Menu
Flood Attack: In short, a hacker can keep hitting the server (without cookie) to force Java container to keep creating new session.
I am using Spring Security to manage session. I realize jsessionid keep being created before login, this is not what I want.
So I did:
1) in Spring security config:
sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
2) disable session creation in jsp. Because I am using apache tile, due to it is using dynamic include, so I have to disable session creation in all the jsp fragment. This is very tedious.
<%@page session="false"%>
First glance, it is fine, but there is a scenario I still got the session created.
Let's say before login, I visit a url that only can be visited after authenticated, Spring will redirect me to login page.
Before I am redirected, the response already instruct to set a new cookie, a session already created.
My Question:
1) Is session flood attack a serious issue? Should I really take care of it?
2) Is there any better way to handle this issue? Any best practise?
3) What happen to my code? It should work actually, I suspect the cookie is created by Spring, although I already set it to SessionCreationPolicy.NEVER. I can't set it to Stateless, I still need the session after login.
I am more concerned session attack compare to DDOS actually, I have also set .maximumSessions(1) in Spring to prevent multiple login. But above issue happen before login. Please help. Thanks.
469
HTTP flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application.
How to Mitigate and Prevent an ICMP Flood DDoS Attack? Preventing an ICMP flood DDoS attack can be accomplished by disabling the ICMP functionality of the targeted router, computer or other device. By setting your perimeter firewall to block pings, you can effectively prevent attacks launched from outside your network.
ISPs can detect and filter out potential DDoS packets before they reach your border, preventing such attacks from consuming all of your available bandwidth. Unfortunately, while ISP partnerships are effective, there is no silver bullet for guarding against DDoS attacks.
Your point looks valid, it probably can be a serious issue if not handled. I found there is already an open issue on this topic. But there is a work around available to control this behavior.
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
public HttpSessionRequestCache getHttpSessionRequestCache() {
HttpSessionRequestCache httpSessionRequestCache = new HttpSessionRequestCache();
httpSessionRequestCache.setCreateSessionAllowed(false);
return httpSessionRequestCache;
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.requestCache().requestCache(getHttpSessionRequestCache());
}
Refer following links for more details.
https://github.com/spring-projects/spring-security/issues/4242
How to stop Spring Security from creating a new session?
63
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
