Abstract
Though Web Services become more and more popular, not only inside closed intranets but also for inter-enterprise communication, few efforts have been made so far to secure a Web Service's availability. Existing security standards such as WS-Security only address message integrity and confidentiality, and user authentication and authorization. In this article we present a system for protecting Web Services from Denial-of-Service (DoS) attacks. DoS attacks often rely on malformed and/or overly long messages that engage a server in resource-consuming computations. Therefore, a suitable means to prevent such kinds of attacks is the full grammatical validation of messages by an application level gateway before forwarding them to the server. We discuss specific kinds of DoS attacks against Web Services, show how message grammars can automatically be derived from formal Web Service descriptions (written in the Web Service Description Language), and present an application level gateway solution called "Checkway" that uses these grammars to filter Web Service messages. The paper closes by giving some performance figures for full grammatical validation.
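The gateway idea in the abstract (reject malformed or overly long SOAP messages before the server spends resources on them, and accept only messages that match a grammar derived from the service description) can be illustrated with a small streaming validator. The following Python code is an added example and is not the paper's Checkway implementation; the service namespace `http://example.invalid/stock`, the operation `GetQuote`, its parameter `symbol`, the resource limits and all sample messages are constructed assumptions standing in for a grammar that a real gateway would derive from the WSDL and its XML Schema.

```python
"""Added example: gateway-side SOAP validation in the spirit of the paper's approach.
Not the paper's code. Namespace, operation, parameter names and limits are constructed."""
import xml.parsers.expat as expat

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SERVICE_NS = "http://example.invalid/stock"              # assumed service namespace

# Simplified message grammar (constructed): operation -> allowed parameter elements.
# A real gateway would derive this from the WSDL types section.
GRAMMAR = {"GetQuote": {"symbol"}}

# Resource limits enforced before the server ever sees the message (assumed values).
MAX_BYTES = 4096      # overlong messages are dropped without parsing
MAX_DEPTH = 8         # deep nesting drives parser stack and DOM memory use
MAX_ELEMENTS = 64     # element floods are cut off early


class RejectedMessage(Exception):
    """Raised with a '<category>: <reason>' text when validation fails."""


def validate_soap(message: bytes) -> str:
    """Return the operation name of a valid request, or raise RejectedMessage."""
    if len(message) > MAX_BYTES:
        raise RejectedMessage("size: message exceeds %d bytes" % MAX_BYTES)

    stack = []                                   # (namespace, local name) of open elements
    state = {"count": 0, "operation": None}
    parser = expat.ParserCreate(namespace_separator=" ")  # names arrive as "uri local"

    def reject_doctype(*_):
        # SOAP messages carry no DTD; refusing one also stops entity-expansion tricks.
        raise RejectedMessage("dtd: DOCTYPE not allowed")

    def start(name, attrs):
        state["count"] += 1
        if state["count"] > MAX_ELEMENTS:
            raise RejectedMessage("flood: more than %d elements" % MAX_ELEMENTS)
        depth = len(stack)
        if depth >= MAX_DEPTH:
            raise RejectedMessage("depth: nesting deeper than %d" % MAX_DEPTH)
        ns, _, local = name.rpartition(" ")      # unqualified names give ns == ""
        elem = (ns, local)
        if depth == 0 and elem != (SOAP_ENV, "Envelope"):
            raise RejectedMessage("envelope: root is not soap:Envelope")
        if depth == 1 and elem not in {(SOAP_ENV, "Header"), (SOAP_ENV, "Body")}:
            raise RejectedMessage("envelope: unexpected child of Envelope")
        if depth == 2 and stack[-1] == (SOAP_ENV, "Body"):
            if ns != SERVICE_NS or local not in GRAMMAR:
                raise RejectedMessage("grammar: unknown operation %r" % local)
            if state["operation"] is not None:
                raise RejectedMessage("grammar: more than one operation in Body")
            state["operation"] = local
        if depth == 3 and stack[-2] == (SOAP_ENV, "Body"):
            if ns != SERVICE_NS or local not in GRAMMAR[stack[-1][1]]:
                raise RejectedMessage("grammar: unexpected parameter %r" % local)
        if depth >= 4 and stack[1] == (SOAP_ENV, "Body"):
            raise RejectedMessage("grammar: parameters are simple types, no nesting")
        stack.append(elem)

    def end(name):
        stack.pop()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        # Feed in chunks so a violation aborts parsing before the whole message is read.
        for i in range(0, len(message), 512):
            parser.Parse(message[i:i + 512], False)
        parser.Parse(b"", True)
    except expat.ExpatError as exc:
        raise RejectedMessage("xml: not well-formed (%s)" % exc) from None
    if state["operation"] is None:
        raise RejectedMessage("grammar: no operation element in Body")
    return state["operation"]


def classify(message: bytes) -> str:
    """Gateway decision as text: 'accept:<operation>' or 'reject:<category>'."""
    try:
        return "accept:" + validate_soap(message)
    except RejectedMessage as exc:
        return "reject:" + str(exc).split(":")[0]


# Constructed sample messages (not captured traffic).
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
        b'<m:GetQuote xmlns:m="http://example.invalid/stock"><m:symbol>ACME</m:symbol>'
        b'</m:GetQuote></soap:Body></soap:Envelope>')
BAD_PARAM = GOOD.replace(b"</m:symbol>", b"</m:symbol><m:debug>1</m:debug>")
DEEP = GOOD.replace(b"<soap:Body>", b"<soap:Header>" + b"<x>" * 10 + b"</x>" * 10
                    + b"</soap:Header><soap:Body>")
DTD = b'<!DOCTYPE e [<!ENTITY a "aaaa">]>' + GOOD
OVERSIZE = b"<x>" + b"a" * MAX_BYTES

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("bad_param", BAD_PARAM), ("deep", DEEP),
                       ("dtd", DTD), ("oversize", OVERSIZE), ("truncated", b"<soap:Envelope>")]:
        print(label, classify(msg))
```

The checks run in cost order: the byte length is tested before any parsing, the DOCTYPE, depth and element-count limits fire during the streaming parse, and the grammar check against the expected `Envelope`/`Body`/operation/parameter structure is applied element by element, so a rejected message is dropped as soon as the offending element is seen rather than after a full parse.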
© 2006 International Federation for Information Processing
Cite this paper
Gruschka, N., Luttenberger, N. (2006). Protecting Web Services from DoS Attacks by SOAP Message Validation. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds) Security and Privacy in Dynamic Environments. SEC 2006. IFIP International Federation for Information Processing, vol 201. Springer, Boston, MA. https://doi.org/10.1007/0-387-33406-8_15
DOI: https://doi.org/10.1007/0-387-33406-8_15
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-33405-9
Online ISBN: 978-0-387-33406-6
eBook Packages: Computer Science (R0)