Comments (5)
Using Executors would be a nice extension; anyone in for a pull request?
from nanohttpd.
You only have 1 thread per session, and each session is bound to a socket, so in the current TCP/IP stack that means a hard limit of 65,536 "worker" threads.
AFAIK modern hardware and operating systems can handle that pretty well although probably slow.
When people talk about DDoS it seems to me they're just pulling out a fancy buzzword to mean flood attacks (and I don't mean you are doing it). Let's leave DDoS alone, it's not something everyone can pull off, it requires botnets and more-illegal-than-usual tricks you won't see script kiddies using. But let's talk about DoS. There are several forms of Denial of Service, among them Flooding and Slow Loris (my personal favorite). Slow Loris works a bit like Flooding, except instead of attempting to overload a server with data you abuse the Keep-Alive to lock as many ports / worker threads on the server as possible, which requires a lot less power because you can just send a single byte every 5 minutes to keep a socket alive and busy. While it may take some serious bandwidth or processing power to flood a server, if you lower the amount of workers it becomes a lot easier. If you were to lower the amount of threads to a hardcoded 50, any kid with a low-cost Android phone can lock the whole server down with a Slow Loris DoS attack.
And what I mean with this is, we should allow a limit to the amount of threads, but let the server administrator define how many. It's up to whoever is running NanoHTTPD to decide how many resources they want to sink into the server before it locks down. 25 or 50 threads seems like a decent limit on an Android phone, but if I were running NanoHTTPD in a beefy dedicated server I'd rather sink everything I've got into it until the server dies in a huge flood than allow any kid with a smartphone to DoS my application because I'm running on a 50 thread limit.
I think it is easiest to introduce the thread pool in the refactored code. Or should we move this to 3.1.0?
You can change it at any point, I don't think it will have a significant impact on the code structure.
Using a thread pool seems like a great idea as it increases efficiency a lot... BUT it also leaves you vulnerable to Slow Loris and similar attacks unless you have more than one pool or some kind of security system that checks and categorizes requests, which would be complex and a massive overhead.
This will invariably turn into a security vs efficiency debate.
Yes, let's keep it simple and dynamic. I will introduce something simple like
startInThread(Runnable)
and the default just creates a thread. Subclasses can just use ThreadPools if they want to.
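As an added illustration of the startInThread(Runnable) hook proposed in the last comment, combined with the operator-chosen worker limit argued for earlier in the thread (this is example code, not NanoHTTPD's own): a hypothetical subclass routes each session onto a fixed-size pool with a bounded queue and arms a per-socket read timeout, so a connection that trickles a byte every few minutes times out and releases its worker instead of holding it indefinitely. The class names, the handleConnection method and the hook's exact signature are assumptions.

```java
import java.io.IOException;
import java.net.Socket;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

/** Hypothetical base class carrying the startInThread(Runnable) hook from the thread.
 *  The default does what the comment describes: one new thread per session. */
class HookedServer {
    protected void startInThread(Runnable session) {
        Thread t = new Thread(session, "nanohttpd-session");
        t.setDaemon(true);
        t.start();
    }
}

/** Subclass letting the operator bound both the worker count and how long an idle
 *  connection may occupy a worker (assumed names; not NanoHTTPD's own classes). */
class BoundedServer extends HookedServer {
    private final ThreadPoolExecutor pool;
    private final int readTimeoutMillis;

    BoundedServer(int maxWorkers, int queueDepth, int readTimeoutMillis) {
        // Fixed-size pool with a bounded queue: once every worker is busy and the
        // queue is full, AbortPolicy refuses the session rather than growing unbounded.
        this.pool = new ThreadPoolExecutor(maxWorkers, maxWorkers, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(queueDepth), new ThreadPoolExecutor.AbortPolicy());
        this.readTimeoutMillis = readTimeoutMillis;
    }

    /** Accept-loop side: arm the read timeout, then hand the session to the pool.
     *  The session's blocking reads on this socket now fail with SocketTimeoutException
     *  after readTimeoutMillis of silence, freeing the worker; a refused session closes
     *  the socket immediately instead of waiting in an unbounded backlog. */
    void handleConnection(Socket client, Runnable session) throws IOException {
        client.setSoTimeout(readTimeoutMillis);
        try {
            startInThread(session);
        } catch (RejectedExecutionException saturated) {
            client.close();
        }
    }

    @Override
    protected void startInThread(Runnable session) {
        pool.execute(session); // throws RejectedExecutionException when saturated
    }
}
```

The values passed to the constructor are the operator's decision, as the thread argues: a few dozen workers on a phone, far more on a dedicated box.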