
Flood protection for Jetty server?

I'm looking for a solution to prevent a Jetty server from being taken down by a DDoS or similar. Currently the servlets will open a new thread for each incoming connection, so 1 mio incoming connections will open 1 mio threads and Jetty will explode.

What's the best way to avoid this thread? I thought about putting an Apache between client and server, since the webserver has the ability to limit incoming connections from one IP to e.g. 5 connections/second.

What do you think about my idea?

Kind Regards,

Hendrik


Jetty ships with a Quality of Service filter that should do what you want. See http://wiki.eclipse.org/Jetty/Feature/Quality_of_Service_Filter


DoSFilter can be used to provide DDoS protection.

To quote the description from the wiki,

The Denial of Service (DoS) filter limits exposure to request flooding, whether malicious, or as a result of a misconfigured client. The DoS filter keeps track of the number of requests from a connection per second. If the requests exceed the limit, Jetty rejects, delays, or throttles the request, and sends a warning message.

To enable it, include the below in the configuration in the webapp's web.xml or jetty-web.xml:

<filter>
  <filter-name>DoSFilter</filter-name>
  <filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>
  <init-param>
    <param-name>maxRequestsPerSec</param-name>
    <param-value>30</param-value>
  </init-param>
</filter>

Check the wiki for customization.
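The same DoSFilter can be registered programmatically in embedded Jetty, which also lets you bound the thread pool the question worries about. The following is an added example, not code from the original answer or from the Jetty project; it assumes Jetty 9.x with the jetty-servlets artifact on the classpath, and the port, limits and servlet are illustrative values.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.servlets.DoSFilter;
import org.eclipse.jetty.util.thread.QueuedThreadPool;

public class RateLimitedJetty {
    public static void main(String[] args) throws Exception {
        // A bounded pool: a flood of connections queues instead of spawning threads without limit.
        QueuedThreadPool pool = new QueuedThreadPool(200, 8); // max 200, min 8 threads (assumed values)
        Server server = new Server(pool);
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(8080);            // assumed port
        connector.setAcceptQueueSize(128);  // cap the kernel accept backlog as well
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        server.setHandler(context);

        // DoSFilter: per-connection request rate, same init-param names as the web.xml form.
        FilterHolder dos = new FilterHolder(DoSFilter.class);
        dos.setInitParameter("maxRequestsPerSec", "30"); // limit per connection per second
        dos.setInitParameter("delayMs", "100");           // over the limit: delay 100 ms (-1 would reject)
        dos.setInitParameter("maxWaitMs", "50");          // max wait for the rate-limit semaphore
        dos.setInitParameter("throttledRequests", "5");   // requests allowed to wait concurrently
        dos.setInitParameter("throttleMs", "30000");      // max time a throttled request waits
        dos.setInitParameter("maxRequestMs", "30000");    // abort requests running longer than this
        dos.setInitParameter("insertHeaders", "true");    // add DoSFilter headers for diagnostics
        dos.setAsyncSupported(true);                      // the delay/throttle path uses async servlets
        context.addFilter(dos, "/*", EnumSet.of(DispatcherType.REQUEST));

        // Trivial servlet behind the filter (illustrative only).
        ServletHolder hello = new ServletHolder(new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().println("ok");
            }
        });
        hello.setAsyncSupported(true);
        context.addServlet(hello, "/*");

        server.start();
        server.join();
    }
}
```

Note that the filter only limits request rate for connections Jetty has already accepted; the thread-pool and accept-queue bounds are what keep a raw connection flood from exhausting threads.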


The idea of serving new connections with org.eclipse.jetty.servlets.QoSFilter is good, but I would rather use a typical anti-DDoS configuration based on iptables (like in this article: http://blog.bodhizazen.net/linux/prevent-dos-with-iptables/).

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

In this case DDoS protection is separated from the app, and is more productive because excess packets will be dropped before reaching Jetty.

