Feeds

Web Services to aid DOS attacks

Security wrapper

  • alert
  • submit to reddit

Reducing security risks from open source software

The development of web services standards allows us to contemplate the creation of business applications that are based upon collections of loosely-coupled components served up by a variety of third parties. The question that arises is just who it is that is going to expose themselves to denial of service attacks in this way.

There are many reasons why web services activity is currently restricted to use within the intranet. Mainly, the lack of experience dictates that most development is experimental. Also, there is a shortage of security and manageability within the standards that makes the publication of web services outside the firewall a pretty scary option.

However, if we look forward to a time when these wrinkles have been ironed out, we can see an opportunity for publicly exposed functions to be used to swamp the servers that host them.

The nice thing about the web services standards is that they are designed to help an outside party who wants to find and execute a piece of functionality.

First of all, UDDI will help your attacker to find any services that have been published within the networked environment and then WSDL will provide the details required to make it work.

With the aid of a little SOAP, the service can be executed on the host server and the DOS attack has begun. Swamp the web services with requests and there's a pretty good chance that the servers will fall flat on their backs.

We can argue, of course, that nobody will even contemplate the global publication of web services until a cosy wrapper of security exists around them. However, there needs to be strong identity management that ensures that the host trusts us before giving out the information needed to execute the functions.

One obvious solution is a directory implementation that requires the user is properly authenticated before even knowing which services are available.

This does defeat the idea that any component can be available to anybody but it is only the technology purists that believe this to be practical. A directory offers the foundation required to implement the management features necessary.

In the real world, even globally available web services are going to need registration information - not only for security purposes but also to make sure that users pay for their use. You didn't really think you'd get all this for free. Did you?

©IT-Analysis.com.

Eight steps to building an HP BladeSystem

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
Bose says today IS F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.