Denial of Service (DoS)

Hello Everyone,

Today we will explore Denial of Service (DoS) attacks against XML web services in this blog.

Oversize payload / Recursive XML

e.g. a message with 10000 nested elements, or a message carrying a very large data payload.

Countermeasure: limit the message size at the gateway/firewall, restrict string lengths in the XSD (maxLength), limit the nesting depth of elements, and don't use maxOccurs="unbounded" in the XSD.
While the message can also be limited with application-server settings or XSD validation in the proxy, it is better to reject oversize messages as early as possible (e.g. at the gateway with an XML firewall), before they burden the load balancers and application servers.
Use throttling (including for log file generation, so that a flood of rejected messages does not turn the error log itself into the bottleneck or fill the disk).

Entity Expansion / XML bomb

Excessive or recursive entity references, each entity expanding into many copies of the previous one, so that a few kilobytes of input expand into gigabytes and exhaust the parser's memory and CPU, e.g.

<!DOCTYPE s[ ... Entities from x1 to x99... ]> ... ... &x100;

Countermeasure: reject any message containing an <!ENTITY> declaration (or any <!DOCTYPE> / DTD at all) and configure the XML parser not to expand entities, use SOAP 1.2 (the specification forbids a Document Type Declaration in a SOAP message, so a conforming processor must reject it), use an XML firewall.

XML External Entity DOS

An entity reference to an external resource (e.g. a huge file) that the parser fetches and expands, overwhelming the server's memory or keeping it busy reading.

Countermeasure: as above, reject messages with an <!ENTITY> declaration (or any DTD) and disable external entity resolution in the parser, use SOAP 1.2, use an XML firewall.

Malformed XML

Malformed input meant to overwhelm the server with exceptions, e.g. omitting an XML closing tag or sending a date-time in the wrong format.
Countermeasure: XSD validation, done as early as possible so the message is rejected cheaply at the parser instead of raising exceptions deep inside application code.
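The following is an added example, not code from the original post: a gateway-style pre-check, written with the Python standard-library expat parser, that applies the countermeasures from the oversize payload / recursive XML, entity expansion, XML external entity and malformed XML sections in one streaming pass. The limits MAX_BYTES, MAX_DEPTH and MAX_ELEMENTS are illustrative assumptions, and the sample messages are constructed for the example.

```python
"""Gateway-style pre-checks for an incoming XML/SOAP message.

Added example, not code from the original post.  The standard-library expat
parser is used as a cheap streaming "XML firewall" that stops at the first
violation, so an oversize, deeply nested, entity-bearing or malformed message
is refused before it reaches the application server.  MAX_BYTES, MAX_DEPTH
and MAX_ELEMENTS are illustrative assumptions; the sample messages below are
constructed for this example.
"""
import xml.parsers.expat

MAX_BYTES = 64 * 1024     # overall message size (oversize payload)
MAX_DEPTH = 32            # element nesting depth (recursive XML)
MAX_ELEMENTS = 10_000     # total element count (the effect of maxOccurs="unbounded")


class RejectedMessage(Exception):
    """Raised at the first violation; the rest of the message is never parsed."""


def check_message(data: bytes) -> dict:
    """Return {'elements': n, 'max_depth': d} for an acceptable message, else raise."""
    if len(data) > MAX_BYTES:
        raise RejectedMessage(f"message too large: {len(data)} > {MAX_BYTES} bytes")

    stats = {"elements": 0, "max_depth": 0}
    depth = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused: SOAP forbids it, and it is the carrier for
        # entity expansion (XML bomb) and external entity (XXE) payloads.
        raise RejectedMessage("DOCTYPE/DTD not allowed")

    def entity_decl(*_):
        raise RejectedMessage("<!ENTITY> not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        # Never fetch an external resource (huge file, slow URL) on the attacker's behalf.
        raise RejectedMessage(f"external entity {system_id!r} not allowed")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > MAX_DEPTH:
            raise RejectedMessage(f"nesting deeper than {MAX_DEPTH} at <{name}>")
        if stats["elements"] > MAX_ELEMENTS:
            raise RejectedMessage(f"more than {MAX_ELEMENTS} elements")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML (e.g. a missing closing tag) fails here, cheaply,
        # instead of as an exception deep inside application code.
        raise RejectedMessage(f"malformed XML: {exc}") from exc
    return stats


def verdict(data: bytes) -> str:
    """'accepted', or 'rejected: <reason>'."""
    try:
        check_message(data)
    except RejectedMessage as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample messages (not real traffic).
OK_MESSAGE = (b"<soap:Envelope xmlns:soap='http://www.w3.org/2003/05/soap-envelope'>"
              b"<soap:Body><Ping>1</Ping></soap:Body></soap:Envelope>")
DEEP_MESSAGE = b"<a>" * 40 + b"</a>" * 40
WIDE_MESSAGE = b"<r>" + b"<x/>" * (MAX_ELEMENTS + 1) + b"</r>"
XML_BOMB = b"<!DOCTYPE s [<!ENTITY x0 'lol'><!ENTITY x1 '&x0;&x0;&x0;'>]><s>&x1;</s>"
XXE_MESSAGE = b"<!DOCTYPE s [<!ENTITY big SYSTEM 'file:///dev/zero'>]><s>&big;</s>"
MALFORMED_MESSAGE = b"<s><a>1</s>"

if __name__ == "__main__":
    for label, msg in [("ok", OK_MESSAGE), ("deep", DEEP_MESSAGE), ("wide", WIDE_MESSAGE),
                       ("bomb", XML_BOMB), ("xxe", XXE_MESSAGE), ("malformed", MALFORMED_MESSAGE)]:
        print(f"{label:10s} {verdict(msg)}")
```

In a real gateway the size limit should be enforced while reading from the socket (stop after MAX_BYTES + 1 bytes) rather than after buffering the whole body; the handlers behave the same when the body is fed in chunks through parser.Parse(chunk, False), so the depth and element limits also trigger mid-stream.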

Weak XML definitions

e.g. a schema element that allows any additional elements (xs:any), so an attacker can append arbitrary content that still passes validation.
Countermeasure: prevent the use of <xs:any> (and <xs:anyAttribute>) in the XSD.
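As an added example (not from the original post), a small schema linter that checks an XSD for the weak definitions discussed here and in the oversize payload section: xs:any / xs:anyAttribute wildcards, maxOccurs="unbounded", and string-like types with no maxLength. It uses the standard-library ElementTree; the weak and hardened sample schemas are constructed for the example, and matching built-in types by local name (string, base64Binary, ...) assumes the usual xs:/xsd: prefix convention for the XML Schema namespace.

```python
"""Lint an XSD for constructs that make DoS easy.

Added example, not code from the original post.  Walks a schema with the
standard-library ElementTree and reports: restrictions of string-like bases
without a length cap, elements typed directly as an unbounded built-in type,
maxOccurs="unbounded", and xs:any / xs:anyAttribute wildcards.  Built-in type
names are matched by local name, which assumes the usual xs:/xsd: prefix for
the XML Schema namespace.  Both sample schemas are constructed for the example.
"""
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
# Built-in types whose values have no inherent length limit.
UNBOUNDED_TYPES = {"string", "normalizedString", "token", "anyURI",
                   "base64Binary", "hexBinary"}


def _local(qname: str) -> str:
    """'xs:string' -> 'string' (prefix-agnostic, see assumption above)."""
    return qname.rsplit(":", 1)[-1]


def lint_schema(xsd_text: str) -> list[str]:
    """Return human-readable findings in document order (empty list = nothing flagged)."""
    root = ET.fromstring(xsd_text)
    findings: list[str] = []

    # 1. A restriction of a string-like base must cap its length
    #    (maxLength, fixed length, or an enumeration of allowed values).
    for st in root.iter(XS + "simpleType"):
        restriction = st.find(XS + "restriction")
        if restriction is None or _local(restriction.get("base", "")) not in UNBOUNDED_TYPES:
            continue
        capped = any(restriction.find(XS + facet) is not None
                     for facet in ("maxLength", "length", "enumeration"))
        label = st.get("name") or "anonymous simpleType"
        if not capped:
            findings.append(f"{label}: restriction of {restriction.get('base')} has no maxLength")

    # 2. Per element: unbounded repetition, and unbounded built-in types used directly.
    for el in root.iter(XS + "element"):
        name = el.get("name") or el.get("ref") or "?"
        if el.get("maxOccurs") == "unbounded":
            findings.append(f'element {name}: maxOccurs="unbounded"')
        if _local(el.get("type", "")) in UNBOUNDED_TYPES:
            findings.append(f"element {name}: type {el.get('type')} has no length limit")

    # 3. Wildcards accept extra content the application never planned for.
    #    processContents defaults to "strict" when absent.
    for wildcard in ("any", "anyAttribute"):
        for w in root.iter(XS + wildcard):
            findings.append(f'xs:{wildcard} with processContents="{w.get("processContents", "strict")}"')
    return findings


# Constructed weak schema: the kind of XSD this post warns about.
WEAK_XSD = """
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="NameType">
    <xs:restriction base="xs:string"><xs:maxLength value="64"/></xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="CommentType">
    <xs:restriction base="xs:string"><xs:pattern value="[^&lt;&gt;]*"/></xs:restriction>
  </xs:simpleType>
  <xs:element name="Order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Customer" type="NameType"/>
        <xs:element name="Comment" type="CommentType"/>
        <xs:element name="Note" type="xs:string"/>
        <xs:element name="Item" type="NameType" maxOccurs="unbounded"/>
        <xs:any processContents="lax" minOccurs="0"/>
      </xs:sequence>
      <xs:anyAttribute/>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""

# Constructed hardened schema: every length and count is bounded, no wildcards.
HARDENED_XSD = """
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:simpleType name="NameType">
    <xs:restriction base="xs:string"><xs:maxLength value="64"/></xs:restriction>
  </xs:simpleType>
  <xs:element name="Order">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Customer" type="NameType"/>
        <xs:element name="Item" type="NameType" maxOccurs="100"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
"""

if __name__ == "__main__":
    for label, xsd in (("weak", WEAK_XSD), ("hardened", HARDENED_XSD)):
        print(label, lint_schema(xsd) or "no findings")
```

A pattern facet (as on CommentType above) constrains the characters but not the length, which is why the linter still flags it; only maxLength, length or an enumeration actually bound the input size.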

Buffer overflow

An oversize message that overwrites adjacent variables or the address of the operation to be called, crashing the process (DoS).
Countermeasure: use programming languages/frameworks that are memory-safe with respect to buffer overflows (e.g. Java), and do explicit bounds checking in any native code.

Non-content attacks

The DoS attacks described above are mainly content-based, sending malicious or oversize content. But web services are also indirectly vulnerable to non-content attacks (e.g. a SYN flood) that overwhelm the network infrastructure in front of them (firewall, switch/router), so no content filter ever sees them.
Countermeasure: use firewalls/switches/routers with anti-DoS features such as TCP splicing (SYN proxying), protocol analyzers, bogon (unroutable source address) filtering, anomaly detection and rate limiting.
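To show what the rate-limiting / anomaly-detection countermeasure looks like in practice, here is an added example (not from the original post) of a per-source SYN rate detector run over constructed firewall-style connection log lines. The log format, the sample lines (addresses from the RFC 5737 documentation ranges) and the WINDOW_SECONDS / SYN_THRESHOLD values are all assumptions made for the example.

```python
"""Per-source SYN rate detector over constructed firewall log lines.

Added example, not code from the original post.  Content filters never see
a SYN flood, so this is the kind of check a firewall or IDS runs on
connection attempts: count pure SYNs per source inside a sliding window and
flag a source once it exceeds a threshold.  The log format, the sample lines
and the two tunables are assumptions constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 1.0   # sliding window length
SYN_THRESHOLD = 20     # more pure SYNs than this per source per window is anomalous

# Constructed lines: "<timestamp> <src ip>:<port> -> <dst ip>:<port> <tcp flags>"
SAMPLE_LOG = (
    # a legitimate client: SYN, then its handshake completes with an ACK
    ["2024-05-01T10:00:00.000 203.0.113.7:51000 -> 198.51.100.5:443 S",
     "2024-05-01T10:00:00.030 203.0.113.7:51000 -> 198.51.100.5:443 A"]
    # a flooding source: 30 SYNs from changing ports within 300 ms, never an ACK
    + [f"2024-05-01T10:00:01.{i * 10:03d} 192.0.2.99:{40000 + i} -> 198.51.100.5:443 S"
       for i in range(30)]
)


def parse_line(line: str):
    """Split one log line into (timestamp, source ip, tcp flags)."""
    ts, src, _arrow, _dst, flags = line.split()
    return datetime.fromisoformat(ts), src.rsplit(":", 1)[0], flags


def detect_syn_flood(lines):
    """Return {src_ip: timestamp first flagged} for sources exceeding SYN_THRESHOLD."""
    recent = defaultdict(deque)   # src ip -> timestamps of its SYNs inside the window
    flagged = {}
    for line in lines:
        ts, src, flags = parse_line(line)
        if flags != "S":          # only pure SYNs; SYN-ACK and ACK are the server/handshake side
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()      # drop SYNs that have aged out of the window
        if len(window) > SYN_THRESHOLD and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in detect_syn_flood(SAMPLE_LOG).items():
        print(f"{src} exceeded {SYN_THRESHOLD} SYNs/{WINDOW_SECONDS}s at {when.time()}")
```

The flagged source is the one a rate limiter would start dropping or SYN-proxying; the legitimate client, with one SYN and a completed handshake, is never touched.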