Tomcat denial of service-Collection of common programming errors

Connecting thousands of times is a known “vulnerability” of any server with a maxconnections setting (or which uses a lot of resources per connection). As a DDOS, most likely they’re not “stopping” the download, they’re just cutting the connection without so much as a RST packet so the connection hangs around until it times out or using something like trickle to only acknowledge a few bytes at a time to keep the connection from timing out.

Anything you do to mitigate this will depend on your entire setup. Assuming you are currently using apache+mod_jk+tomcat, then in addition to Bart’s fail2ban, I would look into mod_security to detect the possibly malicious requests and refuse them. Another idea is if you really are using tomcat to send static data, moving the static data to be served directly from apache (or a lightweight server like lighttpd or nginix) using a static.example.com domain. Or, if you need to have your code decide which file to send, consider using mod_xsendfile in apache to serve static files “pointed to” by your app, which would let tomcat finish the request and move on while apache handled the file (rather than keeping both apache and tomcat busy sending the file).