I have a web service which is secured with an SSL EV certificate. Lets say it´s located at:
https://webservice.justawebservice.com/webservice/. Users are able to send messages to this web-service.
When a malicious person obtains possession of this URL, said person can show the WSDL and web the service location. But most importantly, he will be able to send in messages. There is some kind of authentication on the web-service, but only happens when a message is sent in (the message contains an username and password). A malicious person will be able to flood said webservice with loads of messages, which may cause it to go offline.
I want to secure this area, so when said person goes to the link he is asked for some kind of authentication.
What is the best way to do this? (If it’s possible)
Any help is greatly appreciated,
Thanks!
If your objective is to prevent DOS type of attack ‘flooding with requests’ then authentication is not a proper way of doing it as even properly authenticated client could cause flood by nature of not understanding how to use API or by bugs in his code etc.
Proper way IMHO would be to develop some sort of ‘circuit breaker’ pattern in your code (as WS interceptor perhaps) which would look at number of requests coming (either from particular user or from ip address or in total or all of the above) and shortcut call execution by returning the error to the caller, therefore not consuming much of the resources on your system.
This would be a good first step but not a complete guarantee against DOS attack (as your service would still consume resources to accept request and interpret it). Next step would be to try to block such clients on lowest level possible – e.g. on firewall just dropping TCP packets – there are few firewalls packages that simplify this task – e.g. AFP with ddos deflate and so on.