
I have searched a lot, but I still don't understand whether using Grizzly means I am protected from these attacks, or whether I should do more?

Currently, the only thing I do in my program is deploy my resource classes (annotated with @Path; I am using Jersey) to Grizzly with the following code:

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import com.sun.grizzly.http.SelectorThread;
import com.sun.jersey.api.container.grizzly.GrizzlyWebContainerFactory;

// Jersey 1.x init parameter: the package scanned for @Path resource classes
final Map<String, String> initParams = new HashMap<String, String>();
initParams.put("com.sun.jersey.config.property.packages", "MyServer.resources");
final String uri = "http://localhost:9998/"; // assumed base URI; not shown in the original
SelectorThread threadSelector;
try {
    threadSelector = GrizzlyWebContainerFactory.create(uri, initParams);
    System.out.println("Press enter to stop server...");
    System.in.read();
    threadSelector.stopEndpoint();
} catch (IOException e) {
    e.printStackTrace();
}

In my resource method I have access to a list of JAXB beans for which I haven't specified any size (I don't know whether it is possible to check the size at this point to avoid receiving huge requests; if it is possible, it would be a great help if someone told me!), so I'm worried that an attacker could send continuous large requests (my normal request size should be under 6 beans!) and cause a denial of service. I have just started learning about security risks and dealing with them, this is my first attempt!

I am going to check the size in the body of the request handler method, which is after the server has fully received the request. Is that enough?

The Grizzly documentation says it has good buffer management (I may be mixing up buffer overflow with denial of service), but I don't know whether I should configure any setting or whether it is protected by default?

EDIT:

Part of my question has been answered well, but I am still looking for some hints, especially about Grizzly or Jersey, and whether there is a single entry point where I could do some checks on all incoming requests?

Thanks!


1 Answer


If you are using Java you are pretty much immune from classic buffer overrun attacks, unless you are using native code libraries to process stuff you get from the net.

On the other hand, protecting yourself from denial of service attacks tends to require a whole-of-system approach.

EDIT

By "whole of system" approach, I mean one that takes account of the impact on your network bandwidth, infrastructure and back-end servers as well as just your web server. For instance, an attack directed at your network bandwidth or DNS can take you off the air irrespective of how you implement your webserver. At the other end, someone could target aspects of your web application; e.g. knowledge that a particular query is very expensive ... or that it leaks resources and eventually crashes your application.

(I'm not an expert on this. I'm just trying to point out that just looking at your web server platform is not sufficient ... if you really care about defending against DDoS.)

answered 2010-12-14T03:03:10.610
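The question's follow-up asks for a single entry point in Jersey or Grizzly where every incoming request can be checked, and whether checking the bean list inside the resource method (after the whole body has arrived) is enough. The following is an added example, not code from the question, the answer, or the Jersey/Grizzly projects. It uses Jersey 1.x's ContainerRequestFilter, which runs once per request before any @Path method and before JAXB unmarshals the entity, to reject oversized bodies. The package MyServer.filters, the class name RequestSizeFilter and the 16 KiB limit are assumptions chosen to match the question's "fewer than 6 beans" workload; the registration property and the ContainerRequest methods used are Jersey 1.x API.

```java
package MyServer.filters;  // assumed package, alongside the question's MyServer.resources

import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

/**
 * One entry point for all requests handled by Jersey 1.x. Register it next to the
 * packages property in the question's initParams map:
 *
 *   initParams.put("com.sun.jersey.spi.container.ContainerRequestFilters",
 *                  "MyServer.filters.RequestSizeFilter");
 *
 * The filter runs after Grizzly has parsed the request line and headers but before
 * the entity is read, so an oversized body is refused instead of being unmarshalled
 * into an unbounded list of beans.
 */
public class RequestSizeFilter implements ContainerRequestFilter {

    // Assumed limit: a request of "fewer than 6 beans" should be far below this.
    private static final long MAX_BODY_BYTES = 16 * 1024;

    @Override
    public ContainerRequest filter(ContainerRequest request) {
        // Fast path: a declared Content-Length above the limit is rejected before
        // a single body byte is read.
        String declared = request.getHeaderValue("Content-Length");
        if (declared != null) {
            long length;
            try {
                length = Long.parseLong(declared.trim());
            } catch (NumberFormatException e) {
                throw new WebApplicationException(
                        Response.status(400).entity("Malformed Content-Length").build());
            }
            if (length > MAX_BODY_BYTES) {
                throw tooLarge();
            }
        }
        // Content-Length may be absent (chunked transfer) or understated, so the
        // entity stream itself is capped: the JAXB reader pulls through this wrapper
        // and the request is aborted as soon as the limit is crossed.
        request.setEntityInputStream(
                new BoundedInputStream(request.getEntityInputStream(), MAX_BODY_BYTES));
        return request;
    }

    private static WebApplicationException tooLarge() {
        // 413 Request Entity Too Large, built from the numeric code because the
        // JAX-RS 1.1 Response.Status enum has no constant for it.
        return new WebApplicationException(Response.status(413)
                .entity("Request body exceeds " + MAX_BODY_BYTES + " bytes").build());
    }

    /** InputStream wrapper that aborts once more than 'limit' bytes have been read. */
    static final class BoundedInputStream extends FilterInputStream {
        private final long limit;
        private long count;

        BoundedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }

        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b != -1) {
                consumed(1);
            }
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) {
                consumed(n);
            }
            return n;
        }

        private void consumed(long n) {
            count += n;
            if (count > limit) {
                throw tooLarge();  // mapped by Jersey to the 413 response
            }
        }
    }
}
```

Two caveats that the answer's "whole-of-system" point covers: this filter only bounds the body of a request Grizzly has already accepted and parsed, so it does nothing against connection floods, oversized headers or slow senders, which are matters of server connection limits, timeouts and upstream infrastructure rather than application code; and if a JAXB/SAX layer wraps the WebApplicationException thrown mid-read, an ExceptionMapper that unwraps it restores the 413 reply (treat that as an assumption to verify against the Jersey version in use).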