Protection of XML-Based Denial-of-Service and HTTP Flooding Attacks in Web Services Using the Middleware Tool

  • Abstract

    A web service is a method of communication between web applications and their clients. Web services are flexible and scalable because they are independent of both the hardware and software infrastructure. The lack of security protection offered by web services creates a gap which attackers can exploit. Web services are offered over the HyperText Transfer Protocol (HTTP) with the Simple Object Access Protocol (SOAP) as the underlying infrastructure, and they rely heavily on the Extensible Markup Language (XML). Hence, web services are most vulnerable to attacks which use XML as the attack vector. Recently, a new type of XML-based Denial-of-Service (XDoS) attack has surfaced which targets web services. The purpose of these attacks is to consume system resources by sending SOAP requests that contain malicious XML content. Unfortunately, these malicious requests go undetected at the network and transport layers of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, as they appear to be legitimate packets. In this paper, a middleware tool is proposed to provide real-time detection and prevention of XDoS and HTTP flooding attacks in web services. The tool focuses on attacks at two layers of the Open Systems Interconnection (OSI) model: it detects and prevents XDoS attacks at the application layer and prevents flooding attacks at the network layer. A rule-based approach is used to classify requests as either normal or malicious in order to detect XDoS attacks. The experimental results from the middleware tool demonstrate that the rule-based technique efficiently detects and prevents XDoS and HTTP flooding attacks such as the oversized payload, coercive parsing and XML external entities in close to real time (about 0.006 s) over the web services. The middleware tool provides close to 100% service availability to normal requests, hence protecting the web service against XDoS and distributed XDoS (DXDoS) attacks.
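    The rule-based classification the abstract describes, shown as an added illustration that is not the paper's middleware: a size rule (oversized payload), a nesting-depth rule (coercive parsing) and a DOCTYPE rule (XML external entities) applied to a SOAP body before the service parses it, plus a sliding-window rule for HTTP flooding. The thresholds, rule names and the client identifier are assumptions made for this example.

```python
import xml.parsers.expat
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values taken from the paper.
MAX_BYTES = 64 * 1024       # oversized-payload rule
MAX_DEPTH = 32              # coercive-parsing rule (element nesting depth)
MAX_REQ_PER_WINDOW = 20     # HTTP-flooding rule (requests per client per window)
WINDOW_SECONDS = 1.0

class Rejected(Exception):
    """Raised inside a parser callback to abort parsing as soon as a rule fires."""

def classify_soap(body: bytes) -> str:
    """Return 'normal' or the name of the first XDoS rule the request violates."""
    if len(body) > MAX_BYTES:           # decided before any parsing work is spent
        return "oversized payload"
    depth = 0
    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise Rejected("coercive parsing")
    def end(name):
        nonlocal depth
        depth -= 1
    def doctype(name, sysid, pubid, has_internal_subset):
        # SOAP never needs a DTD, so any DOCTYPE is treated as an entity attack (XXE / expansion)
        raise Rejected("xml external entities")
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(body, True)        # streaming parse: no DOM is built for the request
    except Rejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:
        return "malformed xml"
    return "normal"

_recent = defaultdict(deque)            # client id -> timestamps of requests in the window

def flooding(client: str, now: float) -> bool:
    """Sliding-window HTTP-flooding rule: True once a client exceeds its per-window budget."""
    q = _recent[client]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    q.append(now)
    return len(q) > MAX_REQ_PER_WINDOW
```

    A request is forwarded to the service only when `classify_soap` returns "normal" and `flooding` returns False; anything else is dropped at the middleware.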



  • Keywords

    Web Service, SOA, SOAP, XML, Denial-of-Service, XDoS, DXDoS




Article ID: 20570
DOI: 10.14419/ijet.v7i4.7.20570

Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.