Is there an easy and efficient way to delay a response from a Java Servlet

Question

What can I do when I get an obvious hacking attempt? I wish there was an easy way to cause them to waste their time, that doesn't involve server resources. Even a delay of a few seconds could render brute force attacks futile.

Sending them to an AsyncContext seems too processor intensive, and a timeout will automatically resend the same request back to the beginning where it started. Which might actually aide a DOS attack.

I am using Jetty and know about the DoSFilter, but it would be much more effective if I could delay a response when I detect foul play, which is rather easy to sense in my case. I think every failed validation / authentication attempt should automatically delay a response somehow.

I am not really authenticating here, so an authentication protocol/frontend is not useful. I am just validating the connection parameters for patterns that meet certain criteria. I know TCP/IP will notify, but if I could disconnect invalid access attempts silently and keep them hanging, that would be ideal.

Answer 1

I think that, if you detect a fool play, it would be more wise to block their ip for a certain period. It would be easy just adding their ip in /etc/hosts.deny (it works for many unix daemons, but I am not sure if it works with java processes too, I think it should work since it's used by the tcp daemon itself). man 5 hosts.deny at the command line gives some hints (or check this online link).

BTW, I think you can use Thread.sleep() to pause a servlet, as in any normal java code. But this, would probably cause more request from the same caller to keep open for long time, increasing the active resources that the application server has to allocate and maintain. So if the attacker can work in multithread, possibly this will help him to block your server, as it will hold all the threads for his attack, blocking all other users to access your service.

Answer 2

If you get a suspiciously repetitive request from the same IP, you can introduce an escalating delay:

Thread.sleep(n);

Where n doubles every subsequent event.

Answer 3

I actually think that an AsyncContext may be a better solution than sleeping on a synchronous request.

However, I think you'd have to try both scenarios, and actually measure what each does to both cpu usage and total throughput to be sure.

Answer 4

You should protect at lower level. Any involvement of Java will damage you more than hackers, because container will create environment on each request.

Most probably hackers do not wait for response so you won't hit them by delaying it.

Use nginx or firewall level.