Assessing the security of web service frameworks against Denial of Service attacks

Web services frequently provide business-critical functionality over the Internet, being widely exposed and thus representing an attractive target for security attacks. In particular, Denial of Service (DoS) attacks may inflict severe damage to web service providers, including financial and reputation losses. This way, it is vital that the software supporting services deployment (i.e., the web service framework) is able to provide a secure environment, so that the services can be delivered even when facing attacks. In this paper, we present an experimental approach that allows understanding how well a given web service framework is prepared to handle DoS attacks. The approach is based on a set of phases that include the execution of a large number of well-known DoS attacks against a target framework and the classification of the observed behavior. Results show that four out of the six frameworks tested are vulnerable to at least one type of DoS attack, and indicate that even very popular platforms require urgent security improvements.