on 09-19-2012 4:04 PM
Hello,
is there a possibility to protect a Webservice/SOAP sender adapter against DDOS attacks?
For example to limit the number of access per receiver?
Is there a technical parameter etc. available in PI?
Thanks in advance,
André
Hi Andre,
there is the parameter -
MaxRequestContentLength
See the CSS note -
1031733 Http transmission of XI messages with huge payload fails
Regards
Kenny
Hi André,
My understanding is that there isn't such a parameter. If there was, I'm not sure it would be much use, as the ICM can't determine which requests are from legitimate senders. If the 'number of requests/time period' parameter's maximum value was reached, then what action could it take?
The following online help page may be useful:
Specifying the Maximum Server Threads Acquired by Different Web Resources
DoS attack preventive measures are better configured at the firewall.
Regards
Kenny
Hi André,
I haven't seen any such parameter in PI to restrict the number of calls or to intelligently categorize a genuine call v/s a DDoS attack. The only minor provision I see is that in order to call soap sender, the external application should have authorization (username/password) to post data to PI.
DDoS are usually tackled at the network level and I am not sure if applications should have that capability.
Regards,
Prateek Raj Srivastava
Thanks Prateek for clarification.
User/PW with SSL or SAML would be a good starter for B2B webservices.
But for public webservices we have the risk to be a victim of those mass attacks.
OK, it should be the responsibility of the IT/Basis/Network team to detect such an attack and block IPs etc...
Any further recommendation is highly appreciated.
Thanks again,
André
>Any further recommendation is highly appreciated.
Your network team can follow some procedures to avoid these types of attacks. They can configure routers in such a way as to avoid bulk messages in a short span of time from the same IP address, or to avoid redirecting or forwarding the messages to other servers, and so on. You might want to check this link
Plus you are handling via web service not website. Web service is secured to process only the required operation unlike allowing navigation across web pages on the website.
I don't think we have any such option, but you can control the number of requests at the sender application. Ask the sender application team to send requests to PI as per your need, but it should not impact business.