Subject: RE: [saml-dev] SAML 2.0 DOS attacks
I haven’t done any deep research on responding to DOS attacks at a SAML IdP so take some of this with a grain of salt, but some of the SAML related kinds of things I think might be useful could include:

· Validate that the incoming request is reasonably sized *before* handing it to any parsing module. One of the easiest DOS attacks is to send large XML messages that get parsed before validation. A reasonably sized AuthnRequest is pretty small.

· Validate the SPProviderID is one of the SPs with which the IdP is willing to federate (e.g. is in the circle of trust) before doing anything else with the message.

· Give scheduling preference to incoming requests that come with session information from the IdP (e.g. they are associated with an existing session at the IdP via some cookie you stored in the browser); these are less likely to be part of the DOS attack.

· If the threat level is increasing at the IdP (e.g. your processing load at the IdP is getting near DOS stage) you might want to prompt for successful user authentication prior to signing the message and possibly even prior to parsing the incoming request as the validation of the credential could be a much lower cost request/response than dealing with. I wouldn’t do this as a normal course of business as it could result in less than optimal user experience, but it may be a good reaction to a concerted attack that will allow you to still give a reasonable level of service to the users who can authenticate.

And, of course, there’s all the standard DOS prevention techniques you can use that are not SAML specific (rate limiting, etc.).

Conor

From: giorgi moniava [mailto:giorgimoniava@yahoo.com]

Hello.

I would like to ask one question if possible. Namely, how can an IdP protect against DOS attacks, by restricting allowed authentication requests from certain SP's, when an attacker can easily spoof IP addresses? -- i.e. is there another way, to limit the set of SP's that can initiate user authentication with the IdP? (I don't look at the cases when one can use IPSec, in order to prevent spoofing IP addresses -- that's one answer I guess, but I wonder if there are other ways as well).

Kind Regards,
Giorgi.
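
The pre-parse checks listed in the reply above (size limit, circle-of-trust check, scheduling preference for requests with an IdP session), sketched as an added example that is not part of either message or of any IdP product. It assumes the HTTP-Redirect binding (raw DEFLATE plus base64) and that the SP identifier is the SAML 2.0 `<saml:Issuer>` value; the size limits, the trusted SP entity ID and the queue names are constructed for illustration.

```python
import base64
import binascii
import zlib
import xml.etree.ElementTree as ET

MAX_ENCODED = 8 * 1024   # assumed cap on the base64 SAMLRequest value
MAX_XML = 16 * 1024      # assumed cap on the inflated AuthnRequest
TRUSTED_SPS = {"https://sp.example.org/metadata"}  # constructed circle of trust
ISSUER = "{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"


def encode_redirect(xml: bytes) -> str:
    """Build a constructed SAMLRequest value: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()


def precheck(saml_request: str, has_idp_session: bool) -> tuple:
    """Return (accepted, reason or queue name) without doing any crypto."""
    # 1. Size check on the raw parameter, before decoding or parsing.
    if len(saml_request) > MAX_ENCODED:
        return False, "encoded request too large"
    try:
        deflated = base64.b64decode(saml_request, validate=True)
        # 2. Bounded inflate: never produce more than MAX_XML bytes.
        inflater = zlib.decompressobj(-15)
        xml = inflater.decompress(deflated, MAX_XML)
    except (binascii.Error, ValueError, zlib.error):
        return False, "malformed encoding"
    if not inflater.eof:
        return False, "inflated request over limit or truncated"
    # 3. SAML messages carry no DTD; refuse before the XML parser sees one.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return False, "not well-formed XML"
    # 4. Circle-of-trust check on the claimed SP before any further work.
    issuer = (root.findtext(ISSUER) or "").strip()
    if issuer not in TRUSTED_SPS:
        return False, "unknown SP"
    # 5. Requests tied to an existing IdP session are scheduled first.
    return True, "priority" if has_idp_session else "normal"


SAMPLE = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">'
          b'<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>'
          b'</samlp:AuthnRequest>')  # constructed sample
```

The Issuer value here is only a cheap filter on what the message claims; signature verification against the SP's metadata still has to follow for requests that pass.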