
Re: [Bug 11] Protection against XML Denial Of Service attacks

From: Cullen Jennings <fluffy@cisco.com>
Date: Tue, 13 Dec 2005 16:00:23 -0800
To: Lisa Dusseault <lisa@osafoundation.org>, Julian Reschke <julian.reschke@gmx.de>
CC: WebDav <w3c-dist-auth@w3.org>
Message-ID: <BFC4A097.653AB%fluffy@cisco.com>

On 12/1/05 10:58 AM, "Lisa Dusseault" <lisa@osafoundation.org> wrote:

>> We discussed this during the conference call: 5xx is a server error,
>> in particular 503 means "not now but maybe later". If a server detects
>> a DOS attack, that's the last thing it would want to tell the client.

Hmm, there might be some places you want this. This is not a Chair comment -
just take it as a random individual comment.

Imagine you had, say, 40,000 phones that all got their config information over
DAV in some enterprise. And when the building power cycles, they all go and
hit the server at the same time. I call this a Start of Service attack (SOS)
but it is a lot like DDOS from the server's point of view. Some other protocols
have found that returning a 5xx with a Retry-After time is very useful here.
The retry time can be adjusted based on the depth of the queue in the server
and the length of time the server has been in an overload state to push
the retries out to a point where the server has a chance of processing them
instead of just sending the 503. The load balancer can realize the servers
are overloaded and switch traffic to servers that can send the 503 at
extremely high rates.

There are also systems built to deal with very large DDOS attacks that do
things like the following. Imagine that an ISP has a client with a server with
address X. The server tells the ISP that the server is under DDOS attack.
The ISP has a system that "steals" address X and routes all traffic to that
system. The first thing it does with any request is do some bounce back,
such as a 503 with a retry after 0 seconds; if the client retries again, at
least the client is doing some work. This often helps differentiate good
clients from DDOS attackers. Then the ISP system forwards the request down to
the original server but keeps track of where the requests are coming from.
Now the ISP can see that 90% of the requests are coming into its network
from one particular other AS. The ISP can rate limit down the requests from
the one AS at the edge of the ISP and it can allow the other requests from all
the other ASes to not be rate limited. This allows valid clients that are
coming from different ASes to not be affected, and clients in the same AS as
the attacker to be severely rate limited. It takes advantage of the 5xx to
verify that there is a valid client at the sender of a request. This
approach has been used to stop some very large scale DDOS attacks on large
web sites. It works well for HTTP.

Anyways, other protocols have found 5xx with Retry-After one of the best ways
to handle temporary overload on the servers. I agree, if you know
something is a DOS attack, the best thing might be not to respond but it is
very difficult to distinguish which particular request during a DDOS attack
is a bad one and which is good.

Cullen (not as chair)
Received on Wednesday, 14 December 2005 00:00:36 UTC
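
Added example, not part of the original message or of any WebDAV implementation: a small simulation of the 40,000-phone restart described above, where the server answers overflow requests with 503 and a Retry-After computed from queue depth and time spent in overload. The formula, the jitter, the function names and all rates and limits are assumptions chosen for illustration, and clients are assumed to honor Retry-After.

```python
import random
from collections import Counter

def retry_after(queue_depth, service_rate, overload_secs, cap=600, rng=random):
    """Seconds to put in Retry-After on a 503 (formula is an assumption)."""
    drain = queue_depth / service_rate            # time to clear current backlog
    growth = min(1 + overload_secs / 30.0, 8.0)   # longer overload -> push retries further out
    window = max(1.0, drain * growth)
    # Jitter over [window, 2*window) so rejected clients do not return in one wave.
    return min(cap, int(window + rng.uniform(0, window)) + 1)

def simulate(clients=40000, service_rate=200, queue_limit=1000, seed=1):
    """All clients hit at t=0 (constructed scenario). Returns (seconds until
    all served, largest number of requests arriving in any later second)."""
    rng = random.Random(seed)
    arrivals = Counter({0: clients})
    queue = served = t = peak_retry_wave = 0
    overload_start = None
    while served < clients:
        n = arrivals.pop(t, 0)
        if t > 0:
            peak_retry_wave = max(peak_retry_wave, n)
        accepted = min(n, queue_limit - queue)
        queue += accepted
        rejected = n - accepted                    # these get 503 + Retry-After
        if rejected and overload_start is None:
            overload_start = t
        for _ in range(rejected):
            delay = retry_after(queue, service_rate, t - overload_start, rng=rng)
            arrivals[t + delay] += 1
        done = min(queue, service_rate)
        queue -= done
        served += done
        if not rejected and queue == 0:
            overload_start = None                  # overload is over
        t += 1
    return t, peak_retry_wave

if __name__ == "__main__":
    secs, peak = simulate()
    print(f"all clients served after {secs}s; largest retry wave {peak} requests/s")
```

The second return value shows how far the initial burst has been flattened: the server never again sees anything close to the 40,000 simultaneous requests of the first second.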
