
protect Webservices against DDOS attacks

former_member110533
Participant
0 Kudos

Hello,

is there a possibility to protect a Webservice/SOAP sender adapter against DDOS attacks?

For example to limit the number of access per receiver?

Is there a technical parameter etc. available in PI?

Thanks in advance,

André

Accepted Solutions (0)

Answers (3)


kenny_scott
Contributor
0 Kudos

Hi Andre,

there is the parameter -

   MaxRequestContentLength

See the CSS note -

 

1031733 Http transmission of XI messages with huge payload fails

Regards

Kenny

former_member110533
Participant
0 Kudos

Hi Kenny,

thanks for that hint.

The note is about the parameter for the "maximum size of a request content length".

In addition, is there also a parameter for the maximum number of requests per time unit?

Cheers,

André

kenny_scott
Contributor
0 Kudos

Hi André,

My understanding is that there isn't such a parameter. If there was, I'm not sure it would be much use, as the ICM can't determine which requests are from legitimate senders. If the 'number of requests/time period' parameter's maximum value was reached, then what action could it take?

The following online help page may be useful:

Specifying the Maximum Server Threads Acquired by Different Web Resources


DoS attack preventive measures are better configured at the firewall.

Regards

   Kenny

prateek
Active Contributor
0 Kudos

Hi André,

I haven't seen any such parameter in PI to restrict the number of calls or to intelligently categorize a genuine call vs. a DDoS attack. The only minor provision I see is that in order to call the SOAP sender, the external application should have authorization (username/password) to post data to PI.

DDoS are usually tackled at the network level and I am not sure if applications should have that capability.

Regards,

Prateek Raj Srivastava

former_member110533
Participant
0 Kudos

Thanks Prateek for clarification.

User/PW with SSL or SAML would be a good starter for B2B webservices.

But for public webservices we have the risk to be a victim of those mass attacks.

Ok, should be responsibility of IT/Basis/Network team to detect such attack and block IPs etc...

Any further recommendation is highly appreciated.

Thanks again,

André

baskar_gopalakrishnan2
Active Contributor
0 Kudos

>Any further recommendation is highly appreciated.

Your network team can follow some procedures to avoid these types of attacks. They can configure routers in such a way as to avoid bulk messages in a short span of time from the same IP address, or to avoid redirecting or forwarding the messages to other servers, and so on. You might want to check this link

http://securitymole.wordpress.com/2011/01/28/can-anyone-prevent-a-ddos-attack-bringing-their-systems...

Plus you are handling via web service not website. Web service is secured to process only the required operation unlike allowing navigation across web pages on the website.
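The two controls discussed in this thread (a cap on request size and a cap on requests per time unit from one source address), sketched as an added example that is not part of any reply above and is not SAP PI or ICM code. The class name, thresholds and sample traffic are assumptions made for illustration; a filter like this would sit in a proxy or firewall in front of the SOAP sender adapter.

```python
from collections import defaultdict, deque

MAX_CONTENT_LENGTH = 1_000_000  # assumed size cap in bytes
MAX_REQUESTS = 5                # assumed requests allowed per source per window
WINDOW_SECONDS = 10.0           # assumed window length


class SourceLimiter:
    """Sliding-window request counter keyed by source IP (hypothetical helper)."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS,
                 max_length=MAX_CONTENT_LENGTH):
        self.max_requests = max_requests
        self.window = window
        self.max_length = max_length
        self._seen = defaultdict(deque)  # source IP -> timestamps of accepted requests

    def check(self, source_ip, content_length, now):
        """Return the HTTP status a front-end filter would answer with."""
        if content_length > self.max_length:
            return 413  # oversized payload, rejected before any parsing
        stamps = self._seen[source_ip]
        # Forget accepted requests that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_requests:
            return 429  # this source has used up its budget for the window
        stamps.append(now)
        return 200


def replay(events, limiter=None):
    """Run (timestamp, source_ip, content_length) tuples through a limiter."""
    limiter = limiter or SourceLimiter()
    return [(ip, limiter.check(ip, size, ts)) for ts, ip, size in events]


# Constructed sample traffic using documentation-range addresses, not real data.
SAMPLE = (
    [(float(i), "198.51.100.7", 2_000) for i in range(8)]  # burst from one source
    + [(3.0, "203.0.113.20", 2_000)]                       # ordinary partner call
    + [(4.0, "203.0.113.20", 5_000_000)]                   # oversized payload
    + [(20.0, "198.51.100.7", 2_000)]                      # same source after the window
)

if __name__ == "__main__":
    for ip, status in replay(SAMPLE):
        print(ip, status)
```

A per-source limit like this only bounds individual senders; traffic spread across many addresses still has to be absorbed upstream, which is why the replies point to the network layer.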

rajasekhar_reddy14
Active Contributor
0 Kudos

I don't think we have any such option, but you can control the number of requests at the sender application. Ask the sender application team to send requests to PI as per your need, but it should not impact business.

prateek
Active Contributor
0 Kudos

Raja, the question was about DDoS attack and not traffic from sender application.