• To: Robert Koberg <rob@k...>
• Subject: Re: SOA and the Single URL
• From: Rich Salz <rsalz@d...>
• Date: Thu, 04 Aug 2005 13:37:08 -0400
• Cc: xml-dev@l...
• In-reply-to: <42F250A7.3040502@k...>
• References: <74B14CBC0FEB9D4EB16969F09FA51F4576D316@M...> <42F24615.5060502@d...> <42F2487E.4040603@k...> <42F24BDA.40209@d...> <42F250A7.3040502@k...>
• User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040421

> OK, I can see what you are saying. Is there some facility to 
> deny/turn-off processing for a type of DoS attack? Say something is 
> sending you several complex, large messages - what happens to the gateway?

In the worst case, the gateway goes down before your application server 
does.  More usually, gateways are more aware of XML-based network 
attacks than most applications (e.g., billion laughs, XML too big, etc)
and will drop the message, fault it, report it, whatever, when 
thresholds are exceeded.

XML is particulary useful for DoS, since the processing load is 
asymmetric: the adversary can just use print statements, while the 
victim receiver needs to parse.  Gateways built around OSS or COTS 
parsers, for example, are often just as vulnerable as the servers 
they're protecting.

Caveat emptor.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html

• References:
  • RE: SOA and the Single URL
    • From: "Chiusano Joseph" <chiusano_joseph@b...>
  • Re: SOA and the Single URL
    • From: Rich Salz <rsalz@d...>
  • Re: SOA and the Single URL
    • From: Robert Koberg <rob@k...>
  • Re: SOA and the Single URL
    • From: Rich Salz <rsalz@d...>
  • Re: SOA and the Single URL
    • From: Robert Koberg <rob@k...>

• Prev by Date: Re: SOA and the Single URL
• Next by Date: Re: a useful naming convention
• Previous by thread: Re: SOA and the Single URL
• Next by thread: Re: SOA and the Single URL
• Index(es):
  • Date
  • Thread