A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. This is often done by overloading the resource; for example:
- With a flood of requests from an external source.
- With a request for more information than the system can successfully deliver.
For example, a JSON representation of the entire repository.
- By requesting a content page with an unlimited number of URLs. The URL can include a handle, some selectors, an extension, and a suffix, any of which can be modified.
For example, .../en.html can also be requested as:
- .../en.ExtensionDosAttack
- .../en.SelectorDosAttack.html
- .../en.html/SuffixDosAttack
All valid variations (for example, those that return a 200 response and are configured to be cached) will be cached by the dispatcher, eventually leading to a full file system and no service for further requests.
There are many points of configuration for preventing such attacks; here we discuss only those directly related to AEM.
Configuring Sling to Prevent DoS
Sling is content-centric. This means that processing is focused on the content as each (HTTP) request is mapped onto content in the form of a JCR resource (a repository node):
- The first target is the resource (JCR node) holding the content.
- Secondly, the renderer, or script, is located from the resource properties in combination with certain parts of the request (e.g. selectors and/or the extension).
This approach makes Sling very powerful and very flexible, but as always it is the flexibility that needs to be carefully managed.
To help prevent DoS misuse you can:
1. Incorporate controls at the application level; due to the number of possible variations, a default configuration is not feasible.
In your application you should:
- Control the selectors in your application, so that you only serve the explicit selectors needed and return 404 for all others.
- Prevent the output of an unlimited number of content nodes.
2. Check the configuration of the default renderers, which can be a problem area.
- In particular, the JSON renderer, which can traverse the tree structure over multiple levels.
For example, the request:
http://localhost:4502/.json
could dump the whole repository in a JSON representation. This would cause significant server problems. For this reason, Sling sets a limit on the maximum number of results. To limit the depth of the JSON rendering you can set the value for:
JSON Max results (json.maximumresults)
in the configuration for the Apache Sling GET Servlet. When this limit is exceeded, the rendering will be collapsed. The default value for Sling within AEM is 200.
- As a preventive measure, disable the other default renderers (HTML, plain text, XML), again by configuring the Apache Sling GET Servlet.
Caution:
Do not disable the JSON renderer; it is required for the normal operation of AEM.
3. Use a firewall to filter access to your instance.
- The use of an operating system level firewall is necessary in order to filter access to points of your instance that might lead to denial of service attacks if left unprotected.
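The selector control from step 1 and the URL variations listed at the top of the page can be checked against request logs. The following Python is an added example, not Adobe's or this page's own code; the allowlist values, the /content/site paths, the three-field log format and the rule that the first dot ends the handle are assumptions.

```python
from collections import defaultdict

# Assumed allowlist for a hypothetical application, not AEM defaults.
ALLOWED_EXTENSIONS = {"html"}
ALLOWED_SELECTORS = {"print"}


def decompose(path):
    """Split a path into (handle, selectors, extension, suffix). Simplified:
    the first dot ends the handle; Sling resolves it against the repository."""
    dot = path.find(".")
    if dot == -1:
        return path, [], "", ""
    handle, rest = path[:dot], path[dot + 1:]
    names, slash, tail = rest.partition("/")
    parts = names.split(".")
    return handle, parts[:-1], parts[-1], slash + tail


def is_allowed(path):
    """True only for allowlisted selectors and extension, with no suffix."""
    _, selectors, extension, suffix = decompose(path)
    return (extension in ALLOWED_EXTENSIONS
            and all(s in ALLOWED_SELECTORS for s in selectors)
            and suffix == "")


def unexpected_variants(log_lines):
    """Map handle -> sorted paths answered with 200 that the allowlist rejects."""
    hits = defaultdict(set)
    for line in log_lines:
        method, path, status = line.split()
        if method == "GET" and status == "200" and not is_allowed(path):
            hits[decompose(path)[0]].add(path)
    return {handle: sorted(paths) for handle, paths in hits.items()}


# Constructed sample log lines ("METHOD PATH STATUS"), not real traffic.
SAMPLE_LOG = [
    "GET /content/site/en.html 200",
    "GET /content/site/en.print.html 200",
    "GET /content/site/en.ExtensionDosAttack 200",
    "GET /content/site/en.SelectorDosAttack.html 200",
    "GET /content/site/en.html/SuffixDosAttack 200",
    "GET /content/site/de.SelectorDosAttack.html 404",
]

if __name__ == "__main__":
    print(unexpected_variants(SAMPLE_LOG))
```

Any handle reported here received a 200 for a variation the application never intended to serve, which is the case that ends up in the dispatcher cache; those requests should return 404 instead.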
Mitigate Against DoS Caused by Using Form Selectors
Note:
This mitigation should be performed only on AEM environments that are not using Forms.
Since AEM does not provide out of the box indexes for the FormChooserServlet, using form selectors in queries will trigger a costly repository traversal, usually grinding the AEM instance to a halt. Form selectors can be detected by the presence of the *.form.* string in queries.
To mitigate this, follow these steps:
- Go to the Web Console by pointing your browser to http://serveraddress:serverport/system/console/configMgr
- Search for Day CQ WCM Form Chooser Servlet
- After you click on the entry, disable the Advanced Search Require in the following window.
- Click Save.
WebDAV should be disabled on both the author and publish environments. This can be done by stopping the appropriate OSGi bundles.
- Connect to the Felix Management Console running on: http://:/system/console. For example, http://localhost:4503/system/console/bundles.
- In the list of bundles, find the bundle named: Apache Sling Simple WebDAV Access to repositories (org.apache.sling.jcr.webdav)
- Click the stop button (in the Actions column) to stop this bundle.
- Again in the list of bundles, find the bundle named: Apache Sling DavEx Access to repositories (org.apache.sling.jcr.davex)
- Click the stop button to stop this bundle.
Note:
A restart of AEM is not required.