Preventing POST Denial-of-Service Attacks
A Denial-of-Service attack is a malicious attempt to overload a server with phony requests. One common type of attack is to send huge amounts of data in an HTTP POST method. You can set three attributes in WebLogic Server that help prevent this type of attack. These attributes are set in the Console, under Servers or Virtual Hosts. If you define these attributes for a virtual host, the values set for the virtual host override those set under Servers.
PostTimeoutSecs
MaxPostTimeSecs
Maximum time that WebLogic Server spends receiving post data. If this limit is triggered, a PostTimeoutException is thrown and the following message is sent to the server log:
MaxPostSize
Maximum number of bytes of data received in a POST from a single request. If this limit is triggered, a MaxPostSizeExceeded exception is thrown and the following message is sent to the server log: POST size exceeded the parameter MaxPostSize. An HTTP error code 413 (Request Entity Too Large) is sent back to the client. If the client is in listening mode, it gets these messages. If the client is not in listening mode, the connection is broken. The default value for MaxPostSize is -1.
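The following is an added illustration, not WebLogic Server code, of how a byte cap and a total receive-time cap like MaxPostSize and MaxPostTimeSecs behave when they are enforced while the body is still arriving, including a request that sends no Content-Length. The function name, exception names and timeout message text are hypothetical, and treating a negative value as "no limit" is an assumption drawn from the -1 default.

```python
import io
import time

class PostSizeExceeded(Exception):
    status = 413  # Request Entity Too Large, as the page states

class PostTimeExceeded(Exception):
    pass  # the page names no status code for this case

def read_post_body(stream, content_length=None, max_post_size=-1,
                   max_post_time_secs=-1, chunk_size=4096, clock=time.monotonic):
    """Read one POST body from `stream`, enforcing both limits as data arrives.

    Assumption: a negative limit disables that check.
    """
    # Cheap early rejection when the client declares an oversized body.
    if content_length is not None and 0 <= max_post_size < content_length:
        raise PostSizeExceeded("POST size exceeded the parameter MaxPostSize")
    deadline = None if max_post_time_secs < 0 else clock() + max_post_time_secs
    body = bytearray()
    while content_length is None or len(body) < content_length:
        # Total receive time, so a slow trickle cannot hold the worker forever.
        if deadline is not None and clock() > deadline:
            # Constructed message text; the page does not show the real one.
            raise PostTimeExceeded("POST not received within MaxPostTimeSecs")
        want = chunk_size
        if content_length is not None:
            want = min(chunk_size, content_length - len(body))
        chunk = stream.read(want)
        if not chunk:  # client finished or closed the connection
            break
        body += chunk
        # Count real bytes: the declared length may be absent entirely.
        if 0 <= max_post_size < len(body):
            raise PostSizeExceeded("POST size exceeded the parameter MaxPostSize")
    return bytes(body)

if __name__ == "__main__":
    # Constructed input: 10,000 bytes sent with no Content-Length header.
    try:
        read_post_body(io.BytesIO(b"A" * 10_000), max_post_size=5_000)
    except PostSizeExceeded as exc:
        print(exc.status, exc)
```

On a real socket each read also needs its own timeout, otherwise a stalled client blocks inside `read` and the deadline check is never reached.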