Will Web Services aid DOS attacks?
This widely published article basically claims that Web Services will be subject to DOS attacks and claims “UDDI will help your attacker to find any services that have been published within the networked environment and then WSDL will provide the details required to make it work.” Some fairly serious comments. But do they have grounding?
I think this isn’t nearly as “new” of an issue as they make it sound. I think there are two classes of public web service publishers. First there are those who have already been publishing their information on the internet, and are moving to web services for easier programmatic interoperability; these companies already have to deal with DOS attacks on their exposed systems. The other class of service publishers are those who have been publishing their information in some other way (not on a public network), and are moving to web services and the internet. These companies simply have to learn about and deal with the same issues that everyone else on the web has been dealing with for years. A production web services security infrastructure should at least protect your internal business systems from such a DOS attack; as for the edge servers, the same issues apply here as a typical web server exposing business functions.
As for UDDI helping the attackers find the services, I think that’s kind of like publishing your number in the phone book. It might make it easier to find, but a determined attacker is going to find your service anyway.