
We have a web service that we want to protect against malicious attacks that make lots of requests to effectively get all the data out of it.

We have some level of protection with tokens that are signed and exchanged, but a determined attacker could get these tokens and replay them on requests to our web service.

So I'm thinking the only protection is at the server level. One thought was to implement a request threshold in a specific time interval, then block for a duration of time that grows if subsequent requests are made during the blackout period. After repeated attempts, completely blacklist.

However, I hate the idea of custom rolling our own solution and even using IPs at all since one bad user behind a proxy gets everyone else behind that proxy blocked.

What are the best practices for protecting a web service?

Update: To clarify, this is a general question about protecting a web service against mass harvesting of data.

TMC
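The threshold-then-growing-blackout scheme sketched in the question, as an added Python example that is not from the question or any answer. The class name, the parameters, the doubling schedule and the choice to key on an opaque session/token id rather than a source IP (the proxy concern raised above) are assumptions.

```python
import time
from collections import deque

class EscalatingLimiter:
    """Per-client request threshold, growing blackout, then blacklist.
    Keyed by an opaque client key (session/token id) rather than source IP,
    so one abuser behind a shared proxy does not block its other users.
    Strikes never decay here; a real deployment would expire them."""

    def __init__(self, max_requests, window, base_block, max_strikes,
                 clock=time.monotonic):
        self.max_requests = max_requests  # requests allowed per window
        self.window = window              # sliding window, seconds
        self.base_block = base_block      # first blackout length, seconds
        self.max_strikes = max_strikes    # blackouts before permanent ban
        self.clock = clock                # injectable for deterministic tests
        self._hits = {}                   # key -> timestamps inside the window
        self._blocked_until = {}          # key -> when the blackout ends
        self._strikes = {}                # key -> blackouts incurred so far
        self.blacklist = set()

    def allow(self, key):
        now = self.clock()
        if key in self.blacklist:
            return False
        if now < self._blocked_until.get(key, 0.0):
            self._escalate(key, now)      # request during blackout: grow it
            return False
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] > self.window:
            hits.popleft()                # forget requests outside the window
        hits.append(now)
        if len(hits) > self.max_requests:
            hits.clear()
            self._escalate(key, now)      # threshold exceeded: start blackout
            return False
        return True

    def blocked_for(self, key):
        # seconds of blackout remaining for key (0.0 if not blocked)
        return max(0.0, self._blocked_until.get(key, 0.0) - self.clock())

    def _escalate(self, key, now):
        strikes = self._strikes[key] = self._strikes.get(key, 0) + 1
        if strikes >= self.max_strikes:
            self.blacklist.add(key)       # repeated attempts: permanent ban
            self._blocked_until.pop(key, None)
        else:                             # blackout doubles with each strike
            self._blocked_until[key] = now + self.base_block * 2 ** (strikes - 1)
```

Every refusal during a blackout counts as a strike, exactly as the question describes, so an honest client that retries blindly during the block will also be banned; a retry-after hint in the refusal response is the usual way to keep such clients out of that path.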

2 Answers


There are several solutions out there, but this one is nice and secure, IMO. Use an X.509 certificate in SOAP headers for authentication at the message level. Here are a few links on the subject:

http://msdn.microsoft.com/en-us/library/ff648643.aspx

http://msdn.microsoft.com/en-us/library/ff648129.aspx

http://www.aspfree.com/c/a/VB.NET/Securing-Web-Services-with-X509-Certificates/

How can I configure WCF to use x509 certificates over the internet?

Kon
  • I'm confused on how certificates would provide protection. Couldn't a malicious client pose as a legit client and just replay the keys to do the attack? – TMC Apr 12 '11 at 07:40
  • The client has to authenticate each message with a certificate. It's pretty damn hard to "fake" a certificate. :) – Kon Apr 12 '11 at 12:19
  • Still not following. How can an x509 cert secure this? If you trust a client and provision it a certificate to use in subsequent interactions, an attacker can take apart the app to get the cert and use it in another non-sanctioned scenario. IOW, doesn't the x509 cert approach only work if you can secure the cert/keys in something like a TPM on the client? – TMC Apr 16 '11 at 08:31
  • Obviously if the attacker gets a hold of the app and its underlying code, then you're S.O.L. Cert authentication on the message level is meant to protect the message from being intercepted and decoded. – Kon Apr 16 '11 at 11:57
  • Based on my original question, having a cert and trusted client aren't reasonable assumptions. – TMC Apr 16 '11 at 20:59
  • There are no assumptions. If you have a real question with a real problem, then this is one suggested solution. Take it or leave it. – Kon Apr 16 '11 at 21:52
  • Exactly. My comment was added because I down voted it and was giving a reason why. – TMC Apr 18 '11 at 01:18
  • So you down voted a valid solution to your problem? That makes no sense - I can understand if, for whatever reason, you don't feel like taking this path in resolving your problem. But a down vote seems unreasonable to me. Whatever, I won't cry over it, but you're not going to get much help on this site with that attitude. – Kon Apr 18 '11 at 12:20

You don't tell us much about the data/service, but I once worked on the design of a system that would detect attacks by looking at patterns of the queries.

dj_segfault