In a way, yes, but if Synapse is much more scalable than the web service server, it
will be harder to DoS attack the web services infrastructure than exposing
itself to the outside.

Thanks,
Ruwan

On Sun, Mar 22, 2009 at 10:43 PM, Simon Echle <[email protected]> wrote:

> Thanks for your suggestions! I will have a look at these mediators and
> how I could use them. But isn't the DoS attack only shifted to the
> Synapse mediator then?
>
>
> Regards Simon
>
>
> On So, 2009-03-22 at 22:23 +0530, Ruwan Linton wrote:
> > Interesting, this can be done with Synapse and a one suggestion;
> >
> > You could use the throttle mediator and/or cache mediator to prevent the
> > actual web service with the DoS attacks, by throttling the access to the
> > web service using the throttle mediator and you could use the cache
> > mediator to serve from the cache for equivalent messages within the
> > synapse layer itself without hitting the actual service. (Cache mediator
> > is going to work iff the service response completely depends on the
> > request message and not with any other parameters like time and so on)
> >
> > This might also be a good way of preventing the actual service.
> >
> > Thanks,
> > Ruwan
> >
> > On Sun, Mar 22, 2009 at 9:12 PM, Simon Echle <[email protected]> wrote:
> >
> > > > Interestingly, even Axis2 itself is not immune. See [1] for an issue
> > > > that has been discovered yesterday.
> > > >
> > > > Is your project/thesis more focused on detecting security issues and
> > > > fixing them or on protecting existing Web services with potentially
> > > > known security issues?
> > > >
> > > > Andreas
> > > >
> > > > [1] https://issues.apache.org/jira/browse/AXIS2-4279
> > >
> > > Hi,
> > >
> > > it is definitely more focused on protecting existing Web services
> > > against known attacks. Nevertheless one interesting part is how to
> > > handle new upcoming attacks and again the solution of securing the
> > > application layer outside the application (with Synapse in my case)
> > > comes up with some obvious advantages, like you do not have to change or
> > > know a single line of code of the service.
> > >
> > >
> > > Simon
> > >
> > >
> >
> >
>
>


-- 
Ruwan Linton
Senior Software Engineer & Product Manager; WSO2 ESB; http://wso2.org/esb
WSO2 Inc.; http://wso2.org
email: [email protected]; cell: +94 77 341 3097
blog: http://ruwansblog.blogspot.com
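
The throttle-plus-cache arrangement suggested in the thread, as an added Python model (not Synapse code or configuration, and not written by anyone in the thread). The class and function names, the per-caller limit, the caller address and the request bodies are assumptions constructed for illustration.

```python
import hashlib
import time

class MediationLayer:
    """Hypothetical stand-in for a mediation layer placed in front of a web service."""
    def __init__(self, backend, max_requests, window_seconds, cache_ttl, clock=time.monotonic):
        self.backend = backend            # callable that represents the real service
        self.max_requests = max_requests  # forwarded requests allowed per caller per window
        self.window = window_seconds
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.hits = {}                    # caller -> timestamps of forwarded requests
        self.cache = {}                   # request digest -> (expiry, response)

    def handle(self, caller, body):
        now = self.clock()
        # Cache step: only valid when the response depends solely on the request body.
        key = hashlib.sha256(body).hexdigest()
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return "cache", cached[1]
        # Throttle step: sliding window over requests that would reach the backend.
        recent = [t for t in self.hits.get(caller, []) if now - t < self.window]
        self.hits[caller] = recent
        if len(recent) >= self.max_requests:
            return "throttled", None
        recent.append(now)
        response = self.backend(body)
        self.cache[key] = (now + self.cache_ttl, response)
        return "backend", response

def simulate(bodies, max_requests=5):
    """Replay a constructed burst (one request per millisecond) from a single caller."""
    calls = []
    def backend(body):
        calls.append(body)
        return b"result for " + body
    tick = [0.0]
    layer = MediationLayer(backend, max_requests, 1.0, 30.0, clock=lambda: tick[0])
    outcomes = {"backend": 0, "cache": 0, "throttled": 0}
    for body in bodies:
        tick[0] += 0.001
        outcomes[layer.handle("10.0.0.7", body)[0]] += 1
    return outcomes, len(calls)

if __name__ == "__main__":
    print(simulate([b"<getQuote>IBM</getQuote>"] * 100))                  # identical requests
    print(simulate([b"<getQuote>%d</getQuote>" % i for i in range(100)]))  # distinct requests
```

Identical requests are absorbed by the cache, while distinct requests never hit it and are bounded only by the throttle; the mediation layer itself still processes every request in both cases.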