Assessing the security of web service frameworks against Denial of Service attacks

Bibliographic Details
Published in The Journal of systems and software Vol. 109; pp. 18 - 31
Main Authors Oliveira, Rui André; Laranjeiro, Nuno; Vieira, Marco
Format Journal Article
Language English
Published New York Elsevier Inc 01.11.2015
Elsevier Sequoia S.A
Summary:
• An approach to test web service frameworks in the presence of security attacks.
• Disclosure of severe failures and dubious behaviors in attacked frameworks.
• Application of an easy technique for quantitative analysis of the impact of attacks.

Web services frequently provide business–critical functionality over the Internet, being widely exposed and thus representing an attractive target for security attacks. In particular, Denial of Service (DoS) attacks may inflict severe damage to web service providers, including financial and reputation losses. This way, it is vital that the software supporting services deployment (i.e., the web service framework) is able to provide a secure environment, so that the services can be delivered even when facing attacks. In this paper, we present an experimental approach that allows understanding how well a given web service framework is prepared to handle DoS attacks. The approach is based on a set of phases that include the execution of a large number of well-known DoS attacks against a target framework and the classification of the observed behavior. Results show that four out of the six frameworks tested are vulnerable to at least one type of DoS attack, and indicate that even very popular platforms require urgent security improvements.
ISSN: 0164-1212, 1873-1228
DOI: 10.1016/j.jss.2015.07.006