Glassfish 3.1.1 workaround for Denial of Service through hash table multi-collisions
This is an old bug, first described in 2003, that has now been applied to the hash table implementations of newer programming languages. The idea behind it is to craft keys whose hashes collide, because collisions consume far more CPU cycles on the server: a POST of 2 MB can result in 44 minutes of CPU time, which amounts to a DoS.
As suggested in the advisory released by nruns.com, we can limit the maximum POST size to several tens of KB. In Glassfish 3.1.1 the maximum POST size is 2 MB, and the setting can be changed from here: Configurations -> [configuration name] -> Network Config -> Network Listener -> http-listener- -> HTTP.
The other suggestions made by nruns (limiting CPU time, limiting the maximum number of parameters) cannot be applied to Glassfish.
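The same POST size limit can also be enforced inside the application, for deployments where the listener setting cannot be changed. The filter below is an added example, not code from the original post or from Glassfish; it uses the Servlet 3.0 API that Glassfish 3.1.1 ships, and the filter name, the maxPostBytes init parameter and the 32 KB default are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the original post or from Glassfish. Rejects form POSTs
// whose declared body size exceeds a limit before the container parses the parameters.
// The filter name and the 32 KB default are assumptions chosen for illustration.
@WebFilter(filterName = "PostSizeFilter", urlPatterns = "/*")
public class PostSizeFilter implements Filter {
    private long maxPostBytes = 32 * 1024; // "several tens of KB", as the advisory suggests
    @Override
    public void init(FilterConfig cfg) {
        String v = cfg.getInitParameter("maxPostBytes"); // optional override via web.xml
        if (v != null) maxPostBytes = Long.parseLong(v);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String type = request.getContentType();
        boolean formPost = "POST".equalsIgnoreCase(request.getMethod()) && type != null
                && type.toLowerCase().startsWith("application/x-www-form-urlencoded");
        if (formPost) {
            int length = request.getContentLength(); // -1 when absent (e.g. chunked encoding)
            if (length < 0) {
                // Fail closed: with no declared length the size check below could be bypassed.
                response.sendError(HttpServletResponse.SC_LENGTH_REQUIRED, "Content-Length required");
                return;
            }
            if (length > maxPostBytes) {
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                        "POST body exceeds " + maxPostBytes + " bytes");
                return;
            }
        }
        // No getParameter() call above, so the container has not parsed the body yet.
        chain.doFilter(req, res);
    }
    @Override public void destroy() { }
}
```

The check relies on no earlier filter or valve having called getParameter(), since the container parses the whole form body on the first such call.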
Detailed explanation of Hash table collisions: