Latest revision as of 11:26, 31 October 2015

Attack description

NOTE: Attack description is copied from [1]

BPEL Indiect Flooding utilizes the same methodology as presented in the previous section, but the target of the indirect flooding attack is different. The idea of this attack is to use the BPEL engine as an intermediary for an attack on a target system “behind” the BPEL engine. Imagine an architecture as shown in Fig. 2, and think of a BPEL process that repeatedly calls a Web Service provided by the attack target system, for example creating customer accounts with several details.

By flooding the process within the BPEL engine with instantiating attack messages (as shown in the previous section), the BPEL engine will undergo a heavy load itself, but it will reflect an equally heavy load on the target system. Thus, if the target system is not as powerful as the BPEL engine, the backend system will suffer a loss of availability.

Using this attack method, the attacker bypasses any firewall on his direct link to the target system. Even if the target system is not connected to the outside world at all and only communicates with the BPEL engine, the backend system is exposed. Note that this attack method can not be mitigated against using WS-Security or similar approaches becuase the connection between BPEL engine and target system is used in a completely valid and trustful way.

Attack subtypes

There are no attack subtypes.

Prerequisites for attack

In order for this attack to work the attacker has to have knowledge about the following things:

1. Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
2. Attacker knows metadata such as WSDL file.
3. Attacker can reach endpoint from its location. Access to the attacked web service server is possible for the attacker. This prerequisite is important if the web service is only available to users within a certain network.

Graphic representation of attack

Graphic taken from [2]

Attack example

No attack example available/necessary.

Attack mitigation / countermeasures

Mitigating these attacks reuires identification and rejection of attack messages. The complication raised here is that the responsibility for attack prevention is at the BPEL engine, but the impact is on the target system. Thinking of a scenario where a BPEL engine and target system communicate over inter-corporate boundaries, this task may become a political rather than a technical problem. Further, as the workflow may spread over multiple systems hosted by multiple companies, an attack may propagate throughout the system, making it difficult to identify its real entry point.

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.

• Category:Attack_Categorisation_By_Violated_Security_Objective_Availability
• Category:Attack_Categorisation_By_Violated_Security_Objective

Categorisation by number of involved parties

• Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_1_-_1
• Category:Attack_Categorisation_By_Number_Of_Involved_Parties

Categorisation by attacked component in web service architecture

• Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Web_Service_Server
• Category:Attack_Categorisation_By_Attacked_Web_Service_Component

Categorisation by attack spreading

• Category:Attack_Categorisation_By_Attack_Spreading
• Category:Attack_Categorisation_By_Attack_Spreading:Application_Specific_Flaws

References

1. Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009. - [3]