="javax.servlet.DispatcherType" name="REQUEST" />
                                </Arg>
                            </Call>
                        </Arg>
                    </Call>
                </New>
            </Arg>
        </Call>
    </Get>

Filters configured in web.xml:

    <filter>
            <filter-name>DoSFilter</filter-name>
            <filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>
            <init-param>
                    <param-name>maxRequestsPerSec</param-name>
                    <param-value>1</param-value>
            </init-param>
            <init-param>
                    <param-name>delayMs</param-name>
                    <param-value>100</param-value>
            </init-param>
            <init-param>
                    <param-name>maxRequestMs</param-name>
                    <param-value>0</param-value>
            </init-param>
            <init-param>
                    <param-name>maxIdleTrackerMs</param-name>
                    <param-value>0</param-value>
            </init-param>
            <init-param>
                    <param-name>ipWhitelist</param-name>
                    <param-value>127.0.0.1</param-value>
            </init-param>
    </filter>
    <filter-mapping>
            <filter-name>DoSFilter</filter-name>
            <url-pattern>/cxf/*</url-pattern>
    </filter-mapping>

Loganathan Mohanraj asked Mar 06 '20 06:03



1 Answer

Because you are using embedded Jetty, you do not need a jetty.xml file; instead, you can configure this through the API. Here is a code example which configures the DoSFilter with the same settings from your example in an embedded usage.

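    import java.util.EnumSet;
    import javax.servlet.DispatcherType;
    import org.eclipse.jetty.server.Server;
    import org.eclipse.jetty.server.ServerConnector;
    import org.eclipse.jetty.servlet.FilterHolder;
    import org.eclipse.jetty.servlet.ServletContextHandler;
    import org.eclipse.jetty.servlets.DoSFilter;

    public class EmbeddedJettyDoS {
        public static void main(String[] args) throws Exception {
            Server server = new Server();
            ServerConnector connector = new ServerConnector(server);
            server.addConnector(connector);

            ServletContextHandler contextHandler = new ServletContextHandler();
            contextHandler.setContextPath("/");
            server.setHandler(contextHandler);

            // Set maxRequestsPerSec to 30 and map the DoSFilter to all request paths.
            DoSFilter filter = new DoSFilter();
            filter.setMaxRequestsPerSec(30);
            contextHandler.addFilter(new FilterHolder(filter), "/*", EnumSet.of(DispatcherType.REQUEST));

            server.start();
            server.join();
        }
    }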

I would also suggest you update to the latest version of Jetty, as jetty-9.2 is End of Life; the latest version is currently jetty-9.4.27.

Lachlan answered Oct 02 '22 16:10