What is a Large Payload Post DDoS Attack?

What is a Large Payload Post DDoS Attack?

A Large Payload Post is a class of HTTP DDoS attack where the attacker abuses XML encoding used by webservers. In this type of DDoS attack, a webserver is sent a data structure encoded in XML, which the server then attempts to decode, but is compelled to use an excessive amount of memory, thus overwhelming the system and crashing the service.

These types of DDoS attacks are also referred to as “Oversize Payload Attacks” or “Jumbo Payload Attacks."

What Are the Signs of a Large Payload Post Attack?

What Are the Signs of a Large Payload Post DDoS Attack?

Large Payload Post DDoS attacks occur when web services use a DOM parser to create an in-memory representation of the SOAP message. During this process, the SOAP message size can double, or in some cases, grow as much as 30 times larger. The resulting large documents result in memory exhaustion. Variations of this attack can include over-sized content contained in the header of the SOAP message, in the SOAP body, or in SOAP envelope but outside of the SOAP header and the SOAP body.

Why Are Large Payload Post Attacks Dangerous?

Why Are Large Payload Post DDoS Attacks Dangerous?

Large Payload Post DDoS attacks are primarily dangerous because they are very simple to launch. Also, because attackers must have knowledge about the endpoint of the web service, as well as access to the endpoint, this suggests a vulnerability of the server that can be easily exploited.

How to Mitigate and Prevent a Large Payload Post Attack

How to Mitigate and Prevent a Large Payload Post DDoS Attack

The most effective way to prevent a large payload post DDoS attack is to simply check the document size prior to parsing. The maximum allowed document size will depend on the type of web service an organization is running.

Another DDoS mitigation method for such an attack is using strict XML schema validation. Every WSDL should contain a comprehensive description of the elements, attributes and data types contained. While a strict schema validation requires considerable resources, it will prevent attacks without limiting the document size.

How can NETSCOUT help?

NETSCOUT's Arbor DDoS solution has been protecting the world's largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.

Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.

Arbor Cloud

Tightly integrated, multi-layer DDoS protection

Arbor Edge Defense


Arbor SP/Threat Mitigation System

High Capacity On-Premise Solution for Large Organizations

NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.