What is a Large Payload Post Attack?
A Large Payload Post is a class of HTTP DDoS attack in which the attacker abuses the XML encoding used by web servers. The attacker sends the web server a data structure encoded in XML; when the server attempts to decode it, it is forced to consume an excessive amount of memory, overwhelming the system and crashing the service.
These types of DDoS attacks are also referred to as "Oversize Payload Attacks" or "Jumbo Payload Attacks."
What Are the Signs of a Large Payload Post Attack?
Large Payload Post attacks occur when web services use a DOM parser to build an in-memory representation of the SOAP message. During this process, the SOAP message can double in size or, in some cases, grow as much as 30 times larger; the resulting large in-memory documents cause memory exhaustion. Variations of this attack place the over-sized content in the SOAP header, in the SOAP body, or in the SOAP envelope outside of both the header and the body.
Why Are Large Payload Post Attacks Dangerous?
Large Payload Post attacks are dangerous primarily because they are very simple to launch. Since attackers need only knowledge of the web service's endpoint and access to it, any reachable server presents a vulnerability that can be easily exploited.
How to Mitigate and Prevent a Large Payload Post Attack
The most effective way to prevent a Large Payload Post attack is simply to check the document size before parsing it. The maximum allowed document size depends on the type of web service the organization runs.
Another DDoS mitigation method for this attack is strict XML schema validation. Every WSDL should contain a comprehensive description of the elements, attributes, and data types it contains. Although strict schema validation requires considerable resources, it prevents the attack without limiting the document size.
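The two mitigations above, the pre-parse size check and a bound on what the parser is allowed to build in memory, can be combined in a small guard in front of the SOAP handler. The Python below is an added example written for this page, not code from any product or vendor the page describes. It checks the declared and actual body size before any parsing, then parses with the standard library's streaming `xml.etree.ElementTree.iterparse` instead of a DOM parser, enforcing nesting-depth and element-count limits as the document is read and clearing finished elements so memory stays close to the wire size rather than growing many times larger. The limits, the hypothetical `GetQuote` operation and the sample envelope are all constructed for illustration; full schema validation against the WSDL, as the text recommends, would need a schema-aware library such as lxml's `XMLSchema` and is not shown here.

```python
"""Size-gated, memory-bounded SOAP parsing (illustrative example, not production code).

Assumed limits: tune MAX_DOCUMENT_BYTES, MAX_DEPTH and MAX_ELEMENTS to the real service.
"""
import io
import xml.etree.ElementTree as ET

# Assumed limits for the example service.
MAX_DOCUMENT_BYTES = 64 * 1024   # reject anything larger before parsing starts
MAX_DEPTH = 32                   # maximum element nesting depth
MAX_ELEMENTS = 10_000            # maximum total number of elements

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace

# Constructed sample request for a hypothetical GetQuote operation.
SAMPLE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soapenv:Header/>'
    b'<soapenv:Body><GetQuote><symbol>ACME</symbol></GetQuote></soapenv:Body>'
    b'</soapenv:Envelope>'
)


class PayloadRejected(ValueError):
    """Raised when a request fails a pre-parse or in-parse limit."""


def check_size(body, declared_length=None):
    """Pre-parse check: compare the declared Content-Length and the real body size to the limit."""
    if declared_length is not None and declared_length > MAX_DOCUMENT_BYTES:
        raise PayloadRejected(f"Content-Length {declared_length} exceeds {MAX_DOCUMENT_BYTES}")
    if len(body) > MAX_DOCUMENT_BYTES:
        raise PayloadRejected(f"body of {len(body)} bytes exceeds {MAX_DOCUMENT_BYTES}")


def parse_soap_bounded(body, declared_length=None):
    """Parse a SOAP envelope with bounded memory and return the local names of Body's children.

    iterparse streams start/end events, so depth and element count are enforced while the
    document is still being read, and each finished element is cleared instead of being kept
    in a DOM that may be several times the size of the wire payload.
    """
    check_size(body, declared_length)
    depth = 0
    count = 0
    body_children = []
    body_depth = None  # depth at which the Body element was opened, if inside it
    try:
        for event, elem in ET.iterparse(io.BytesIO(body), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    raise PayloadRejected(f"nesting depth {depth} exceeds {MAX_DEPTH}")
                if count > MAX_ELEMENTS:
                    raise PayloadRejected(f"element count {count} exceeds {MAX_ELEMENTS}")
                if elem.tag == f"{{{SOAP_ENV}}}Body":
                    body_depth = depth
                elif body_depth is not None and depth == body_depth + 1:
                    body_children.append(elem.tag.split("}")[-1])  # strip namespace
            else:
                depth -= 1
                if body_depth is not None and depth < body_depth:
                    body_depth = None
                elem.clear()  # release this subtree; it has been fully processed
    except ET.ParseError as exc:
        raise PayloadRejected(f"malformed XML: {exc}") from exc
    return body_children


def is_rejected(body, declared_length=None):
    """True if the guard rejects the document, False if it parses within limits."""
    try:
        parse_soap_bounded(body, declared_length)
    except PayloadRejected:
        return True
    return False


if __name__ == "__main__":
    print("sample request ->", parse_soap_bounded(SAMPLE_REQUEST))
    # Constructed over-limit documents, used only to show the guard firing.
    too_deep = b"<a>" * 40 + b"</a>" * 40
    too_large = b"<a>" + b"x" * 70_000 + b"</a>"
    too_many = b"<r>" + b"<e/>" * 10_001 + b"</r>"
    for label, doc in (("too deep", too_deep), ("too large", too_large), ("too many", too_many)):
        print(f"{label}: rejected = {is_rejected(doc)}")
```

The size check runs first because it is the cheapest test and needs no parsing at all; the depth and count limits then cover documents that are small on the wire but would still expand badly in a DOM, which is the failure mode the section describes.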