Configuring security for web services
In computing, a denial-of-service attack (DoS attack) is a cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host that is connected to the internet.
Settings to prevent DoS attacks
Method 1: Load balancer
Using hardware load balancers with an HTTP profile configured is the best method to stop such an attack, because the load balancer inspects the packets and forwards to the web server only those HTTP requests that are complete. For configuration details, refer to the WebSphere Liberty documentation.
Method 2: Tuning Liberty settings
MaxKeepAliveRequests
Maximum number of persistent requests that are allowed on a single HTTP connection if persistent connections are enabled. This parameter can help prevent denial of service attacks when a client tries to hold on to a keep-alive connection.
By default, for Liberty versions earlier than 21.0.0.6, for HTTP/1.0 and HTTP/1.1 (but not HTTP/2.0), Liberty closes an incoming HTTP keep-alive connection after 100 requests. This can have a significant throughput impact, particularly with TLS, where every new connection requires a handshake. To disable that closing of sockets, set maxKeepAliveRequests="-1".
As of Liberty 21.0.0.6, -1 is the default, which allows an unlimited number of requests per connection.
To help prevent a DoS attack, set an explicit maximum; when the number of requests on a connection reaches that limit, Liberty closes that connection.
<httpOptions maxKeepAliveRequests="150" />
KeepAliveEnabled
Enables persistent connections (HTTP keep-alive). If true, connections are kept alive for reuse by multiple sequential requests and responses. If false, connections are closed after the response is sent.
<httpOptions keepAliveEnabled="true" />
You must restart Liberty after you modify these parameters.
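As an added example (not code from the TXSeries or Liberty documentation), the following Python script audits the keep-alive settings of a server.xml fragment, applying the version-dependent default described above to decide whether maxKeepAliveRequests is effectively unlimited. The server.xml fragments are constructed for illustration, and attribute names are matched case-insensitively so both the page's spelling and Liberty's documented camelCase are recognised.

```python
"""Audit the keep-alive settings in a Liberty server.xml (added example, not IBM's code)."""
import xml.etree.ElementTree as ET

# Liberty changed the default maxKeepAliveRequests from 100 to -1 (unlimited) in 21.0.0.6.
DEFAULT_CHANGE_VERSION = (21, 0, 0, 6)
OLD_DEFAULT, NEW_DEFAULT = 100, -1

# Constructed server.xml fragments: the explicit unlimited setting, the hardened setting
# from this page, and a profile that never sets httpOptions at all.
WEAK_XML = '<server><httpOptions maxKeepAliveRequests="-1" /></server>'
HARDENED_XML = '<server><httpOptions maxKeepAliveRequests="150" keepAliveEnabled="true" /></server>'
NO_OPTIONS_XML = '<server><featureManager><feature>servlet-4.0</feature></featureManager></server>'


def parse_version(version: str) -> tuple:
    """'21.0.0.6' -> (21, 0, 0, 6) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def http_options(server_xml: str) -> dict:
    """Attributes of the first <httpOptions> element, keyed in lower case so that the
    page's KeepAliveEnabled and Liberty's documented keepAliveEnabled both match."""
    element = next(ET.fromstring(server_xml).iter("httpOptions"), None)
    return {} if element is None else {k.lower(): v for k, v in element.attrib.items()}


def effective_keep_alive(server_xml: str, liberty_version: str) -> dict:
    """Resolve the keep-alive settings Liberty would actually apply, filling in the
    version-dependent default when maxKeepAliveRequests is not set explicitly."""
    attrs = http_options(server_xml)
    enabled = attrs.get("keepaliveenabled", "true").lower() == "true"
    if "maxkeepaliverequests" in attrs:
        max_requests = int(attrs["maxkeepaliverequests"])
    elif parse_version(liberty_version) >= DEFAULT_CHANGE_VERSION:
        max_requests = NEW_DEFAULT
    else:
        max_requests = OLD_DEFAULT
    return {"keepAliveEnabled": enabled, "maxKeepAliveRequests": max_requests}


def audit(server_xml: str, liberty_version: str) -> list:
    """Return findings; an empty list means the per-connection request count is bounded
    (or keep-alive is disabled, in which case the limit is irrelevant)."""
    effective = effective_keep_alive(server_xml, liberty_version)
    if effective["keepAliveEnabled"] and effective["maxKeepAliveRequests"] == -1:
        return ["maxKeepAliveRequests is unlimited (-1): a client can hold a keep-alive "
                "connection open indefinitely; set an explicit limit such as 150"]
    return []


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_XML), ("hardened", HARDENED_XML), ("no-options", NO_OPTIONS_XML)):
        print(name, "21.0.0.6:", audit(xml, "21.0.0.6"), "| 20.0.0.12:", audit(xml, "20.0.0.12"))
```

Note that a server.xml with no httpOptions element at all is reported as unlimited on 21.0.0.6 and later but not on earlier releases, which is exactly the upgrade case the version note above is warning about.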
Protect Web Services from a Slowloris DDoS attack
Slowloris is a denial-of-service attack program that allows an attacker to overwhelm a targeted server by opening and maintaining simultaneous HTTP connections between the attacker and the target.
TXSeries® for Multiplatforms provides inbound SOAP XML web services support, allowing CICS® backend applications to be exposed as web services. To support web service functions, the TXSeries installation provides an IBM® WebSphere® Liberty web server profile. IBM WebSphere Liberty is used as a web service interface for inbound web service support in TXSeries.
The following section provides guidelines that help you to ensure that the IBM WebSphere Liberty profile of TXSeries is protected against a Slowloris DDoS attack, thereby enhancing the overall security and reliability of a deployment.
- Load balancer configuration
If the setup involves a load balancer in front of the IBM WebSphere Liberty profile of TXSeries, configure the load balancer to handle any Slowloris-style attacks. The load balancer acts as an intermediary between SOAP XML web service clients and Liberty, distributing incoming requests across multiple backend servers.
By using hardware load balancers with HTTP profiles configured, only complete and valid HTTP requests are forwarded to the web server, which filters out the partial requests that Slowloris sends. This approach helps to prevent the attack from overwhelming the server, allowing it to continue serving legitimate traffic. For configuration details, refer to the IBM WebSphere Liberty documentation.
- Reverse proxy
You can use a reverse proxy to handle client requests. The reverse proxy can implement various security measures, including request buffering and handling connection timeouts, to mitigate any Slowloris attacks.
- Web Application Firewall (WAF)
Deploy a WAF that can detect and block any Slowloris-style attacks. A WAF can analyze incoming traffic, identify suspicious patterns indicative of Slowloris attacks, and block such requests before they reach the application server.
- Limit concurrent connections
Implement a limit on the number of concurrent connections that are allowed from a single IP address or source. This helps to prevent an attack from establishing numerous connections and consuming all available server resources.
- Traffic rate limiting
Implement rate-limiting mechanisms on the server to restrict the number of requests from a single IP address or source within a specific time frame. This method helps to prevent an attack from sending a large number of requests in a short period.
Based on the type of deployment environment, server settings can be effectively configured to mitigate the risk of Slowloris attacks. For information about server configuration settings, refer to the security documentation.