Discussion:
Tomcat with half open tcp sockets
Alex O'Ree
2018-09-29 12:31:35 UTC
Does tomcat detect or mitigate against half open tcp connections? I
recently ran into an issue where something in between a java jaxws client
and a jaxws service running in tomcat is interfering with the tcp stream.
Resolving this client side has been a challenge due to the transmitting
thread hanging forever waiting to read from the remote server and not being
able to be interrupted or aborted. While troubleshooting this, it dawned on
me that services running in tomcat may run into a similar problem and I was
wondering if tomcat has any safeguards for this scenario. If it does, what
is the strategy used? I'm thinking maybe I can do something similar client
side.
Christopher Schultz
2018-10-02 17:44:11 UTC

Alex,
Post by Alex O'Ree
Does tomcat detect or mitigate against half open tcp connections?
Not directly. Basically, that's the OS's job.
Post by Alex O'Ree
I recently ran into an issue where something in between a java
jaxws client and a jaxws service running in tomcat is interfering
with the tcp stream. Resolving this client side has been a
challenge due to the transmitting thread hanging forever waiting to
read from the remote server and not being able to be interrupted or
aborted. While troubleshooting this, it dawned on me that services
running in tomcat may run into a similar problem and I was wondering
if tomcat has any safeguards for this scenario. If it does, what
is the strategy used? I'm thinking maybe I can do something similar
client side.
In these cases, the only option the server has is to close the
connection and then let the TCP stack purge the connection after some
time in the penalty box (FIN_WAIT, FIN_WAIT2, or TIME_WAIT).

If you see these kinds of connections piling up, you may want to tweak
the options of your TCP stack to have them cleared out more quickly.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Alex O'Ree
2018-10-04 00:25:27 UTC
Thanks Chris. I ended up using aggressive read timeout values on the Web
service clients by adding properties to the binding provider. Thing is,
every jre version and soap attacks use different versions which made this
much harder to track down.
Christopher Schultz
2018-10-04 16:57:18 UTC

Alex,
Post by Alex O'Ree
Thanks Chris. I ended up using aggressive read timeout values on
the Web service clients by adding properties to the binding
provider. Thing is, every jre version and soap attacks use
different versions which made this much harder to track down.
SOAP attacks?

FWIW, all clients should always be specifying sane timeout values.
Most programmers are lazy, though, and leave them to the default
(which is almost always "infinite").

-chris
Alex O'Ree
2018-10-04 19:37:28 UTC
Sorry, mobile typo. Soap stack, as in cxf, axis, sun jaxws ri

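The fix Alex describes (read timeouts pushed into the binding provider, with a different property name per JRE and SOAP stack) and Chris's point that every client should set sane timeouts, as an added example that is not code from this thread or from Tomcat, CXF, Axis or the JAX-WS RI. It assumes a JAX-WS port proxy obtained from `wsimport`-generated stubs (the `OrderService`/`OrderPort` names in the usage comment are hypothetical); the property keys are the ones I know the JDK-bundled RI, the standalone RI (Metro), CXF and JBossWS read, and writing all of them at once is what sidesteps the "which key does this version use" problem, since a stack ignores keys it does not recognise.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.xml.ws.BindingProvider;

/**
 * Added example, not code from the thread. Applies explicit connect and read
 * timeouts to a JAX-WS port proxy so a call can never block forever on a
 * half-open or stalled connection. Every known property key is written; each
 * SOAP stack picks up the one(s) it understands and ignores the rest.
 */
public final class SoapClientTimeouts {

    /** Connect-timeout keys (milliseconds). */
    static final List<String> CONNECT_KEYS = Arrays.asList(
        "com.sun.xml.internal.ws.connect.timeout", // JDK-bundled JAX-WS RI
        "com.sun.xml.ws.connect.timeout",          // standalone JAX-WS RI / Metro
        "javax.xml.ws.client.connectionTimeout");  // Apache CXF, JBossWS

    /** Read (receive) timeout keys (milliseconds); bounds each blocking socket read. */
    static final List<String> READ_KEYS = Arrays.asList(
        "com.sun.xml.internal.ws.request.timeout",
        "com.sun.xml.ws.request.timeout",
        "javax.xml.ws.client.receiveTimeout");

    private SoapClientTimeouts() {}

    /**
     * Sets both timeouts on the proxy and returns it for chaining. Values must be
     * positive: 0 means "wait forever" in the stacks above, which is the default
     * behaviour this method exists to replace.
     */
    public static <T> T applyTimeouts(T port, int connectMillis, int readMillis) {
        if (connectMillis <= 0 || readMillis <= 0) {
            throw new IllegalArgumentException("timeouts must be > 0 ms (0 = wait forever)");
        }
        if (!(port instanceof BindingProvider)) {
            throw new IllegalArgumentException("not a JAX-WS port proxy: " + port);
        }
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        for (String key : CONNECT_KEYS) {
            ctx.put(key, connectMillis);
        }
        for (String key : READ_KEYS) {
            ctx.put(key, readMillis);
        }
        return port;
    }

    /**
     * Startup/review check: true only if at least one read-timeout key carries a
     * positive value. Handy as an assertion before a proxy goes into a pool, so a
     * "forgot the timeout" regression fails fast instead of hanging a thread later.
     */
    public static boolean hasReadTimeout(Object port) {
        if (!(port instanceof BindingProvider)) {
            return false;
        }
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        for (String key : READ_KEYS) {
            Object v = ctx.get(key);
            if (v instanceof Number && ((Number) v).longValue() > 0) {
                return true;
            }
            if (v instanceof String) { // CXF also accepts the value as a string
                try {
                    if (Long.parseLong((String) v) > 0) {
                        return true;
                    }
                } catch (NumberFormatException ignored) {
                    // malformed value: treat as "no timeout configured"
                }
            }
        }
        return false;
    }

    // Usage (names hypothetical; OrderService/OrderPort stand for wsimport output):
    //   OrderPort port = new OrderService().getOrderPort();
    //   SoapClientTimeouts.applyTimeouts(port, 5_000, 30_000);
    //   if (!SoapClientTimeouts.hasReadTimeout(port)) throw new IllegalStateException();
}
```

Two caveats worth keeping in mind. The symptom in the thread (a thread stuck in a read that cannot be interrupted) is inherent to the transport: `HttpURLConnection` reads through a classic `java.net.Socket`, and blocking reads there do not respond to `Thread.interrupt()`, so a read timeout is the only lever that reliably unblocks the thread. And a read timeout bounds each individual read, not the whole call, so a peer that keeps trickling bytes can still hold the thread longer than the configured value; if the total call duration matters, wrap the call in a `Future` with its own deadline as well.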