I would think that a session-scoped service would be a much greater
risk.  Like an induced memory leak.

I would also think that typically, most of the consumed resources in a
"well-formed" DoS would be in the parsing of the XML, and the
serialization / deserialization.  So the application code, db, etc.,
may have somewhat of a break.  Unlike a website, where you would see
your db pool have problems, etc.

But what about malformed requests to an Axis service?  It would be
interesting to stress test Axis with a combination of well-formed and
malformed requests, to see how the Exception handling releases
resources, etc.

Ben



On Tue, 2003-01-28 at 14:03, James Flagg wrote:
> 
> Since you are most likely using SOAP over HTTP, you have the same tools used
> to protect other HTTP services  -- you can require client certificates,
> restrict to certain IPs, use HTTP basic authentication, etc., which can all
> be set up using your web application server.  But these are probably useful
> only if you are dealing with known clients or partners.  If you truly want
> your web service to be available to all, I'm not sure there's much you can
> do.  Denial of service attacks are pretty hard to fight against.  There may
> be some anti-DoS technologies out there but I don't know much about that.  I
> think you are correct in that a publicly available, request-scoped service
> could be a risk.  Sorry if that's not much of an answer.
> 
> 
> James
> 
> 
> -----Original Message-----
> From: Nicolas Dinh [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 28, 2003 10:45 AM
> To: [EMAIL PROTECTED]
> Subject: Web Service Model - Security Issues
> 
> 
> Hi,
> I'm still quite new to all of this. But from what I understand, one of the
> main goals of using a Web Service Model is to essentially make its interface
> universal and accessible to anyone.
> How does one protect one's Web Service from malicious attacks? One that
> comes to mind and can be done quite easily is flooding a Web Service with
> SOAP calls. If the scope of the AXIS Web Service is per request, then the
> Web Service object is instantiated every time a SOAP call is made and can
> put quite a load or even crash the server that is hosting the Web Service?
> Regards,
> Nicolas Dinh
> 
> 
> 
> 

