Denial of service on web app

I noticed the following very easy way to cause a denial of service on a standalone web app.
If you just write software that opens multiple connections to the web server without sending any data, just making a connection,
within a few seconds you will have a denial of service.

Is this normal or am I missing something?

I think it is the standard way to do a DoS to any Web Server.

I think it would be nice at least to have some kind of access to “idle” sockets in order to prevent this from happening.

The thing is that we can’t tell if any of those socket connections will always be idle. It could be that the connection is just slow.

If you are concerned about a particular client making too many connections, you should configure your firewall to prevent that. It will be faster and less CPU intensive than anything we could do.

But remember that because of NAT you can’t rely on the IP address to determine multiple connections to a single client. There could be hundreds or thousands of users behind a corporate or university firewall that will all have the same public IP address. You will need to use cookies to enforce some kind of restriction on the number of connections, which means doing this at the web server or web app level.

I’d never recommend putting a standalone web app directly on the public internet. It’s great for easily dropping in on an intranet (and that’s why it exists), but it isn’t made as a full-time, public web server. There are plenty of web server projects (Apache, Nginx, Lighttpd, etc.) dedicated to handling all kinds of issues you run into on the public internet. You’re going to want to run even standalone instances behind a server (as a reverse proxy) like the above, which are built to take care of those issues, like idle connections, and many more…
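
An added example, not part of the original thread: one way to set up the reverse proxy suggested above, using nginx with timeouts that close connections which never send a request. The backend address `127.0.0.1:8080`, the host name `app.example.test`, and the limit values are assumptions to be tuned for the real deployment.

```nginx
# Example reverse proxy in front of a standalone web app (assumed to listen
# on 127.0.0.1:8080 and to be unreachable from outside except through nginx).
events {
    worker_connections 4096;   # nginx holds idle sockets cheaply; the app never sees them
}

http {
    # Shared-memory zone keyed by client address, used by limit_conn below.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    server {
        listen 80;
        server_name app.example.test;   # placeholder host name

        # A client that connects and does not deliver a complete request
        # header within 10s is answered with 408 and the connection is closed.
        client_header_timeout 10s;

        # Maximum gap between two successive reads of the request body.
        # This is a per-read gap, so a slow but active upload is not cut off.
        client_body_timeout 10s;

        # Same idea for writes to a client that stops reading the response.
        send_timeout 10s;

        # How long an idle keep-alive connection may stay open between requests.
        keepalive_timeout 15s;

        # Cap concurrent requests per address. nginx only counts a connection
        # here once its full request header has been read, so this does not
        # cover silent connections; those are handled by the timeouts above
        # and by connection limits at the firewall. The cap is kept generous
        # because many users can share one public address behind NAT.
        limit_conn per_ip 50;
        limit_conn_status 429;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

With this in place the web app only receives connections for which nginx has already read a complete request header, so sockets that connect and stay silent are held and timed out by the proxy rather than by the app.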

It is obvious I am not experienced in web development.
I will implement your suggestions.

Thank you for your answers.