Hi Simon,

Sorry for the late response :-)

I think the best option for this particular case is to use a custom mediator or a script to check a threshold of the message size and the schema for general malicious messages using a Java class mediator. So you could configure this mediator to give two threshold values, one for the message size and the other for the maximum number of child nodes that a particular message can have. If we think about the depth of the message, even for that you may give a threshold, so that this mediator drops the message if the child depth is greater than the threshold value.

Please note that this affects the performance of the normal case as well coz each and every message goes through this particular mediator.

Further, you could put this mediator in a sequence named "pre-mediate" along with any DOS attack detection mediators like throttle and cache, so that these will be executed even before the mediation starts within synapse, regardless of whether a particular message is coming to the main sequence or to a specific proxy service.

Thanks,
Ruwan

On Tue, Mar 24, 2009 at 7:48 PM, Simon Echle <[email protected]> wrote:

> Hey all,
>
> We talked about preventing from Denial of Service attacks with the
> throttle and cache mediator. This is a good way to prevent against such
> DOS-Attacks that are based on sending a whole lot of requests and
> blocking the service in this way.
>
> But what about attacks that are based on malicious single messages to
> block the service. For example "Recursive Payload" attacks or "Oversize
> Payload" attacks.
>
> Let's say we are receiving a request which contains a 10000 times nested
> SOAP Message. When our service tries to parse that it is its direct way
> to the nirvana ...
>
> My first idea: Let's validate the incoming messages against an XML Schema
> file.
> Now the key question here is: How is the validate Mediator implemented
> internally? Or to be more precise: Does it use a DOM-Parsing Model or a
> SAX-Parsing Model to validate?
>
> Somebody knows that?
>
> Short Explanation: If it uses a DOM-Parsing Model it is vulnerable to
> DOS-attack itself, because it has to parse the whole XML-Tree into the
> data structure before it can use it. The SAX-Parsing model is not
> vulnerable to DOS-attacks, on the flipside its usage is not really
> convenient.
>
>
> Somebody has other ideas how to protect against "Recursive Payloads" and
> "Oversize Payloads"?
>
>
> /Simon
>
>

--
Ruwan Linton
Senior Software Engineer & Product Manager; WSO2 ESB; http://wso2.org/esb
WSO2 Inc.; http://wso2.org
email: [email protected]; cell: +94 77 341 3097
blog: http://ruwansblog.blogspot.com
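
The threshold check suggested in the reply above, sketched as an added example that is not code from this thread or from Synapse: it streams the message with StAX instead of building a DOM tree and stops as soon as a size, element-count or depth limit is crossed. The class name `PayloadGuard`, the threshold values and the reading of "number of child nodes" as total element count are assumptions, the wiring into a class mediator is not shown, and `String.repeat` needs Java 11 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.*;

public class PayloadGuard {
    // Hypothetical thresholds; tune them per service.
    static final long MAX_BYTES = 64 * 1024;
    static final int MAX_ELEMENTS = 5_000, MAX_DEPTH = 32;

    /** Returns null when the message is within limits, otherwise the reason to drop it. */
    static String check(InputStream raw) {
        // Count bytes as the parser pulls them, so an oversize body is cut off early.
        InputStream limited = new FilterInputStream(raw) {
            long seen;
            @Override public int read() throws IOException {
                byte[] one = new byte[1];
                return read(one, 0, 1) < 0 ? -1 : one[0] & 0xff;
            }
            @Override public int read(byte[] buf, int off, int len) throws IOException {
                int n = super.read(buf, off, len);
                if (n > 0 && (seen += n) > MAX_BYTES) throw new IOException("size limit exceeded");
                return n;
            }
        };
        // Do not process DTDs or external entities while checking the structure.
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        try {
            XMLStreamReader r = factory.createXMLStreamReader(limited);
            int depth = 0, elements = 0;
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.END_ELEMENT) depth--;
                if (ev != XMLStreamConstants.START_ELEMENT) continue;
                if (++elements > MAX_ELEMENTS) return "too many elements";
                if (++depth > MAX_DEPTH) return "nesting too deep";
            }
            return null;
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        // Constructed inputs: a small envelope and a 10000-times nested message.
        String[] msgs = {"<Envelope><Body><ping/></Body></Envelope>", "<a>".repeat(10_000) + "</a>".repeat(10_000)};
        for (String m : msgs) System.out.println(check(new ByteArrayInputStream(m.getBytes(StandardCharsets.UTF_8))));
    }
}
```

Because the check consumes the stream, a caller that still needs the body afterwards has to buffer it up to `MAX_BYTES` first or run the check on a copy.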
