---
id: 57e772c3-156a-4df5-b4b4-bd42c5763fbf
---

# DoS Attack on Tomcat Server
---

A DoS (Denial of Service) attack on a Tomcat server occurs when attackers flood the server with an overwhelming amount of traffic, causing the server to become unresponsive and unable to handle legitimate requests. This attack results in service disruptions, making the server unavailable to users. The goal of the DoS attack is to make the targeted service unavailable to its users, causing inconvenience or financial losses to the organization that operates the server.

### Parameters
```shell
export TOMCAT_PORT="PLACEHOLDER"

export NETWORK_INTERFACE="PLACEHOLDER"

export IP_ADDRESS="PLACEHOLDER"

export BLOCK_DURATION_SECONDS="PLACEHOLDER"
```

## Debug

### Check if Tomcat service is running
```shell
systemctl status tomcat
```

### Check if Tomcat is listening on the expected port
```shell
netstat -tulnp | grep ${TOMCAT_PORT}
```

### Check the current active connections to Tomcat
```shell
netstat -ant | grep ${TOMCAT_PORT} | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Check the server's resource utilization (CPU, memory, disk, network)
```shell
top
```

### Check if there are any firewall rules blocking traffic to Tomcat
```shell
iptables -L -n | grep ${TOMCAT_PORT}
```

### Check the server's network traffic
```shell
tcpdump -i ${NETWORK_INTERFACE} port ${TOMCAT_PORT}
```

### Check if there are any other services consuming too much resources
```shell
ps aux | sort -rk 3,3 | head -n 10
```

## Repair

### Identify the source of the DoS attack and block the IP address or range.
```shell
bash

#!/bin/bash

# Define variables

IP_ADDRESS=${IP_ADDRESS}

BLOCK_DURATION=${BLOCK_DURATION_SECONDS}

# Block IP address

iptables -A INPUT -s $IP_ADDRESS -j DROP

# Unblock IP address after specified duration

(sleep $BLOCK_DURATION && iptables -D INPUT -s $IP_ADDRESS -j DROP) &

```

A DoS (Denial of Service) attack on a Tomcat server occurs when attackers flood the server with an overwhelming amount of traffic, causing the server to become unresponsive and unable to handle legitimate requests. This attack results in service disruptions, making the server unavailable to users. The goal of the DoS attack is to make the targeted service unavailable to its users, causing inconvenience or financial losses to the organization that operates the server.


When too many requests are sent to a Tomcat server, the thread pools that handle these requests can run out of available threads. This means that incoming requests will not be processed, leading to service degradation or even a complete outage. This incident type is critical for web applications that rely on Tomcat as their application server.


Tomcat thread pool exhaustion.

Tomcat Server Crash incident type refers to a situation where the Tomcat Server, an open-source web server and servlet container, becomes unresponsive and stops functioning. This can result in a complete or partial system outage, leading to a disruption in the delivery of web applications and services. The root cause of the crash can be attributed to a variety of factors such as misconfiguration, network or hardware issues, software bugs, or excessive server load. It is critical to address this incident quickly to minimize the impact on users and restore normal system functionality.


Tomcat Server Crash

This incident type is related to the Tomcat server, which is a popular open-source Java application server. It occurs when the available threads in the connection pool are running low, which means that there are not enough resources to serve incoming requests. This can cause delays or even failures in the application's performance, impacting the end-user experience. It is important to monitor and address this issue promptly to ensure that the application runs smoothly and efficiently.


Tomcat Low Available Threads in Connection Pool

In software engineering, a large number of suspended threads in Tomcat is an incident type that occurs when a high number of threads are created but are blocked from executing. This can happen due to a variety of reasons, such as slow database queries, network latency, or resource contention. When this occurs, the system may become unresponsive or slow, causing a degradation in performance or even a complete system failure. It is important to investigate and resolve this issue as quickly as possible to ensure the system can continue to function properly.


Tomcat Large Number of Suspended Threads Incident.

Tomcat JVM OutOfMemory incident occurs when the Java Virtual Machine (JVM) running the Apache Tomcat server runs out of memory, which causes the server to crash or become unresponsive. This type of incident can happen due to a variety of reasons such as incorrect configuration settings, memory leaks, or insufficient memory allocation. When this incident occurs, it can impact the availability and performance of the web application running on the Tomcat server.


Tomcat JVM OutOfMemory Incident

```shell
export TOMCAT_PORT="PLACEHOLDER"

export NETWORK_INTERFACE="PLACEHOLDER"

export IP_ADDRESS="PLACEHOLDER"

export BLOCK_DURATION_SECONDS="PLACEHOLDER"
```


### Check if Tomcat service is running

```shell
systemctl status tomcat
```

### Check if Tomcat is listening on the expected port

```shell
netstat -tulnp | grep ${TOMCAT_PORT}
```

### Check the current active connections to Tomcat

```shell
netstat -ant | grep ${TOMCAT_PORT} | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```

### Check the server's resource utilization (CPU, memory, disk, network)

```shell
top
```

### Check if there are any firewall rules blocking traffic to Tomcat

```shell
iptables -L -n | grep ${TOMCAT_PORT}
```

### Check the server's network traffic

```shell
tcpdump -i ${NETWORK_INTERFACE} port ${TOMCAT_PORT}
```

### Check if there are any other services consuming too much resources

```shell
ps aux | sort -rk 3,3 | head -n 10
```


### Identify the source of the DoS attack and block the IP address or range.

```shell
bash

#!/bin/bash

# Define variables

IP_ADDRESS=${IP_ADDRESS}

BLOCK_DURATION=${BLOCK_DURATION_SECONDS}

# Block IP address

iptables -A INPUT -s $IP_ADDRESS -j DROP

# Unblock IP address after specified duration

(sleep $BLOCK_DURATION && iptables -D INPUT -s $IP_ADDRESS -j DROP) &

```


DoS Attack on Tomcat Server

Overview

Parameters

Debug

Check if Tomcat service is running

Check if Tomcat is listening on the expected port

Check the current active connections to Tomcat

Check the server's resource utilization (CPU, memory, disk, network)

Check if there are any firewall rules blocking traffic to Tomcat

Check the server's network traffic

Check if there are any other services consuming too much resources

Repair

Identify the source of the DoS attack and block the IP address or range.

Learn more

Related Runbooks

Tomcat thread pool exhaustion.

Tomcat Server Crash

Tomcat Low Available Threads in Connection Pool

Tomcat Large Number of Suspended Threads Incident.

Support