WS-Denial_of_Service. Dariusz Grabka, M.Sc. Candidate, University of Guelph, February 13th 2007.


2 The Point (Feb 13 2007, WS-Denial_of_Service)
- The Internet is fault tolerant because its functionality is distributed; Web Services (WS) are not. WS emulate enterprise architecture.
- Servers on the Internet are susceptible to Denial of Service; WS are doubly (2x) sensitive.
- Clients of WS are victimised as well; this is inherent to service oriented architecture.
- We need performance evaluations, secured connections, and limited exposure of WS functionality to protect from DoS.

3 The Outline
- The Internet and Distributed Risk
- What is Denial of Service (DoS)
- Web Services and their Clients
- DoS Sensitivity
- WS are Resource Intensive
- Protecting WS from DoS

4 The Internet
High availability of core services
- Internet Protocol (IP) addressing, Domain Name Service (DNS), content served over the web (HTTP) and email (SMTP), etc.
Functionality is distributed and runs on every node of the Internet
- If one node fails, the rest of the Internet still has the functionality
- Many Linux distributions ship all the necessary software
- Unlike Web Services, where functionality is specialized at each node

5 The Internet
Internet nodes have exposed functionality (web servers, mail servers, etc.)
- Publicly accessible: availability is traded off against susceptibility to attack
Many types of attack
- Denial of Service (DoS)
- Distributed Denial of Service (DDoS)
- Spoofing: falsifying identity
- Man-in-the-Middle: intercepting messages

6 Denial of Service
Overwhelm a system with requests
- The cost of even minimally processing each request, summed over all of them, exhausts system resources
- The system can no longer respond to legitimate requests for service
Requests can be:
- Malformed or incomplete
- Properly formed, but inducing resource-intensive functionality
- Formed to take advantage of a vulnerability
Single attacker, or multiple simultaneous attackers (DDoS)
May be combined with spoofing and man-in-the-middle

7 Web Services
Before service oriented architecture (SOA): software interfaces to enterprise-critical functionality were hidden away from the Internet
- Done for safety and stability
- Software services were often localized at the client location
Web Services expose critical functionality by design
- Architecture differs from the distributed Internet
- WS emulate the enterprise: specialised functionality at each node
- Functionality depends on the availability of other nodes

8 Web Service Clients
Clients rely on the availability of the Web Service; WS enterprises are in the business of network uptime
- They must develop the expertise to protect themselves from attacks
Clients of WS are affected by a DoS at the host or publisher of the service
- A DoS affects internal functionality at the client site!
- Internet congestion, routing problems, etc. have the same effect
The client is more susceptible than with a localized or distributed model of software services

9 Double Sensitivity
WS can experience DoS in two forms
- The transport protocol host: HTTP, SMTP, etc.
- The Web Service itself
To help attackers, the WSDL file provides a specification of the functionality
- ... though no more than public documentation would
Web Services are resource intensive
- Industry evidence suggests large gaps: 60% bulkier, 6 times slower than competing technology

10 Protecting from DoS
The transport protocol is probably OK
- Much research into protecting HTTP servers from DoS: avoiding or stopping attacks
- Very little research into DoS protection for WS
Several methods
- Secured and dedicated connections
- Performance evaluations of the platform
- Limited exposure of resource intensive functionality
- Established trust between client and service provider

11 Protecting from DoS
Connections
- Dedicated connections for WS traffic between enterprises, hidden from general Internet traffic
- Secured connections: Virtual Private Network (VPN), encrypted tunnels
- The identity of the parties is known, so spoofing and man-in-the-middle can be avoided
- Audit security policies to avoid DoS from within the shared, secured environment

12 Protecting from DoS
Performance Evaluation
- Not all WS platforms are created equal
- Determine the threshold at which DoS occurs
- Is a WS the best choice for implementing your service oriented architecture?
Limit Exposed Functionality
- Initial contact should require authentication and authorization
- Dismiss requests that fail it with as few resources as possible
- Require an authentication token for resource-heavy functionality
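The gating order on this slide, together with the request classes on slide 6 (malformed, well-formed but expensive, vulnerability-triggering) and the two attack surfaces on slide 9 (transport host versus the service itself), is illustrated by the following added example. It is not code from the talk: it is a hypothetical Python gate placed in front of a SOAP endpoint. The declared body size is checked before the body is read (transport level), the bearer token is checked with a cheap lookup before any XML is parsed, and the XML is then parsed with a streaming parser that aborts on DTD entity declarations, excessive nesting or excessive element counts (service level), so that only an authenticated, bounded, well-formed request reaches the resource-heavy handler. The limits, the token store, the GenerateReport operation and every sample request are constructed for the example.

```python
"""Cheap-first request gating for a SOAP endpoint. Added example: the limits,
token store, operation name and sample requests are all constructed."""
import hmac
import xml.parsers.expat
from typing import Callable, Dict, Tuple

MAX_BODY_BYTES = 64 * 1024   # transport-level bound, checked before the body is touched
MAX_DEPTH = 32               # WS-level bound on XML nesting
MAX_ELEMENTS = 10_000        # WS-level bound on element count
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
VALID_TOKENS = {b"tok-acme-7f3a": "acme"}            # constructed credential store
AUTH_OK = {"Authorization": "Bearer tok-acme-7f3a"}  # constructed client headers


class Reject(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status, self.reason = status, reason


def authenticate(headers: Dict[str, str]) -> str:
    """First gate: a small lookup with constant-time compares, no XML touched yet."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Reject(401, "missing bearer token")
    presented = auth[len("Bearer "):].encode()
    for token, client in VALID_TOKENS.items():
        if hmac.compare_digest(presented, token):
            return client
    raise Reject(401, "unknown token")


def bounded_parse(body: bytes) -> str:
    """Streaming parse that aborts on entity declarations, nesting or element
    limits; returns the local name of the first child of soap:Body."""
    st = {"depth": 0, "count": 0, "in_body": False, "op": None}

    def start(name, attrs):          # expat hands over "uri local" (separator set below)
        st["depth"] += 1
        st["count"] += 1
        if st["depth"] > MAX_DEPTH:
            raise Reject(400, "nesting too deep")
        if st["count"] > MAX_ELEMENTS:
            raise Reject(400, "too many elements")
        ns, _, local = name.rpartition(" ")
        if st["in_body"] and st["op"] is None:
            st["op"] = local
        if ns == SOAP_ENV and local == "Body":
            st["in_body"] = True

    def end(name):
        st["depth"] -= 1

    def entity(*_):                  # any DTD entity (billion-laughs style) is refused
        raise Reject(400, "entity declarations not accepted")

    p = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    p.StartElementHandler, p.EndElementHandler, p.EntityDeclHandler = start, end, entity
    try:
        p.Parse(body, True)          # exceptions raised in handlers propagate out of Parse
    except xml.parsers.expat.ExpatError as e:
        raise Reject(400, f"malformed XML: {e}")
    if st["op"] is None:
        raise Reject(400, "no operation in soap:Body")
    return st["op"]


def handle(headers: Dict[str, str], body: bytes,
           heavy_ops: Dict[str, Callable[[str, bytes], str]]) -> Tuple[int, str]:
    """Cheapest check first, parsing last, heavy work only for requests that pass."""
    try:
        declared = int(headers.get("Content-Length", len(body)))
        if declared > MAX_BODY_BYTES or len(body) > MAX_BODY_BYTES:
            raise Reject(413, "body too large")
        client = authenticate(headers)
        op = bounded_parse(body)
        if op not in heavy_ops:
            raise Reject(400, f"unknown operation {op}")
        return 200, heavy_ops[op](client, body)
    except ValueError:               # non-numeric Content-Length header
        return 400, "bad Content-Length"
    except Reject as r:
        return r.status, r.reason


def generate_report(client: str, body: bytes) -> str:
    return f"report generated for {client}"   # stand-in for the resource-heavy operation


HEAVY_OPS = {"GenerateReport": generate_report}
ENV_OPEN = b'<soap:Envelope xmlns:soap="' + SOAP_ENV.encode() + b'"><soap:Body>'
ENV_CLOSE = b"</soap:Body></soap:Envelope>"
GOOD_REQUEST = ENV_OPEN + b'<GenerateReport xmlns="urn:x"><year>2007</year></GenerateReport>' + ENV_CLOSE
BILLION_LAUGHS = (b'<!DOCTYPE l [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
                  + ENV_OPEN + b"<GenerateReport>&lol2;</GenerateReport>" + ENV_CLOSE)


def deep_request(depth: int) -> bytes:
    # Well-formed request built only to make the parser work (constructed)
    return ENV_OPEN + b"<GenerateReport>" + b"<a>" * depth + b"</a>" * depth + b"</GenerateReport>" + ENV_CLOSE
```

Calling handle() with the constructed inputs shows the cost ordering: a request with no token is refused after one dictionary lookup, an oversized one is refused from the Content-Length header alone, a 40-deep nesting or a DTD entity is refused part-way through the stream, and only GOOD_REQUEST (or a shallow deep_request) reaches generate_report. MAX_DEPTH and MAX_ELEMENTS are the natural place to plug in whatever threshold the performance evaluation on this slide establishes for the platform in use.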

13 Conclusion
WS architecture is doubly susceptible to DoS: the transport protocol, and the WS itself
Clients of WS are at risk when the service provider is at risk
Steps must be taken to minimize DoS risk
- Dedicated connections
- Security policy, authentication, authorization
- Limited exposure of functionality
- Performance evaluation: load-test those heavyweight platforms!

14 Thank you for your attention!

