
XML Denial-of-Service check

The XML Denial of Service (XML DoS or XDoS) check examines incoming XML requests to determine whether they match the characteristics of a denial-of-service (DoS) attack and, if there is a match, blocks those requests. The purpose of the XML DoS check is to prevent an attacker from using XML requests to launch a denial-of-service attack on your web server or website.

If you use the wizard or the GUI, in the Modify XML Denial-of-Service Check dialog box, on the General tab you can enable or disable the Block, Log, Statistics, and Learn actions.

If you use the command-line interface, you can enter the following command to configure the XML Denial-of-Service check:

  • set appfw profile <name> -xmlDoSAction [block] [log] [learn] [stats] [none]

To configure individual XML Denial-of-Service rules, you must use the GUI. On the Checks tab of the Modify XML Denial-of-Service Check dialog box, select a rule and click Open to open the Modify XML Denial-of-Service dialog box for that rule. The individual dialog boxes differ for the different rules but are simple. Some only allow you to enable or disable the rule; others allow you to modify a number by typing a new value in a text box.

Note:

The expected behavior of the learning engine for denial-of-service attacks depends on the configured action. If the action is set to Block, the engine learns the configured limit plus one, and XML parsing stops at the violation. If the configured action is not Block, the engine learns the actual length of the incoming value that caused the violation.

The individual XML Denial-of-Service rules are:

  • Maximum Element Depth. Restrict the maximum number of nested levels in each individual element to 256. If this rule is enabled, and the Web App Firewall detects an XML request with an element that has more than the maximum number of allowed levels, it blocks the request. You can modify the maximum number of levels to any value from one (1) to 65,535.

  • Maximum Element Name Length. Restrict the maximum length of each element name to 128 characters. This includes the name within the expanded namespace, which includes the XML path and element name in the following format:

     {http://prefix.example.com/path/}target_page.xml

    You can modify the maximum name length to any value between one (1) and 65,535 characters.

  • Maximum # Elements. Restrict the maximum number of any one type of element per XML document to 65,535. You can modify the maximum number of elements to any value between one (1) and 65,535.

  • Maximum # Element Children. Restrict the maximum number of children (including other elements, character information, and comments) each individual element is allowed to have to 65,535. You can modify the maximum number of element children to any value between one (1) and 65,535.

  • Maximum # Attributes. Restrict the maximum number of attributes each individual element is allowed to have to 256. You can modify the maximum number of attributes to any value between one (1) and 256.

  • Maximum Attribute Name Length. Restrict the maximum length of each attribute name to 128 characters. You can modify the maximum attribute name length to any value between one (1) and 2,048.

  • Maximum Attribute Value Length. Restrict the maximum length of each attribute value to 2048 characters. You can modify the maximum attribute value length to any value between one (1) and 2,048.

  • Maximum Character Data Length. Restrict the maximum character data length for each element to 65,535. You can modify the length to any value between one (1) and 65,535.

  • Maximum File Size. Restrict the size of each file to 20 MB. You can modify the maximum file size to any value.

  • Minimum File Size. Require that each file is at least 9 bytes in length. You can modify the minimum file size to any positive integer number of bytes.

  • Maximum # Entity Expansions. Limit the number of entity expansions allowed to the specified number. Default: 1024.

  • Maximum Entity Expansion Depth. Restrict the maximum number of nested entity expansions to no more than the specified number. Default: 32.

  • Maximum # Namespaces. Limit the number of namespace declarations in an XML document to no more than the specified number. Default: 16.

  • Maximum Namespace URI Length. Limit the URI length of each namespace declaration to no more than the specified number of characters. Default: 256.

  • Block Processing Instructions. Block any special processing instructions included in the request. This rule has no user-modifiable values.

  • Block DTD. Block any document type definitions (DTD) included with the request. This rule has no user-modifiable values.

  • Block External Entities. Block all references to external entities in the request. This rule has no user-modifiable values.

  • SOAP Array Check. Enable or disable the following SOAP array checks:

    • Maximum SOAP Array Size. The maximum total size of all SOAP arrays in an XML request before the connection is blocked. You can modify this value. Default: 20000000.
    • Maximum SOAP Array Rank. The maximum rank or dimensions of any single SOAP array in an XML request before the connection is blocked. You can modify this value. Default: 16.
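The rules above are limits that a parser can enforce while streaming, and the quickest way to see what each one catches is to run a few documents against them. The following is an added example, not ADC or NetScaler code and not how the Web App Firewall implements the check: it uses Python's bundled expat parser to apply the limits this page lists to an XML body and returns the name of the first rule that fires. The rule names, the `check_xml` function and the sample documents (a billion-laughs DTD, a deeply nested document, a stylesheet processing instruction and a clean SOAP envelope) are constructed for the example; the default values are the ones listed above, not an ADC configuration export. The SOAP array rules are not covered.

```python
# Added example, not ADC/NetScaler code: stream-check an XML body against XML-DoS limits with expat.
import re
import xml.parsers.expat
from collections import Counter

# Defaults are the values this page lists; the keys double as rule names in the result.
DEFAULT_LIMITS = dict(
    max_element_depth=256, max_element_name_length=128, max_elements=65535,  # max_elements is per type
    max_element_children=65535, max_attributes=256, max_attribute_name_length=128,
    max_attribute_value_length=2048, max_char_data_length=65535, max_file_size=20 * 1024 * 1024,
    min_file_size=9, max_entity_expansions=1024, max_entity_expansion_depth=32, max_namespaces=16,
    max_namespace_uri_length=256, block_processing_instructions=True, block_dtd=True,
    block_external_entities=True)

class XmlDosViolation(Exception):
    """Raised from an expat callback; str(exc) is the rule that fired."""

_ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")  # general entity references only, not &#NNN; char refs

class _Checker:
    def __init__(self, limits):
        self.l, self.per_type, self.stack = limits, Counter(), []  # stack: [children, chars] per open element
        self.namespaces, self.entities = 0, {}                      # entities: internal general, name -> literal
        p = self.parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
        p.buffer_text = True                                        # one callback per contiguous text run
        p.StartElementHandler, p.EndElementHandler = self.start, lambda name: self.stack.pop()
        p.CharacterDataHandler, p.CommentHandler = self.chars, lambda data: self.child()
        p.ProcessingInstructionHandler = lambda target, data: self.block("block_processing_instructions")
        p.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: self.block("block_dtd")
        p.EntityDeclHandler, p.StartNamespaceDeclHandler = self.entity, self.namespace
    def limit(self, value, rule):   # numeric rule: fail when the value exceeds the configured limit
        if value > self.l[rule]:
            raise XmlDosViolation(rule)
    def block(self, rule):          # boolean rule: fail when blocking is enabled
        if self.l[rule]:
            raise XmlDosViolation(rule)
    def child(self):                # one more child (element, text run or comment) of the open element
        if self.stack:              # nothing before the root element has a parent
            self.stack[-1][0] += 1
            self.limit(self.stack[-1][0], "max_element_children")
    def start(self, name, attrs):
        parts = name.split(" ", 1)  # expat reports "uri local"; rebuild the {uri}local form shown on the page
        expanded = "{%s}%s" % tuple(parts) if len(parts) == 2 else name
        self.limit(len(self.stack) + 1, "max_element_depth")
        self.limit(len(expanded), "max_element_name_length")
        self.per_type[expanded] += 1
        self.limit(self.per_type[expanded], "max_elements")
        self.limit(len(attrs), "max_attributes")
        for k, v in attrs.items():
            self.limit(len(k), "max_attribute_name_length")
            self.limit(len(v), "max_attribute_value_length")
        self.child()
        self.stack.append([0, 0])
    def chars(self, data):
        if self.stack:
            self.child()
            self.stack[-1][1] += len(data)
            self.limit(self.stack[-1][1], "max_char_data_length")
    def namespace(self, prefix, uri):
        self.namespaces += 1
        self.limit(self.namespaces, "max_namespaces")
        self.limit(len(uri or ""), "max_namespace_uri_length")
    def entity(self, name, is_param, value, base, sysid, pubid, notation):
        if value is None:           # declared with SYSTEM/PUBLIC, i.e. an external entity
            return self.block("block_external_entities")
        if not is_param:
            self.entities[name] = value
            count, depth = self.expansion(name, set())  # bound the cost statically, before anything expands
            self.limit(count, "max_entity_expansions")
            self.limit(depth, "max_entity_expansion_depth")
    def expansion(self, name, visiting):  # (total expansions, nesting depth) caused by one reference to name
        if name in visiting:        # recursive entity: unbounded, so report it as a depth violation
            raise XmlDosViolation("max_entity_expansion_depth")
        count, depth = 1, 1
        for ref in _ENTITY_REF.findall(self.entities.get(name, "")):
            c, d = self.expansion(ref, visiting | {name})
            count, depth = count + c, max(depth, d + 1)
        return count, depth

def check_xml(data, **overrides):
    """Return the first XML-DoS rule `data` violates, or None; keyword overrides replace DEFAULT_LIMITS values."""
    limits = {**DEFAULT_LIMITS, **overrides}
    if not limits["min_file_size"] <= len(data) <= limits["max_file_size"]:
        return "max_file_size" if len(data) > limits["max_file_size"] else "min_file_size"
    try:
        _Checker(limits).parser.Parse(data, True)
    except XmlDosViolation as v:
        return str(v)
    except xml.parsers.expat.ExpatError as e:
        return "malformed_xml: %s" % e
    return None

# Constructed sample inputs, not captured traffic.
_defs = b'<!ENTITY lol "lol">'
for _i in range(1, 10):             # lol1..lol9: each is ten references to the previous entity
    _prev = b"lol" if _i == 1 else b"lol%d" % (_i - 1)
    _defs += b'<!ENTITY lol%d "%s">' % (_i, (b"&%s;" % _prev) * 10)
BILLION_LAUGHS = b'<?xml version="1.0"?><!DOCTYPE lolz [' + _defs + b']><lolz>&lol9;</lolz>'
DEEP_NESTING = b"<a>" * 300 + b"</a>" * 300
PI_DOC = b'<?xml version="1.0"?><?xml-stylesheet href="s.xsl" type="text/xsl"?><r/>'
CLEAN_SOAP = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
              b'<GetQuote xmlns="urn:example:quotes"><symbol>ACME</symbol></GetQuote></soap:Body></soap:Envelope>')
```

With the defaults, `check_xml(BILLION_LAUGHS)` returns "block_dtd" because the document type declaration is rejected before any entity is read. Calling `check_xml(BILLION_LAUGHS, block_dtd=False)` shows the entity rules doing their work: the bound on what one reference expands into is computed from the declarations as they arrive, so the document is rejected at the `lol3` declaration (1 + 10 × 111 = 1111 expansions, over the default 1024) without a single entity ever being expanded. The file-size rules are applied to the raw body before parsing starts, which is the cheapest place to reject an oversized request.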