1. Field of the Invention
The present invention relates generally to the security of software systems, and more particularly to a system, method, and software for protecting a computer system and network against XML denial of service attacks and the like.
2. Discussion of the Background
Web services have evolved over time by exposing underlying applications so that they can interact with their peers over any transport protocol, such as Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), etc. Simple Object Access Protocol (SOAP) describes how XML messages can be wrapped in a SOAP envelope so that service consumers and providers can communicate successfully irrespective of the underlying implementation. In the normal scenario SOAP is sent over HTTP, a well-known web protocol. Over the years, well-established security mechanisms, such as Secure Sockets Layer (SSL), along with encryption, decryption and digital certificates, have provided the much-needed security for HTTP-based applications. However, these mechanisms fail to provide security for SOAP, as SOAP messages can be sent over any transport protocol. SSL by its nature provides confidentiality and authentication over a single point-to-point HTTP session and not over a complete channel, whereas a SOAP message may be sent over HTTP in the first leg and over SMTP in the second. Hence, the need to secure the SOAP message directly, rather than relying on the transport layer to provide the security, led to standards such as XML-Signature, XML-Encryption and WS-Security. These standards provide message-level security irrespective of the transport protocol chosen to deliver the SOAP messages.
In most cases, SOAP messages are communicated from one application to another on behalf of some end user. Applications based on role-based access control require the user's credentials. When these applications were exposed as services, there was a requirement to send the end user's credentials (name/password) and any other credentials as part of the SOAP message. The Security Assertion Markup Language (SAML) standard addressed this requirement.
Since most of the applications exposed as services were behind the enterprise firewall, the need for firewalls to be SOAP-aware was evident. However, most firewalls allowed HTTP and email traffic, and since SOAP was frequently sent over HTTP, a SOAP message could carry anything and could successfully penetrate the enterprise firewall. XML firewalls helped in solving this issue by thorough content inspection of the SOAP payload, along with XML schema validation of the XML payload inside the SOAP body.
All of these security mechanisms help in preventing unauthorized and unauthenticated access to the services, but the security dimension does not end here. Denial of Service (DoS) is defined as “An explicit attempt by attackers to prevent legitimate users of a service from using that service.” Web services by nature explicitly advertise their interface to everyone through the Web Services Description Language (WSDL), making it easy for an attacker to mount a Denial of Service. XML Denial-of-Service (XDoS) is DoS specific to Web services, as the medium of communication is XML. XDoS can be achieved in any of the following ways:
By flooding the network with XML messages thereby not allowing legitimate network traffic.
By flooding the service with XML requests, thereby not allowing the service to process any other request.
By flooding the service with junk XML requests, thereby disrupting the service and making it unavailable for other legitimate users.
Further, as will be appreciated by a person skilled in the art, achieving adequate performance in a system that provides both content checking and source-based filtering remains a significant gap to fill. XML-aware hardware addresses the performance problems by providing basic XML validation and defense against XDoS. However, the cost of such a hardware-based system is considerable. Moreover, there is little scope to upgrade such a system over time, as XDoS is a constantly evolving attack mechanism. For a simple packet-based attack, bandwidth management and intelligent filtering provide the needed line of defense. However, these traditional security devices do not differentiate between good and bad XML. Moreover, IP-based source filtering does not suffice when the security credentials are set in the SOAP header, since a user can use different IPs at different times.
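As an added illustration of the two defensive ideas above (content checking of the XML payload, and source-based filtering keyed on the credential in the SOAP header rather than on the client IP), the following is example code written for this discussion; it is not the system claimed by this application or any product's code. It assumes a SOAP 1.1 envelope carrying a WS-Security UsernameToken (both namespace URIs are the real ones from those standards), and the thresholds (message size, nesting depth, element count, requests per window) are illustrative values chosen for the example. Rejecting any Document Type Declaration is consistent with SOAP 1.1, which forbids a DTD inside a SOAP message.

```python
"""Application-level XDoS guard: content checks plus identity-keyed rate limiting.

Example code for illustration only; thresholds and sample messages are constructed.
"""
from collections import deque
from io import BytesIO
from xml.etree import ElementTree as ET

# Real namespace URIs from SOAP 1.1 and WS-Security (UsernameToken profile).
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


class XdosGuard:
    """Cheap structural checks first, then a sliding-window rate limit per principal."""

    def __init__(self, max_bytes=64 * 1024, max_depth=32, max_elements=2000,
                 max_requests=5, window=1.0):
        self.max_bytes = max_bytes          # illustrative thresholds, not a standard
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.max_requests = max_requests
        self.window = window                # seconds
        self._history = {}                  # principal -> deque of request timestamps

    def inspect(self, raw: bytes) -> str:
        """Return a rejection reason, or '' if the payload passes the content checks."""
        if len(raw) > self.max_bytes:
            return "oversized"
        # SOAP 1.1 forbids a DTD; rejecting it also closes off entity-expansion bombs.
        if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
            return "dtd-not-allowed"
        depth = count = 0
        root_seen = False
        try:
            # Streaming parse so we can abort before building a huge tree.
            for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
                if event == "start":
                    if not root_seen:
                        root_seen = True
                        if elem.tag != f"{{{SOAP_ENV}}}Envelope":
                            return "not-soap-envelope"
                    depth += 1
                    count += 1
                    if depth > self.max_depth:
                        return "too-deep"
                    if count > self.max_elements:
                        return "too-many-elements"
                else:
                    depth -= 1
        except ET.ParseError:
            return "malformed-xml"
        return ""

    def principal(self, raw: bytes, source_ip: str) -> str:
        """Key on the WS-Security username when present; fall back to the source IP."""
        root = ET.fromstring(raw)  # already validated by inspect()
        path = (f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/"
                f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
        user = root.find(path)
        if user is not None and user.text and user.text.strip():
            return "user:" + user.text.strip()
        return "ip:" + source_ip

    def allow(self, principal: str, now: float) -> bool:
        """Sliding-window limiter: at most max_requests per principal per window."""
        q = self._history.setdefault(principal, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def handle(self, raw: bytes, source_ip: str, now: float):
        """Full decision: ('accept', principal) or ('reject', reason)."""
        reason = self.inspect(raw)
        if reason:
            return ("reject", reason)
        who = self.principal(raw, source_ip)
        if not self.allow(who, now):
            return ("reject", "rate-limited:" + who)
        return ("accept", who)


def soap_request(username: str, body_xml: str) -> bytes:
    """Build a constructed SOAP 1.1 request with a UsernameToken header (sample data)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:wsse="{WSSE}">'
        f"<soapenv:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{username}</wsse:Username></wsse:UsernameToken>"
        f"</wsse:Security></soapenv:Header>"
        f"<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>"
    ).encode()


if __name__ == "__main__":
    guard = XdosGuard(max_requests=3, window=1.0)
    good = soap_request("alice", "<GetQuote><Symbol>ACME</Symbol></GetQuote>")
    for t in (0.0, 0.1, 0.2, 0.3):
        print(t, guard.handle(good, "10.0.0.1", t))
    print(guard.handle(soap_request("bob", "<a>" * 40 + "x" + "</a>" * 40), "10.0.0.2", 0.0))
```

Because the limiter is keyed on the credential carried in the SOAP header, a flood that rotates source addresses but reuses one set of credentials is still throttled, while the structural checks reject oversized, over-nested or DTD-bearing junk before any application logic runs.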
Therefore, there is a need for a system and method that address these issues and detect and prevent XDoS attacks by providing a framework over and above the existing security infrastructure, at the application level.