OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] SOA and the Single URL

[ Lists Home | Date Index | Thread Index ]

> OK, I can see what you are saying. Is there some facility to 
> deny/turn-off processing for a type of DoS attack? Say something is 
> sending you several complex, large messages - what happens to the gateway?

In the worst case, the gateway goes down before your application server 
does.  More usually, gateways are more aware of XML-based network 
attacks than most applications (e.g., billion laughs, XML too big, etc)
and will drop the message, fault it, report it, whatever, when 
thresholds are exceeded.

XML is particulary useful for DoS, since the processing load is 
asymmetric: the adversary can just use print statements, while the 
victim receiver needs to parse.  Gateways built around OSS or COTS 
parsers, for example, are often just as vulnerable as the servers 
they're protecting.

Caveat emptor.


Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS