OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] SAML 2.0 DOS attacks


> Namely, how can and IdP protect against DOS attacks, by 
> restricting allowed authentication requests from certain 
> SP's, when an attacker can easily spoof IP addresses? -- i.e. 
> is there another way, to limit the set of SP's that can 
> initiate user authentication with the IdP?

You could use a local or intermediate packet filter whose policy
restricts access to the IdP from trusted IPs.

An attacker who spoofs a trusted IP address isn't able to mount the more
computationally expensive attacks (eg. TLS-based ones) because the TCP
handshake won't (or shouldn't) complete.

josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]