How to prevent HTTP session flood attack

Flood Attack: In short, a hacker can keep hitting the server (without a cookie) to force the Java container to keep creating new sessions.

I am using Spring Security to manage sessions. I realize a jsessionid keeps being created before login, which is not what I want.

So I did:

1) In the Spring Security config:

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

2) Disable session creation in the JSPs. Because I am using Apache Tiles, which uses dynamic includes, I have to disable session creation in every JSP fragment. This is very tedious.

<%@page session="false"%>

At first glance it is fine, but there is a scenario where I still get a session created.

Let's say that before login I visit a URL that can only be visited after authentication; Spring will redirect me to the login page.

Before I am redirected, the response already instructs the client to set a new cookie, so a session has already been created.

My Question:

1) Is a session flood attack a serious issue? Should I really take care of it?

2) Is there any better way to handle this issue? Any best practice?

3) What happens in my code? It should actually work. I suspect the cookie is created by Spring, although I already set it to SessionCreationPolicy.NEVER. I can't set it to STATELESS, since I still need the session after login.

I am actually more concerned about session attacks than about DDOS. I have also set .maximumSessions(1) in Spring to prevent multiple logins, but the above issue happens before login. Please help. Thanks.

Sam YC asked Oct 11 '17 07:10




1 Answer

Your point looks valid; it probably can be a serious issue if not handled. I found there is already an open issue on this topic, but there is a workaround available to control this behavior.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Request cache that remembers the originally requested URL across the login
    // redirect, but is not allowed to create a session in order to store it.
    public HttpSessionRequestCache getHttpSessionRequestCache() {
        HttpSessionRequestCache httpSessionRequestCache = new HttpSessionRequestCache();
        httpSessionRequestCache.setCreateSessionAllowed(false);
        return httpSessionRequestCache;
    }

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.requestCache().requestCache(getHttpSessionRequestCache());
    }
}

Refer to the following links for more details.

https://github.com/spring-projects/spring-security/issues/4242

How to stop Spring Security from creating a new session?

vsoni answered Oct 30 '22 14:10
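A regression check for the behaviour discussed in this thread, written here as an added example and not taken from the question or the answer. It assumes a Spring Boot application with JUnit 5 and MockMvc on the test classpath, a hypothetical protected URL "/account", and a security configuration that applies SessionCreationPolicy.NEVER together with an HttpSessionRequestCache whose setCreateSessionAllowed(false) has been called, as in the answer above. The test sends a cold request (no JSESSIONID cookie) to the protected URL and fails if anything in the filter chain created a session while issuing the login redirect.

```java
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

// Added example: verifies that an anonymous request to a protected URL does not
// allocate a server-side session before login. "/account" is a hypothetical
// protected path; adjust it to one that your security config actually protects.
@SpringBootTest
@AutoConfigureMockMvc
class PreLoginSessionTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousRequestToProtectedUrlDoesNotCreateSession() throws Exception {
        // No JSESSIONID cookie is sent, mimicking a client that hits the server cold,
        // which is exactly the request pattern a session flood relies on.
        MvcResult result = mockMvc.perform(get("/account"))
                .andExpect(status().is3xxRedirection()) // redirected to the login page
                .andReturn();

        // getSession(false) returns null unless some component in the filter chain
        // (typically the request cache saving the original URL) created a session.
        assertNull(result.getRequest().getSession(false),
                "a session was created before login; check sessionCreationPolicy and the request cache");
    }
}
```

Run it as part of the normal test suite; if the assertion fails after the workaround is in place, some other component in the chain (a JSP fragment without session="false", a CSRF token repository backed by the session, or a custom filter) is still calling getSession(true) and is worth tracking down.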