I'm looking for a way of capping the number of sessions created for crawlers and/or anonymous users on my webapp (running on Jetty). I want to decrease the number of sessions on the app. Multiple sessions are created for crawlers, as many of them do not respect cookies. That would also help when the app comes under DDoS.

There is already a solution for Tomcat ('crawler session valve'), but I need a solution for Jetty.

What would be your recommendation on capping unwanted sessions?

Thanks, JB


Solution

Use the Jetty DoS Filter:

"The Denial of Service (DoS) filter limits exposure to request flooding, whether malicious, or as a result of a misconfigured client. The DoS filter keeps track of the number of requests from a connection per second. If the requests exceed the limit, Jetty rejects, delays, or throttles the request, and sends a warning message. The filter works on the assumption that the attacker might be written in simple blocking style, so by suspending requests you are hopefully consuming the attacker's resources. The DoS filter is related to the QoS filter, using Continuations to prioritize requests and avoid thread starvation."

http://wiki.eclipse.org/Jetty/Reference/DoSFilter

Other configs that are worth looking at can be found in the Jetty Optimization Article:

http://67-23-9-112.static.slicehost.net/doc/optimization.html

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow