BPEL Indirect Flooding
- 1 Attack description
- 2 Attack subtypes
- 3 Prerequisites for attack
- 4 Graphic representation of attack
- 5 Attack example
- 6 Attack mitigation / countermeasures
- 7 Attack categorisation
- 8 References
NOTE: Attack description is copied from 
BPEL Indiect Flooding utilizes the same methodology as presented in the previous section, but the target of the indirect flooding attack is different. The idea of this attack is to use the BPEL engine as an intermediary for an attack on a target system “behind” the BPEL engine. Imagine an architecture as shown in Fig. 2, and think of a BPEL process that repeatedly calls a Web Service provided by the attack target system, for example creating customer accounts with several details.
By flooding the process within the BPEL engine with instantiating attack messages (as shown in the previous section), the BPEL engine will undergo a heavy load itself, but it will reflect an equally heavy load on the target system. Thus, if the target system is not as powerful as the BPEL engine, the backend system will suffer a loss of availability.
Using this attack method, the attacker bypasses any firewall on his direct link to the target system. Even if the target system is not connected to the outside world at all and only communicates with the BPEL engine, the backend system is exposed. Note that this attack method can not be mitigated against using WS-Security or similar approaches becuase the connection between BPEL engine and target system is used in a completely valid and trustful way.
There are no attack subtypes.
Prerequisites for attack
In order for this attack to work the attacker has to have knowledge about the following things:
- Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
- Attacker knows metadata such as WSDL file.
- Attacker can reach endpoint from its location. Access to the attacked web service server is possible for the attacker. This prerequisite is important if the web service is only available to users within a certain network.
Graphic representation of attack
Graphic taken from 
No attack example available/necessary.
Attack mitigation / countermeasures
Mitigating these attacks reuires identification and rejection of attack messages. The complication raised here is that the responsibility for attack prevention is at the BPEL engine, but the impact is on the target system. Thinking of a scenario where a BPEL engine and target system communicate over inter-corporate boundaries, this task may become a political rather than a technical problem. Further, as the workflow may spread over multiple systems hosted by multiple companies, an attack may propagate throughout the system, making it difficult to identify its real entry point.
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
Categorisation by number of involved parties
Categorisation by attacked component in web service architecture
Categorisation by attack spreading
- Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009. -