Subject: RE: Artifact binding -- Most effective binding against DOS attacks
In reality, I think that the artifact profile will have limited, if any, impact on DOS attacks. The IdP still has an AuthnRequest entry point for SSO requests and must process the request as necessary, and thus that interface could still be used for enabling a DOS attack by flooding the IdP with bazillions of AuthnRequests long before you ever get to the stage of artifact dereference. At first glance one might think that the artifact profile will save the IdP from having to generate the signed Assertion since attackers are not trusted SPs. However, a) in a DOS attack the IdP usually won't be generating an assertion anyway since the logins will typically fail, and b) if the attacker does have good credentials (so the IdP would end up creating a good authn session and have to generate assertions at some point), they could still get the assertions to be generated by doing an indirect DOS attack using a multitude of good SPs and driving the IdP attack through those SPs (the attacker essentially initiates Authn sessions at the SPs, causing the SPs to flood the IdP with AuthnRequests & artifact resolutions). So, from a DOS point of view, I think it doesn't make a difference. Of course, there are many other good reasons to use the artifact profile.

Conor

From: giorgi moniava [mailto:giorgimoniava@yahoo.com]
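The practical consequence of the argument above is that a flood is visible at the AuthnRequest entry point, not at the artifact-resolution endpoint, so that is where the IdP should be watching. The following is an added example, not code from the thread or from any IdP product: a sliding-window counter run over constructed IdP access-log lines. The log format and the endpoint paths are assumptions.

```python
"""Sliding-window flood detector for an IdP's SSO (AuthnRequest) entry point.

Added example; the log format and endpoint paths are assumptions, not a
real product's format. Every AuthnRequest costs the IdP work before any
artifact is ever resolved, so the detector counts hits on the SSO endpoint
regardless of HTTP status (failed and successful logins alike)."""
from collections import defaultdict, deque

SSO_ENDPOINT = "/idp/profile/SAML2/Redirect/SSO"           # assumed path
ARTIFACT_ENDPOINT = "/idp/profile/SAML2/SOAP/ArtifactResolution"  # assumed path

# Constructed sample log: "<epoch> <client> <endpoint> <status>".
# 198.51.100.7 sends 8 AuthnRequests in 8 seconds (mostly failed logins);
# 203.0.113.5 is a normal SP-driven login followed by artifact resolution.
SAMPLE_LOG = """\
1700000000 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 401
1700000001 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 401
1700000002 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 401
1700000003 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 401
1700000004 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 401
1700000005 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 401
1700000006 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 200
1700000007 198.51.100.7 /idp/profile/SAML2/Redirect/SSO 401
1700000003 203.0.113.5 /idp/profile/SAML2/Redirect/SSO 200
1700000004 203.0.113.5 /idp/profile/SAML2/SOAP/ArtifactResolution 200
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, path, status)."""
    ts, src, path, status = line.split()
    return int(ts), src, path, int(status)


def detect_floods(lines, window=10, threshold=5, endpoint=SSO_ENDPOINT):
    """Return {source: peak_count} for sources that exceed `threshold`
    requests to `endpoint` within any `window`-second span. Timestamps are
    assumed non-decreasing per source; other endpoints are ignored."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, path, _status = parse_line(line)
        if path != endpoint:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # evict hits older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks
```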