XML-based and HTTP-based DoS (and DDoS) attacks both aim to exhaust server resources. The eXtensible Markup Language (XML) and the HyperText Transfer Protocol (HTTP) are used extensively by cloud web services, yet comparatively little work has addressed security at the level of these protocols: an incoming XML request, for example, is implicitly assumed to be legitimate and is handed straight to the parser. This makes XML-DoS and HTTP-DoS among the most serious and destructive kinds of DDoS attack in the cloud. They can be more destructive than traditional DDoS because these protocols are so widely used in cloud computing and because a single small, well-formed-looking request can cost the server far more to process than it cost the attacker to send. Protecting cloud platforms against these kinds of attack is therefore essential.
Web services rely on SOAP (Simple Object Access Protocol) to send and receive messages, and SOAP messages are XML. That XML can be turned against the service: XML-DoS attacks follow three main strategies.
The first uses an oversized payload to deplete the victim's resources: the parser must read, and a tree-building parser must hold in memory, everything the attacker sends. The second is the External Entity DoS attack, in which the Document Type Definition (DTD) of the message declares entities whose content lives in large external (remote) XML files; resolving them forces the server to open many TCP connections and to fetch and parse the referenced data, at heavy CPU and memory cost. The third is the Coercive Parsing attack, which sends a continuous sequence of opening tags that are never closed, exhausting both CPU and memory. Variants of coercive parsing use very long namespace URIs, large numbers of namespace declarations, oversized prefixes, or deeply nested XML structures. The memory-exhaustion effect depends on the web service using a Document Object Model (DOM) parser, which builds a tree representation of the whole document before the application can act on it; a streaming (SAX- or pull-based) parser holds only the current element in memory, but it still spends CPU on every byte the attacker sends, so it needs explicit limits on message size, nesting depth and element count rather than being immune. The practical checks are therefore to cap the request body size before parsing, to refuse DTDs altogether (SOAP messages do not need them, and refusing them also closes entity-expansion attacks), and to bound depth and element count while parsing.
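As an added illustration (this code is not from the paper), the following Python guard uses the standard library's streaming expat parser to reject all three strategies before any tree is built. The size, depth and element limits, the sample messages and the attacker host name are constructed for this example and are not values from the text.

```python
"""Added example: streaming XML-DoS guard for SOAP bodies, built on pyexpat."""
import xml.parsers.expat

# Illustrative limits (assumptions for this example, not values from the paper).
MAX_BYTES = 1_000_000      # oversized-payload guard
MAX_DEPTH = 100            # coercive-parsing / deep-nesting guard
MAX_ELEMENTS = 50_000      # total element count guard


class XmlDosRejected(Exception):
    """Raised as soon as a message matches one of the XML-DoS patterns."""


def check_soap_payload(data: bytes) -> dict:
    """Stream-parse `data` with expat, enforcing size, DTD and depth limits.

    Returns parse statistics on success and raises XmlDosRejected otherwise.
    Because expat is a streaming parser the checks fire while the input is
    still being read; nothing is buffered into a DOM tree first."""
    if len(data) > MAX_BYTES:
        raise XmlDosRejected(f"payload of {len(data)} bytes exceeds {MAX_BYTES}")

    stats = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refuse any DTD: this blocks external entities (remote fetches) and
        # internal entity expansion alike. SOAP messages never need a DTD.
        raise XmlDosRejected(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")

    def on_start(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > MAX_DEPTH:
            raise XmlDosRejected(f"nesting depth exceeds {MAX_DEPTH}")
        if stats["elements"] > MAX_ELEMENTS:
            raise XmlDosRejected(f"element count exceeds {MAX_ELEMENTS}")

    def on_end(name):
        stats["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)   # exceptions raised in handlers propagate
    except xml.parsers.expat.ExpatError as exc:
        raise XmlDosRejected(f"malformed XML: {exc}") from exc
    del stats["depth"]
    return stats


# Constructed sample messages (not captured traffic).
SOAP_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getQuote><symbol>ACME</symbol></getQuote></soap:Body>
</soap:Envelope>"""

# External Entity DoS: the DTD points the parser at a remote file (host name is invented).
XXE_DOS = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE soap:Envelope [\n'
           b'  <!ENTITY remote SYSTEM "http://attacker.invalid/huge.xml">\n'
           b']>\n'
           b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body>&remote;</soap:Body></soap:Envelope>')


def coercive_parsing(n_open_tags: int) -> bytes:
    """Coercive parsing: n opening tags with no closing tags at all."""
    return (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            + b"<x>" * n_open_tags)


def verdict(data: bytes) -> str:
    """Human-readable accept/reject decision for one message."""
    try:
        stats = check_soap_payload(data)
        return f"accepted (depth {stats['max_depth']}, {stats['elements']} elements)"
    except XmlDosRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(verdict(SOAP_OK))                                  # accepted
    print(verdict(XXE_DOS))                                  # rejected at DOCTYPE
    print(verdict(coercive_parsing(100_000)))                # rejected at depth 101
    print(verdict(b"<a>" + b"A" * MAX_BYTES + b"</a>"))      # rejected before parsing
```

The size check runs before the parser sees a byte, the DOCTYPE check fires before any entity can be declared or fetched, and the depth check aborts the coercive-parsing message after 101 opening tags instead of the 100,000 it carries; the same handler structure applies to any SAX-style parser in other languages.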
SOAP can send and receive XML messages irrespective of the application's implementation language or the underlying transport protocol (most commonly HTTP).
An HTTP-DoS involves an attacker sending large numbers of arbitrary HTTP requests. Each HTTP request is handled independently, and the server cannot distinguish a flood of valid-looking requests from legitimate traffic, so a high request rate quickly overwhelms the web service's resources. The cost of processing each request (connection handling, parsing, back-end work) accumulates until the service is completely denied to legitimate users. The main defense currently available is to restrict the rate of HTTP requests reaching the server, typically by placing a proxy in front of it that enforces per-client rate limits, or, as a last resort, by asking the ISP to change the server's IP address so that the attack traffic no longer arrives. The latter only helps until the attacker rediscovers the new address, and per-source rate limiting is weakened when the attack is distributed across many sources.
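As an added example (not code from the paper), the following Python snippet shows the per-client rate limiting a front-end proxy would apply, run over a constructed request trace containing one flooding client and one normal client. The rate and burst values, the IP addresses and the request lines are assumptions made for this example.

```python
"""Added example: per-client token-bucket rate limiting against an HTTP flood."""
from collections import defaultdict


class TokenBucket:
    """Integer token bucket: `rate` tokens per second, at most `burst` stored.
    Tokens are kept in thousandths so refill arithmetic is exact."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms = None

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            # elapsed_ms * (tokens/s) == refill in milli-tokens
            self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def rate_limit(trace, rate: int = 5, burst: int = 10) -> dict:
    """trace: iterable of (timestamp_ms, client_ip, request_line), time-ordered.
    Returns per-IP counts of allowed and dropped requests."""
    buckets = {}
    summary = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts_ms, ip, _request_line in trace:
        bucket = buckets.setdefault(ip, TokenBucket(rate, burst))
        summary[ip]["allowed" if bucket.allow(ts_ms) else "dropped"] += 1
    return dict(summary)


def constructed_trace():
    """Constructed sample, not real traffic: one client flooding 100 POSTs at
    10 ms spacing (1000 req/s) and one client sending 1 req/s for 6 s."""
    flood = [(i * 10, "203.0.113.7", "POST /ws/Quote HTTP/1.1") for i in range(100)]
    normal = [(i * 1000, "198.51.100.5", "POST /ws/Quote HTTP/1.1") for i in range(6)]
    return sorted(flood + normal)


if __name__ == "__main__":
    for ip, counts in rate_limit(constructed_trace()).items():
        print(ip, counts)
```

With a budget of 5 requests per second and a burst of 10, the flooding client gets its first 10 requests through and then only one every 200 ms (14 of its 100 requests in total), while the normal client is never throttled. Because the bucket is keyed by source address, a distributed attack that spreads requests across many addresses stays under each per-client limit; that is the limitation noted above, and the reason rate limiting is a mitigation rather than a complete defense.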