Feeds

Web Services to aid DOS attacks

Security wrapper

  • alert
  • submit to reddit

Internet Security Threat Report 2014

The development of web services standards allows us to contemplate the creation of business applications that are based upon collections of loosely-coupled components served up by a variety of third parties. The question that arises is just who it is that is going to expose themselves to denial of service attacks in this way.

There are many reasons why web services activity is currently restricted to use within the intranet. Mainly, the lack of experience dictates that most development is experimental. Also, there is a shortage of security and manageability within the standards that makes the publication of web services outside the firewall a pretty scary option.

However, if we look forward to a time when these wrinkles have been ironed out, we can see an opportunity for publicly exposed functions to be used to swamp the servers that host them.

The nice thing about the web services standards is that they are designed to help an outside party who wants to find and execute a piece of functionality.

First of all, UDDI will help your attacker to find any services that have been published within the networked environment and then WSDL will provide the details required to make it work.

With the aid of a little SOAP, the service can be executed on the host server and the DOS attack has begun. Swamp the web services with requests and there's a pretty good chance that the servers will fall flat on their backs.

We can argue, of course, that nobody will even contemplate the global publication of web services until a cosy wrapper of security exists around them. However, there needs to be strong identity management that ensures that the host trusts us before giving out the information needed to execute the functions.

One obvious solution is a directory implementation that requires the user is properly authenticated before even knowing which services are available.

This does defeat the idea that any component can be available to anybody but it is only the technology purists that believe this to be practical. A directory offers the foundation required to implement the management features necessary.

In the real world, even globally available web services are going to need registration information - not only for security purposes but also to make sure that users pay for their use. You didn't really think you'd get all this for free. Did you?

©IT-Analysis.com.

Providing a secure and efficient Helpdesk

More from The Register

next story
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.