Protecting Web Services from DDOS Attacks T.Ponraj MCA, Research Assistant , Pondicherry University , Puducherry.

Post on 21-Apr-2017



Web services

• Software components that can be published, located, and run over the Internet using Extensible Markup Language (XML).

• A web service is a software application that works over the internet.

• A web service is a service-oriented application that communicates over the web using messages.

• The web service is also software, with its own class and methods.

Working of a web service

A request by the client application consists of constructing and sending a SOAP request over HTTP to the web server.

For a web service to work, the computer has to be connected to the internet.

The web server hosts the class and its methods of a web service, for a client computer to request and use.

Any client computer located anywhere in the world, with an internet connection, can request and use the class and its methods of the web service.

Web Service Technologies

• The Web

• XML

• SOA

A web service is a service-oriented application that communicates over the web using messages.

Web Service Roles

Service provider :- Who develops or supplies the service.

Service consumer (or) Requester :- Who uses the service.

Service broker :- Facilitates the advertising and discovery process.

Operations on a web service

Register :- The service provider registers the service with a service broker.

Find :- The service broker gives the service consumer directions on how to find the service and its service contract.

Bind :- The service consumer uses the contract to bind the client to the service, at which point the client and service can communicate.

Web Service Standards

WSDL :- WSDL provides a mechanism to describe a Web service.

UDDI :- UDDI provides a mechanism to advertise and discover a Web service.

SOAP :- SOAP provides a mechanism for clients and services to communicate.

Functional SOA (figure; only the label FIND survived extraction)

Denial Of Service

The prevention of authorized access to resources or the delaying of time-critical operations.

Targets for a DoS attack include the communications bandwidth, memory buffers, computational resources, the network protocol or application processing logic of the victim, or any systems on which the victim depends for delivering service, e.g. the domain name system (DNS) or a credit card payment service.

DoS in Web Services

• WS messages are expressed using XML technology, which itself contains DoS vulnerabilities; these extend to WS applications.

• The loosely-coupled nature of WS applications means that clients need access to application metadata in order to invoke services.

• The authentication of each and every request can itself be exploited by attackers, due to the heavy processing required by some authentication systems, especially those based on public-key cryptography.

Literature Survey

• Paper # 1 : “Protecting Web Services from DDOS attacks by SOAP message validation”

• Paper # 2 : “Defending Web Services against DOS attacks using Client puzzles”

• Paper # 3 : “Validating DOS vulnerabilities in Web Services”, Sep 2010.

• Paper # 4 : “JXTA & Web Services using Secret key based Encryption”

Paper # 1 : SOAP Validation

Attacks :-

1. Protocol Deviation Attack

2. Resource Exhaustion

Result :- CheckWay Gateway

Author :- Nils Gruschka, Norbert Luttenberger, Christian-Albrechts-University of Kiel

1.1. Protocol Deviation Attacks

Protocol Deviation Attacks exploit vulnerabilities in implementations of protocol processing entities.

In some cases a single packet that diverges from the intended protocol flow can make the attacked system crash.

A well-known example is Ping of Death.

1.2. Resource Exhaustion

Resource Exhaustion attacks consume the resources necessary to provide the service (network bandwidth, memory and computation resources).

The simplest attack produces an extremely high network traffic load on the system providing the service.

A well-known example is Dump Flooding.

2.1 Results

CheckWay Gateway is an XML validation engine, which validates the SOAP message against the appropriate schemas.

If the validation is successful, the SOAP message is forwarded.

SOAP messages containing an “unlimited” number of elements do not match the (hardened) schema and are rejected.

2.1 CheckWay Web Service Firewall (figure)

Paper # 2 : Client Puzzles

Attacks :-

1. Flooding Attack

2. Semantic Attack (or) Heavy Cryptography Attack

Result :- Client Puzzles

Author :- Suriadi Suriadi, Douglas Stebila, Andrew Clark and Hua Liu. Queensland University of Technology, Australia.

2.1. Flooding Attack

This attack attempts to exhaust a server’s resources by sending a large number of legitimate requests.

Such an attack cannot be detected by relying on a signature-based XML firewall.

It is mitigated through some form of lower network layer packet analysis, such as IP address analysis.

2.2. Semantic Attack

This is the heavy cryptographic processing attack, in which an attacker sends a payload with an oversized WS-Security header containing many cryptographic elements.

The goal is to overload the server’s resources, either through parsing a large security header or by forcing the server to process the numerous cryptographic directives.

2.3. Result

• Client puzzles, also called proofs of work, can be used to counter resource-depletion denial of service attacks.

• Before a server is willing to perform some computationally expensive operation, it requires that the client commit some of its own resources and solve some moderately hard puzzle.

• The most commonly proposed type of client puzzle is a hash-based computation-bound puzzle, in which a client is required to find a partial preimage in a cryptographic hash function.

$H(C;\, N_S;\, N_C;\, X) = \underbrace{0 \cdots 0}_{d\ \text{bits}} \,\|\, Y$

H - cryptographic hash function, C - client, N_S - server nonce, N_C - client nonce, X - client solution, d - number of leading zero bits, Y - the remaining string.

The client puzzle protocol (figure; surviving labels: Client, Server, Buffer, Service request R, Request puzzle, Result puzzle, O.K.)
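The hash-based puzzle and the exchange in the figure, as an added example (not code from the paper or the slides): the server issues a nonce and a difficulty d, the client searches for an X whose hash starts with d zero bits, and the server checks the answer with a single hash. SHA-256, the length-prefixed field encoding and the 8-byte encoding of X are assumptions.

```python
import hashlib
import secrets


def puzzle_hash(client_id: bytes, ns: bytes, nc: bytes, x: int) -> bytes:
    """H(C; N_S; N_C; X) from the slide.  Assumption: SHA-256 over the four
    fields, each prefixed with its 2-byte length so fields cannot run into
    each other, with X encoded as an 8-byte big-endian integer."""
    h = hashlib.sha256()
    for field in (client_id, ns, nc, x.to_bytes(8, "big")):
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()


def has_leading_zero_bits(digest: bytes, d: int) -> bool:
    """True iff the first d bits of digest are zero, i.e. digest = 0..0 || Y."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - d) == 0


def issue_puzzle(d: int) -> tuple[bytes, int]:
    """Server side (Request puzzle): a fresh server nonce N_S plus the
    difficulty d.  The nonce keeps solutions from being precomputed or
    replayed; remembering issued nonces for a short time is assumed but
    not shown here."""
    return secrets.token_bytes(16), d


def solve_puzzle(client_id: bytes, ns: bytes, nc: bytes, d: int) -> int:
    """Client side (Result puzzle): brute-force the smallest X that works.
    Expected cost is about 2**d hash evaluations."""
    x = 0
    while not has_leading_zero_bits(puzzle_hash(client_id, ns, nc, x), d):
        x += 1
    return x


def verify_solution(client_id: bytes, ns: bytes, nc: bytes, x: int, d: int) -> bool:
    """Server side: one hash regardless of d, so verification stays cheap
    while the client's work grows with the difficulty."""
    return has_leading_zero_bits(puzzle_hash(client_id, ns, nc, x), d)


def run_exchange(client_id: bytes, d: int) -> bool:
    """Constructed walk-through of the protocol figure for one request R."""
    ns, d = issue_puzzle(d)                 # server -> client: Request puzzle
    nc = secrets.token_bytes(8)             # client picks its own nonce N_C
    x = solve_puzzle(client_id, ns, nc, d)  # client -> server: Result puzzle
    return verify_solution(client_id, ns, nc, x, d)  # server: O.K. or drop
```

Raising d by one doubles the client's expected work while the server's verification cost stays at one hash, which is what makes the puzzle a useful throttle against the flooding and semantic attacks above.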

Paper # 3 : Validating DoS

Attacks :-

1. Deeply-Nested XML

2. WSDL Flooding

3. Heavy Cryptographic Processing

4. Malformed External Schema Referencing

Result :- SNMP, MIB

Author :- Suriadi Suriadi, Andrew Clark and Desmond Schmidt. Queensland University of Technology, Australia.

3.1. Deeply-Nested XML

This type of attack exploits the SOAP format, which allows the embedding of excessively nested XML in the message body.

The SOAP message is then sent to a WS provider.

The goal is to force the XML parser within the service to exhaust the memory resources of the host system by processing numerous deeply-nested documents, and so cause a denial of service.

3.2. WSDL Flooding

WSDL specifications are in most cases publicly accessible, and access is often unauthenticated.

As a result, a brute force DoS attack could be initiated by sending a large number of WSDL requests.

3.3. Heavy Cryptographic Processing

The SOAP message also allows for multiple signature blocks to be included within a SOAP header.

Therefore, an attacker could craft a SOAP message containing only one <wsse:Security> header block, but with a large number of <ds:Signature> elements.

The server then has to process every <ds:Signature> element, resulting in CPU exhaustion, since the signature verification process involves heavy public key cryptographic processing. A similar attack also targets message encryption.

3.4. Malformed External Schema Referencing

The syntax of an XML schema specification allows a document to reference an externally defined XML namespace.

An XML parser may then attempt to contact the referenced location to obtain the schema.

This attribute of XML processing can result in various types of DoS. One type of attack references a malformed schema.

In another type of attack, a malicious provider may point to a bogus schema location that instead causes the parser to retrieve a large or malicious payload.
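A message gate in the spirit of the CheckWay hardened schema (2.1 Results) against attacks 3.1 and 3.3, added here as an example and not code from either paper: one streaming pass rejects a message whose nesting depth or ds:Signature count exceeds a bound, before the parser builds the full tree or any signature is verified. The limits, the namespace wiring and the sample envelopes are constructed for this example.

```python
import io
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SIGNATURE_TAG = f"{{{DS}}}Signature"

class SoapRejected(Exception):
    """A structural limit was breached before any expensive processing ran."""

def check_soap_limits(data: bytes, max_depth: int = 16, max_signatures: int = 1) -> dict:
    """One streaming pass over the message, tracking nesting depth, element
    count and ds:Signature count.  Aborts at the first breach, so a hostile
    payload is neither fully built in memory (3.1) nor handed to signature
    verification (3.3).  The limits are assumed stand-ins for schema bounds."""
    depth = peak = elements = signatures = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            elements += 1
            peak = max(peak, depth)
            if depth > max_depth:
                raise SoapRejected(f"nesting depth {depth} exceeds {max_depth}")
            if elem.tag == SIGNATURE_TAG:
                signatures += 1
                if signatures > max_signatures:
                    raise SoapRejected(f"more than {max_signatures} ds:Signature")
        else:
            depth -= 1
            elem.clear()  # release subtrees already inspected
    return {"depth": peak, "elements": elements, "signatures": signatures}

def is_accepted(data: bytes, **limits) -> bool:
    """Gateway decision: True means forward to the service, False means drop."""
    try:
        check_soap_limits(data, **limits)
        return True
    except (SoapRejected, ET.ParseError):
        return False

def envelope(header: str, body: str) -> bytes:
    """Constructed sample SOAP 1.1 envelope (not taken from either paper)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}">'
            f"<soap:Header>{header}</soap:Header>"
            f"<soap:Body>{body}</soap:Body></soap:Envelope>").encode()

SIG = "<ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>"
BENIGN = envelope(SIG, "<GetQuote><symbol>ACME</symbol></GetQuote>")
DEEPLY_NESTED = envelope("", "<x>" * 500 + "boom" + "</x>" * 500)  # attack 3.1
MANY_SIGNATURES = envelope(SIG * 50, "<GetQuote/>")                 # attack 3.3
```

Attack 3.4 is not covered by this gate; keep external schema and DTD fetching disabled in whatever validates the message after it.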

3.5. Results

• The Network Interface Card may be saturated with traffic, and the available CPU and memory resources may be very limited.

Two interface cards :-

• The monitoring network carries no attack traffic, only monitoring requests, so it is available for measuring the performance of the target machine.

• The monitoring technology used was the Simple Network Management Protocol (SNMP).

Experimental DoS Testbed (figure; surviving labels: Attack Network, Monitoring Network)

Paper # 4 : Secret Key based Encryption

Aim :- To develop a distributed service discovery mechanism.

Result :- RSA, AES

Author :- Sabiha Hossain, Upama Kabir, Shaila Rahman and Aloke Kumar Saha. University of Asia Pacific (UAP), Dhaka, Bangladesh.

4.1 Abstract

JXTA is a P2P (Peer-to-Peer) Semantic Web application.

The aim of this thesis will be to develop a distributed service discovery mechanism.

JXTA's P2P model provides a perfect solution for Web Service discovery and an algorithm for Web Service security.

The implementation uses an algorithm for web service security based on an RSA cryptographic library and AES encryption technology.

It focuses on peer-to-peer as a method to combine Web Services and mobile ad hoc networks, and on using JXTA as the peer-to-peer platform.

4.2 JXTA Protocols

• JXTA technology is a set of protocols.

• Each protocol is defined by one or more messages exchanged among participants of the protocol.

• Each message has a pre-defined format.

• It is akin to TCP/IP.

• Peer Discovery Protocol

• Peer Resolver Protocol

• Peer Information Protocol

• Peer Membership Protocol

• Pipe Binding Protocol

• Endpoint Routing Protocol

4.3. JXTA Architecture (figure)

4.4. Service Invocation from a JXTA Network (figure; surviving labels: Client Application, Decrypt & Authenticate User Info, Encrypted User Info, Service, JAX-WS, JXTA Pipe, JXTA Message, SOAP)

4.5. Web Service Security

• RSA Encryption :- Ron Rivest, Adi Shamir, and Len Adleman developed the public key encryption scheme that is now known as RSA.

• AES :- The Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government.

4.6. Encryption Decryption Procedure

Client

• RSA Signing Private Key

• RSA Exchange Public Key

Server

• RSA Signing Public Key

• RSA Exchange Private Key

Secure Login (Single Sign-on or Secure Login).

References

• “Defending Web Services Against Denial of Service Attacks Using Client Puzzles”, Suriadi Suriadi, Douglas Stebila, Andrew Clark, and Hua Liu. Information Security Institute, Queensland University of Technology, Brisbane, Queensland, Australia.

• “Validating Denial of Service Vulnerabilities in Web Services”, Suriadi Suriadi, Andrew Clark, and Desmond Schmidt. Information Security Institute, Queensland University of Technology, Brisbane, Queensland, Australia.

• “JXTA & Web Services Using Secret Key Based Encryption”, Sabiha Hossain, Upama Kabir, Shaila Rahman and Aloke Kumar Saha.

• “Protecting Web Services from DDOS attacks by SOAP message validation”, Nils Gruschka, Norbert Luttenberger, Christian-Albrechts-University of Kiel.

• “Web Service Security Management Using Semantic Web Techniques”, Diego Zuquim Guimarães Garcia, Maria Beatriz Felgar de Toledo, University of Campinas, POB 6176, Postal Code 13.084-971, Campinas, SP, Brazil.

Thank You