2.10 Using Tomcat connectionTimeout Attribute to Defend Against Denial-of-Service Attack

If a client sends a request slowly or in pieces, the server holds the connection open until the complete request arrives. An attacker can exploit this by opening many connections at the same time and deliberately never finishing the requests on them. Each stalled connection ties up a connector thread or a slot in the connection pool, so the server slows down and eventually cannot accept requests from legitimate clients, resulting in a denial-of-service.

You can mitigate this issue by using the connectionTimeout attribute of the Tomcat Connector. It sets, in milliseconds, how long the connector waits after accepting a connection for the request line to arrive; unless disableUploadTimeout is set to false, the same timeout also applies while the request body is being read, and keepAliveTimeout (the idle time allowed between requests on a kept-alive connection) defaults to the same value. If the attribute is absent, Tomcat uses 60000 (i.e. 60 seconds); a value of -1 disables the timeout entirely. Reducing this value limits how long an idle or stalled connection is held for each request, and thereby keeps the server responsive even under a denial-of-service attack. Note that connectionTimeout bounds the wait between reads, not the total lifetime of a request: a client that sends a few bytes just before each timeout expires still holds its connection, so combine a short timeout with appropriate maxThreads and maxConnections values on the connector. Do not set the value so low that legitimate clients on slow links, for example those performing large uploads, are cut off.

You must perform the following actions to configure the connectionTimeout attribute on the server:

  1. Stop Tomcat.

  2. Navigate to the conf directory for Tomcat, located by default in the following directories:

    Linux: /opt/netiq/idm/apps/tomcat/conf/

    Windows: C:\NetIQ\idm\apps\tomcat\conf

  3. In a text editor, open the server.xml file from the conf directory.

  4. In the connector configuration, add the connectionTimeout attribute (or change its value if it is already present) and set a value in milliseconds, as desired. Below is an extract of the connector configuration from the server.xml file in which connectionTimeout is set to 20000 (20 seconds).

    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8543" />

  5. Save the server.xml file.

  6. Start Tomcat.
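The following Python script is an added example and is not part of the NetIQ documentation or of Tomcat. It does two things a practitioner would want after completing the procedure above: it audits every <Connector> in a server.xml for its effective connectionTimeout (applying Tomcat's documented default of 60000 ms when the attribute is absent, and treating -1 as no timeout), and it probes a running connector by sending an incomplete request and timing how long the server holds the connection open. The embedded server.xml is constructed for the demonstration, the function names (audit_connectors, measure_idle_timeout, demo) are my own, and the small stand-in server is there only so the probe can be exercised offline; it is not Tomcat. Point measure_idle_timeout at a real host and port only on systems you are authorised to test.

```python
"""Audit Tomcat server.xml connectionTimeout values and probe a live connector.

Added example; not part of the NetIQ documentation. Assumes Tomcat's documented
semantics: connectionTimeout is in milliseconds, the attribute default is 60000,
and -1 means no timeout.
"""
import socket
import threading
import time
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MS = 60000  # Tomcat's default when the attribute is absent

# Constructed sample server.xml for the demo (not a real deployment file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150"/>
    <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1"
               redirectPort="8543"/>
    <Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="-1" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" connectionTimeout="20000"
               redirectPort="8543"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml, max_ms=20000):
    """Return one finding per <Connector>: its effective timeout and a status.

    A missing attribute falls back to Tomcat's default of 60000 ms; -1 disables
    the timeout entirely, which is the worst case for a slow-request attack.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        raw = conn.get("connectionTimeout")
        effective = TOMCAT_DEFAULT_MS if raw is None else int(raw)
        if effective < 0:
            status = "FAIL: no timeout (-1); a stalled client holds the connection forever"
        elif effective > max_ms:
            status = f"WARN: {effective} ms exceeds the {max_ms} ms target"
        else:
            status = "OK"
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "configured": raw,
            "effective_ms": effective,
            "status": status,
        })
    return findings


def measure_idle_timeout(host, port, max_wait_s=90.0):
    """Send an incomplete request and time how long the server keeps the socket open.

    Returns seconds until the server closed the connection, or None if it was
    still open after max_wait_s. Only use against servers you may test.
    """
    started = time.monotonic()
    with socket.create_connection((host, port), timeout=max_wait_s) as s:
        # Request line and one header, but no terminating blank line:
        # from the server's point of view the request never completes.
        s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n")
        try:
            while True:
                if not s.recv(4096):  # EOF: the server closed the connection
                    return time.monotonic() - started
        except socket.timeout:
            return None


class _StandInServer(threading.Thread):
    """Local stand-in (not Tomcat) that drops a connection idle for timeout_s seconds."""

    def __init__(self, timeout_s):
        super().__init__(daemon=True)
        self.timeout_s = timeout_s
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        conn.settimeout(self.timeout_s)
        try:
            while conn.recv(4096):  # keep reading until the client stalls or closes
                pass
        except socket.timeout:
            pass  # client went quiet: behave like a connector whose timeout expired
        finally:
            conn.close()


def demo(timeout_s=0.5):
    """Audit the sample server.xml, then probe the stand-in; returns the held time."""
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']:>5} {f['protocol']:<45} "
              f"effective {f['effective_ms']:>6} ms  {f['status']}")
    server = _StandInServer(timeout_s)
    server.start()
    held = measure_idle_timeout("127.0.0.1", server.port, max_wait_s=10)
    print(f"stand-in held an incomplete request open for {held:.2f} s")
    return held


if __name__ == "__main__":
    demo()
```

Against a real Tomcat, the measured time should land close to the configured connectionTimeout; a result far above it usually means the attribute was set on a different Connector than the one listening on that port, or that the value was not reloaded because Tomcat was not restarted.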