XML Flooding

From WS-Attacks
(Redirected from Distributed XML Flooding)
Jump to: navigation, search

Attack description

XML Flooding aims at exhausting the resources of a web service by sending a large number of legitimate SOAP Messages. This attack can be compared to the classical denial of service attack on web servers by flooding them with a large amount of valid HTTP requests until the server is unable to respond.

The attack is also known under the name XML Flood.

Attack subtypes

One can distinguish between 2 attack subtypes:

  1. Single XML Flooding
    In this scenario all requests originate from one attacker. This attack can be defended easily.
  2. Distributed XML Flooding
    In this scenario many different web service clients make requests at the same time. Usually these clients are controlled by the attacker. Defending against this attack is still not possible.

Prerequisites for attack

In order for this attack to work the attack has to have knowledge about the following things:

  1. Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
  2. Attacker can reach endpoint from its location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company, this attack is limited.

Graphical representation of attack

In this attack there is no component in the web service architecture that is specifically attacked. The web service server is attacked as a whole. AttackedComponent None.png

Attack example

The Figure 1 shows an example of Single XML Flooding where one attacker sends as many request as possible to the attacked web service.

Single XML Flood.png

Figure 2: Single XML Flooding example

Figure 3 shows an Distributed XML Flooding attack where various intermediary clients, controlled by an attacker, send requests to the victim.

Distributed XML Flood.png

Figure 3: Distributed XML Flooding example

Attack mitigation / countermeasures

When talking about countermeasures you have to distinguish between the 2 subtypes.

  • Single XML Flooding can be defended easily by limiting the number of requests per IP address in a given time frame. The maximum number of requests per IP address per time frame is dependent on the type of deployed web service and the type of hardware the application is running on. When running a web service giving out the local temperature, one request per minute per IP address should be sufficient.
  • Distributed XML Flooding can't be defended today. Even though certain approaches exist to fight this attack it's not possible to prevent the attack from happening. An simple solution used by big companies today is to use servers with a sufficient overcapacity. Attacks up to a certain size can then be handled successfully. Another approach that can handle attacks up to a certain size is the use of cloud computing. When under attack the web service just allocates more server resources to keep running.

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.

Categorisation by number of involved parties

The "Single XML Flooding" attack is categorised as follows:

The "Distributed XML Flooding" attack is categorised as follows:

Categorisation by attacked component in web service architecture

Categorisation by attack spreading


  1. Alex Stamos. Attacking web services. http://www.owasp.org/index.php/File:AppSec2005DC-Alex_Stamos-Attacking_Web_Services.ppt, October 2005. Slides OWASP AppSec DC 2005, Accessed 01 July 2010.
  2. Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.