Protecting Web Services from DDOS Attacks
T. Ponraj, MCA, Research Assistant, Pondicherry University, Puducherry.
Web services
• Software components that can be published, located, and run over the Internet using Extensible Markup Language (XML).
• A web service is a software application that works over the internet.
• A web service is a service-oriented application that communicates over the web using messages.
• A web service is also software, with its own class and methods.
Working of a web service
A request by the client application consists of constructing and sending a SOAP request over HTTP to the web server. For a web service to work, the computer has to be connected to the internet. The web server hosts the class and its methods of a web service, for a client computer to request and use. Any client computer located anywhere in the world, with an internet connection, can request and use the class and its methods of the web service.
Web Service Technologies
A web service is a service-oriented application that communicates over the web using messages. Its building blocks:
• The Web
• XML
• SOA
Web Service Roles
• Service provider :- Who develops or supplies the service.
• Service consumer (or) Requester :- Who uses the service.
• Service broker :- Facilitates the advertising and discovery process.
Operations on a web service
• Register :- The service provider registers the service with a service broker.
• Find :- The service broker gives the service consumer directions on how to find the service and its service contract.
• Bind :- The service consumer uses the contract to bind the client to the service, at which point the client and service can communicate.
Web Service Standards
• WSDL :- WSDL provides a mechanism to describe a Web service.
• UDDI :- UDDI provides a mechanism to advertise and discover a Web service.
• SOAP :- SOAP provides a mechanism for clients and services to communicate.
Denial of Service
The prevention of authorized access to resources or the delaying of time-critical operations. Targets for a DoS attack include the communications bandwidth, memory buffers, computational resources, the network protocol or application processing logic of the victim, or any systems on which the victim depends for delivering service, e.g. the domain name system (DNS) or a credit card payment service.
DoS in Web Services
• WS messages are expressed using XML, which itself contains DoS vulnerabilities; these extend to WS applications.
• The loosely-coupled nature of WS applications means that clients need access to application metadata (such as WSDL) in order to invoke services, so that metadata is usually exposed to unauthenticated requesters.
• The authentication of each and every request can itself be exploited by attackers, because of the heavy processing required by some authentication systems, especially those based on public-key cryptography.
Literature Survey
• Paper # 1 : “Protecting Web Services from DDOS attacks by SOAP message validation”
• Paper # 2 : “Defending Web Services against DOS attacks using Client puzzles”
• Paper # 3 : “Validating DOS vulnerabilities in Web Services”, Sep 2010.
• Paper # 4 : “JXTA & Web Services using Secret key based Encryption”
Paper # 1 : SOAP Validation
Attacks :- 1. Protocol Deviation Attack 2. Resource Exhaustion
Result :- CheckWay Gateway
Authors :- Nils Gruschka, Norbert Luttenberger, Christian-Albrechts-University of Kiel
1.1. Protocol Deviation Attacks
Protocol Deviation Attacks exploit vulnerabilities in implementations of protocol processing entities. In some cases a single packet that diverges from the intended protocol flow can make the attacked system crash. A well-known example is Ping of Death.
1.2. Resource Exhaustion
Resource Exhaustion attacks consume the resources necessary to provide the service (network bandwidth, memory and computation resources). The simplest attack produces an extremely high network traffic load on the system providing the service. A well-known example is Dump Flooding.
1.3. Results
CheckWay Gateway is an XML validation engine, which validates the SOAP message against the appropriate schemas. If the validation is successful, the SOAP message is forwarded. SOAP messages containing an “unlimited” number of elements do not match the (hardened) schema, whose element counts and nesting are bounded, and are rejected before they reach the service.
Paper # 2 : Client Puzzles
Attacks :- 1. Flooding Attack 2. Semantic Attack (or) Heavy Cryptography Attack
Result :- Client Puzzles
Authors :- Suriadi Suriadi, Douglas Stebila, Andrew Clark and Hua Liu. Queensland University of Technology, Australia.
2.1. Flooding Attack
This attack attempts to exhaust a server’s resources by sending a large number of legitimate requests. Because each request is well-formed, the attack cannot be detected by relying on a signature-based XML firewall. It is mitigated through some form of lower network-layer packet analysis, such as IP address analysis.
2.2. Semantic Attack
This is the heavy cryptographic processing attack, in which an attacker sends a payload with an oversized WS-Security header containing many cryptographic elements. The goal is to overload the server’s resources, either through parsing a large security header or by forcing the server to process the numerous cryptographic directives.
2.3. Result
• Client puzzles, also called proofs of work, can be used to counter resource-depletion denial of service attacks.
• Before a server is willing to perform some computationally expensive operation, it requires that the client commit some of its own resources and solve some moderately hard puzzle.
• The most commonly proposed type of client puzzle is a hash-based computation-bound puzzle, in which the client is required to find a partial preimage in a cryptographic hash function:

  H(C, N_S, N_C, X) = 0^d || Y

  H - cryptographic hash function, C - client identity, N_S - server nonce, N_C - client nonce, X - client solution, d - number of leading zero bits required (the difficulty), Y - the remaining bits of the hash output, || - concatenation.
The client puzzle protocol
1. Client → Server : service request R
2. Server → Client : puzzle (request puzzle)
3. Client → Server : puzzle result
4. Server : checks the result; if O.K., the request is accepted into the buffer for processing
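The hash-based puzzle from 2.3 and the four-step exchange above, written out as an added example (this is not code from the paper, which gives only the construction); it assumes SHA-256 as H, 16-byte random nonces, an 8-byte big-endian encoding of X, and a 16-bit difficulty chosen so the search finishes quickly on a laptop.

```python
import hashlib
import os


def puzzle_hash(client_id: bytes, server_nonce: bytes, client_nonce: bytes, solution: int) -> bytes:
    """H(C, N_S, N_C, X): SHA-256 over the concatenation of the four puzzle inputs (assumed encoding)."""
    return hashlib.sha256(
        client_id + server_nonce + client_nonce + solution.to_bytes(8, "big")
    ).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Length of the 0...0 prefix of the digest, i.e. how many difficulty bits a candidate X satisfies."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve_puzzle(client_id: bytes, server_nonce: bytes, difficulty_bits: int) -> tuple[bytes, int]:
    """Client side (step 3): pick a fresh N_C and search X upward until the hash has d leading zero bits."""
    client_nonce = os.urandom(16)
    solution = 0
    while leading_zero_bits(puzzle_hash(client_id, server_nonce, client_nonce, solution)) < difficulty_bits:
        solution += 1
    return client_nonce, solution


class PuzzleServer:
    """Server side: issues one nonce per request (step 2) and accepts each nonce at most once (step 4)."""

    def __init__(self, difficulty_bits: int = 16) -> None:
        self.difficulty_bits = difficulty_bits
        self._outstanding: set[tuple[bytes, bytes]] = set()

    def issue_puzzle(self, client_id: bytes) -> bytes:
        server_nonce = os.urandom(16)
        self._outstanding.add((client_id, server_nonce))
        return server_nonce

    def verify_solution(self, client_id: bytes, server_nonce: bytes, client_nonce: bytes, solution: int) -> bool:
        key = (client_id, server_nonce)
        if key not in self._outstanding:
            return False  # nonce never issued, or already spent: a replayed solution earns nothing
        if leading_zero_bits(puzzle_hash(client_id, server_nonce, client_nonce, solution)) < self.difficulty_bits:
            return False  # verification costs the server a single hash, the client cost about 2^d of them
        self._outstanding.discard(key)  # one accepted solution per nonce
        return True


def run_exchange(difficulty_bits: int = 16) -> tuple[bool, int]:
    """Whole protocol for one constructed client; returns (accepted, X) so the result can be checked."""
    server = PuzzleServer(difficulty_bits)
    client_id = b"client-A"  # constructed client identity C
    server_nonce = server.issue_puzzle(client_id)               # steps 1-2
    client_nonce, x = solve_puzzle(client_id, server_nonce, difficulty_bits)  # step 3
    return server.verify_solution(client_id, server_nonce, client_nonce, x), x  # step 4


if __name__ == "__main__":
    accepted, x = run_exchange()
    print(f"accepted={accepted} after the client tried {x + 1} candidate solutions")
```

The asymmetry is the point: the client spends roughly 2^d hash evaluations on average, the server spends one hash and one set lookup, and because the server nonce is consumed on success a flood of replayed solutions is rejected as cheaply as unsolved requests.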
Paper # 3 : Validating DOS
Attacks :- 1. Deeply-Nested XML 2. WSDL Flooding 3. Heavy Cryptographic Processing 4. Malformed External Schema Referencing
Result :- SNMP MIB
Authors :- Suriadi Suriadi, Andrew Clark and Desmond Schmidt. Queensland University of Technology, Australia.
3.1. Deeply-Nested XML
This type of attack exploits the SOAP format, which allows the embedding of excessively nested XML in the message body. The SOAP message is then sent to a WS provider. The goal is to force the XML parser within the service to exhaust the memory resources of the host system by processing numerous deeply-nested documents, and so cause a denial of service.
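The defence described for Paper # 1 (reject messages with an unbounded number of elements before they reach the service) and the nesting-depth problem in 3.1 share one mechanism: enforce limits while streaming the message, so the rejection itself costs almost nothing. The following is an added example using Python's standard SAX parser; it is not the CheckWay Gateway's code, and the limits of 32 levels and 1000 elements, like the sample SOAP messages, are constructed for illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class LimitExceeded(Exception):
    """Raised from inside the parser as soon as a limit is crossed, so parsing stops early."""


class SoapLimitHandler(ContentHandler):
    """Counts elements and nesting depth as the parser streams the document."""

    def __init__(self, max_depth: int, max_elements: int) -> None:
        super().__init__()
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.depth = 0
        self.max_depth_seen = 0
        self.elements = 0

    def startElement(self, name, attrs):
        self.depth += 1
        self.elements += 1
        self.max_depth_seen = max(self.max_depth_seen, self.depth)
        if self.depth > self.max_depth:
            raise LimitExceeded(f"nesting depth {self.depth} exceeds limit {self.max_depth} at <{name}>")
        if self.elements > self.max_elements:
            raise LimitExceeded(f"element count exceeds limit {self.max_elements} at <{name}>")

    def endElement(self, name):
        self.depth -= 1


def check_soap_limits(message: bytes, max_depth: int = 32, max_elements: int = 1000) -> tuple[bool, str]:
    """Return (accepted, reason). Only a bounded prefix of an oversized message is ever parsed."""
    handler = SoapLimitHandler(max_depth, max_elements)
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, False)  # never fetch external entities while checking
    try:
        parser.parse(io.BytesIO(message))
    except LimitExceeded as exc:
        return False, str(exc)
    except xml.sax.SAXParseException as exc:
        return False, f"malformed XML: {exc}"
    return True, f"accepted: {handler.elements} elements, max depth {handler.max_depth_seen}"


# Constructed sample messages (not taken from the papers).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BENIGN_SOAP = (
    b'<?xml version="1.0"?>\n'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><getQuote xmlns="urn:example:stock"><symbol>ACME</symbol></getQuote></soap:Body>'
    b"</soap:Envelope>"
)


def nested_soap(levels: int) -> bytes:
    """Envelope whose body nests <x> `levels` deep (the 3.1 pattern)."""
    return (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            + b"<x>" * levels + b"</x>" * levels + b"</soap:Body></soap:Envelope>")


def many_elements_soap(count: int) -> bytes:
    """Envelope whose body carries `count` sibling elements (the 'unlimited elements' pattern)."""
    return (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><list>'
            + b"<item/>" * count + b"</list></soap:Body></soap:Envelope>")


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_SOAP), ("nested", nested_soap(5000)), ("many", many_elements_soap(100000))):
        print(label, check_soap_limits(msg))
```

Raising out of the handler is what keeps the check cheap: the nested and wide samples are abandoned at the 33rd level or the 1001st element, so the cost of rejecting a multi-megabyte message is bounded by the limits, not by the message.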
3.2. WSDL Flooding
WSDL specifications are in most cases publicly accessible, and access is often unauthenticated. As a result, a brute-force DoS attack could be initiated by sending a large number of WSDL requests.
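Both the flooding attack of 2.1 (mitigated by lower-layer analysis such as per-IP address analysis) and the WSDL flooding of 3.2 (many unauthenticated metadata requests) call for the same control: a per-source rate limit on requests the server cannot otherwise distinguish from legitimate ones. This added example is not from either paper; it implements a sliding-window limiter in Python and replays constructed access-log lines (timestamp, source IP, method, path) through it, limiting only `?wsdl` fetches. The 10-requests-per-10-seconds threshold and the TEST-NET addresses are illustrative.

```python
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Sliding-window limiter: at most max_requests per source IP within any window_seconds span."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, source_ip: str, now: float) -> bool:
        window = self._hits[source_ip]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()  # drop timestamps that have aged out of the window
        if len(window) >= self.max_requests:
            return False
        window.append(now)
        return True


def is_metadata_request(method: str, path: str) -> bool:
    """WSDL fetches are the unauthenticated requests 3.2 is about; SOAP POSTs are left to other controls."""
    return method == "GET" and path.lower().endswith("?wsdl")


# Constructed log: one source fetches the WSDL 20 times in under 5 s, another 3 times in 6 s plus one POST.
LOG_LINES = sorted(
    [f"{1000 + 0.25 * i:.2f} 203.0.113.5 GET /StockService?wsdl" for i in range(20)]
    + [f"{1000 + 3 * i:.2f} 198.51.100.7 GET /StockService?wsdl" for i in range(3)]
    + ["1001.00 198.51.100.7 POST /StockService"],
    key=lambda line: float(line.split()[0]),
)


def replay_log(lines: list[str], limiter: PerSourceRateLimiter) -> dict[str, dict[str, int]]:
    """Feed log lines in time order; count allowed/denied metadata requests and pass-through requests per IP."""
    outcome: dict[str, dict[str, int]] = defaultdict(lambda: {"allowed": 0, "denied": 0, "passed": 0})
    for line in lines:
        ts, ip, method, path = line.split()
        if not is_metadata_request(method, path):
            outcome[ip]["passed"] += 1
            continue
        verdict = "allowed" if limiter.allow(ip, float(ts)) else "denied"
        outcome[ip][verdict] += 1
    return dict(outcome)


if __name__ == "__main__":
    for ip, counts in replay_log(LOG_LINES, PerSourceRateLimiter(10, 10.0)).items():
        print(ip, counts)
```

A deque per source keeps each decision O(1) amortised; in front of a real gateway the same policy is usually expressed in the reverse proxy or firewall, which is the "lower network layer" analysis Paper # 2 refers to.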
3.3. Heavy Cryptographic Processing
The SOAP message also allows for multiple signature blocks to be included within a SOAP header. Therefore, an attacker could craft a SOAP message containing only one <wsse:Security> header block, but with a large number of <ds:Signature> elements. The server must process every <ds:Signature> element, resulting in CPU exhaustion, since the signature verification process involves heavy public-key cryptographic processing. A similar attack also targets message encryption.
3.4. Malformed External Schema Referencing
The syntax of an XML schema specification allows a document to reference an externally defined XML namespace. An XML parser may then attempt to contact the referenced location to obtain the schema. This attribute of XML processing can result in various types of DoS. One type of attack references a malformed schema. In another type of attack, a malicious provider may point to a bogus schema location that instead causes the parser to retrieve a large or malicious payload.
3.5. Results
• During an attack the Network Interface Card may be saturated with traffic and the available CPU and memory resources may be very limited, so the target was fitted with two interface cards:
  - Attack Network
  - Monitoring Network
• The monitoring network carries no attack traffic, only monitoring requests, so it remains available for measuring the performance of the target machine.
• The monitoring technology used was the Simple Network Management Protocol (SNMP).
Paper # 4 : Secret Key based Encryption
Aim :- To develop a distributed service discovery mechanism.
Result :- RSA, AES
Authors :- Sabiha Hossain, Upama Kabir, Shaila Rahman and Aloke Kumar Saha. University of Asia Pacific (UAP), Dhaka, Bangladesh.
4.1 Abstract
JXTA is a P2P (Peer-to-Peer) Semantic Web application. The aim of this thesis is to develop a distributed service discovery mechanism. JXTA's P2P model provides a perfect solution for Web Service discovery and an algorithm for Web Service security. The paper presents an implementation of web service security using an RSA cryptographic library and AES encryption. It focuses on peer-to-peer as a method to combine Web Services and mobile ad hoc networks, and on JXTA as the peer-to-peer platform.
4.2 JXTA Protocols
• JXTA technology is a set of protocols.
• Each protocol is defined by one or more messages exchanged among participants of the protocol.
• Each message has a pre-defined format.
• It is akin to TCP/IP.
The protocols:
• Peer Discovery Protocol
• Peer Resolver Protocol
• Peer Information Protocol
• Peer Membership Protocol
• Pipe Binding Protocol
• Endpoint Routing Protocol
4.4. Service Invocation from a JXTA Network
[Figure: the client application encrypts the user info and sends it over a JXTA pipe as a JXTA message; the service decrypts and authenticates the user info; JAX-WS on both sides carries the SOAP exchange.]
4.5. Web Service Security
• RSA Encryption :- Ron Rivest, Adi Shamir, and Len Adleman developed the public key encryption scheme that is now known as RSA.
• AES :- The Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government.
4.6. Encryption Decryption Procedure
Client holds:
• RSA Signing Private Key
• RSA Exchange Public Key
Server holds:
• RSA Signing Public Key
• RSA Exchange Private Key
Secure Login (Single Sign-On or Secure Login).
References
• “Defending Web Services Against Denial of Service Attacks Using Client Puzzles”, Suriadi Suriadi, Douglas Stebila, Andrew Clark, and Hua Liu. Information Security Institute, Queensland University of Technology, Brisbane, Queensland, Australia.
• “Validating Denial of Service Vulnerabilities in Web Services”, Suriadi Suriadi, Andrew Clark, and Desmond Schmidt. Information Security Institute, Queensland University of Technology, Brisbane, Queensland, Australia.
• “JXTA & Web Services Using Secret Key Based Encryption”, Sabiha Hossain, Upama Kabir, Shaila Rahman and Aloke Kumar Saha.
• “Protecting Web Services from DDOS attacks by SOAP message validation”, Nils Gruschka, Norbert Luttenberger. Christian-Albrechts-University of Kiel.
• “Web Service Security Management Using Semantic Web Techniques”, Diego Zuquim Guimarães Garcia, Maria Beatriz Felgar de Toledo. University of Campinas, POB 6176, Postal Code 13.084-971, Campinas, SP, Brazil.