The Register® — Biting the hand that feeds IT

Feeds

Web Services to aid DOS attacks

Security wrapper

By IT-Analysis, 10th June 2002
  • print
  • alert

Magic Quadrant for Enterprise Backup/Recovery

The development of web services standards allows us to contemplate the creation of business applications that are based upon collections of loosely-coupled components served up by a variety of third parties. The question that arises is just who it is that is going to expose themselves to denial of service attacks in this way.

There are many reasons why web services activity is currently restricted to use within the intranet. Mainly, the lack of experience dictates that most development is experimental. Also, there is a shortage of security and manageability within the standards that makes the publication of web services outside the firewall a pretty scary option.

However, if we look forward to a time when these wrinkles have been ironed out, we can see an opportunity for publicly exposed functions to be used to swamp the servers that host them.

The nice thing about the web services standards is that they are designed to help an outside party who wants to find and execute a piece of functionality.

First of all, UDDI will help your attacker to find any services that have been published within the networked environment and then WSDL will provide the details required to make it work.

With the aid of a little SOAP, the service can be executed on the host server and the DOS attack has begun. Swamp the web services with requests and there's a pretty good chance that the servers will fall flat on their backs.

We can argue, of course, that nobody will even contemplate the global publication of web services until a cosy wrapper of security exists around them. However, there needs to be strong identity management that ensures that the host trusts us before giving out the information needed to execute the functions.

One obvious solution is a directory implementation that requires the user is properly authenticated before even knowing which services are available.

This does defeat the idea that any component can be available to anybody but it is only the technology purists that believe this to be practical. A directory offers the foundation required to implement the management features necessary.

In the real world, even globally available web services are going to need registration information - not only for security purposes but also to make sure that users pay for their use. You didn't really think you'd get all this for free. Did you?

©IT-Analysis.com.

Magic Quadrant for Enterprise Backup/Recovery

Send Corrections

More from The Register

breaking news
BBC-featured call centre slapped with hefty fine for unwanted calls
PPI pests: Swansea-based firm stung for £225k by ICO
75
Microsoft to open Windows Stores inside 600 Best Buy locations
Product showcases 'must be seen to be believed'
53
Author Iain (M) Banks falls to cancer at 59
Misses the release of his final work
97
breaking news
Online music world on iRadio: Apple, imagine our concern
*Sarcastic face*
55
What did the Lehman Brothers implosion look like to a techie?
Insider tells all about the Gnab Gib at Lehmans
34
It's official: 'tweet' an English word – not just in the avian sense
If the Oxford English Dictionary says it is so, then it is so
52
breaking news
The only Waze is Google: Ad giant tipped to gobble map app 'for $1.3bn'
Pac-Man-satnav-ish upstart in bidding war with Apple, Facebook
16
breaking news
1-in-10 e-tomes 'are self-published'... most are 'rubbish' says book ed
Publishing man scoffs at go-it-alone writers, ursines still fouling in forests
50
breaking news
Vodafone puts in multi-billion euro bid for German cable giant
Achtung! Jetzt kommt ein Vodamaschine...
5
Facebook RSS reader said to uncloak June 20
Secret event scooped by Scottish developer?
11