Use the following guidelines for restricting the size of incoming messages in services:
- Limit the size of input messages that services accept to protect them against Denial of Service (DoS) attacks.
- If services call other services as part of their operation, make sure the message sizes are within a range.
- Some servers allow setting these values in configuration files.
Notes:
- According to NIST 800-95, oversized XML documents can also crash XML parsers. Configure the server the service is running on to only accept messages up to a certain size.
- This countermeasure might not be required if your architecture keeps the load on each server low through techniques such as DNS or TCP/IP load balancing. Check whether your application is still vulnerable to amplification attacks after applying such techniques; if it is, apply the requirements in this countermeasure.
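As an added example (not code from SD Elements, from this task, or from the OpenShift Zero Trust Workload Identity Manager project), a Go net/http service applying both guidelines: the inbound request body is capped with http.MaxBytesReader before any parser reads it, and the reply from a downstream service the code calls is capped on the client side as well. The limit values and the handler names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"strings"
)

// Demonstration limits (constructed values; size them per API in production).
const (
	MaxInboundBytes    int64 = 1 << 10 // largest request body this service accepts
	MaxDownstreamBytes int64 = 1 << 10 // most we read back from a service we call
)

// SizeLimited caps the request body before any parser sees it; oversized input gets 413.
func SizeLimited(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		next.ServeHTTP(w, r)
	})
}

// EchoHandler stands in for a real service: it reads the whole body, as an XML parser would.
func EchoHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	switch {
	case errors.As(err, &tooBig):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "bad request", http.StatusBadRequest)
	default:
		w.Write(body)
	}
}

// PostWithLimit calls a downstream service and reads at most limit bytes of its reply, so a misbehaving dependency cannot exhaust this service's memory either.
func PostWithLimit(c *http.Client, url, payload string, limit int64) (int, error) {
	resp, err := c.Post(url, "application/octet-stream", strings.NewReader(payload))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	n, err := io.Copy(io.Discard, io.LimitReader(resp.Body, limit+1)) // +1 detects overflow
	if err == nil && n > limit {
		err = errors.New("downstream response exceeds limit")
	}
	return resp.StatusCode, err
}
```

Wrap every handler with SizeLimited at the router rather than inside individual handlers, so a newly added endpoint cannot forget the cap.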
FedRAMP / Moderate Baseline
SC-5: System And Communications Protection | Denial Of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-3-supporting-and-tooling-offering/openshift-zero-trust-workload-identity-manager/tasks/phase/requirements/311-T536/
Training Modules
Defending Web APIs
Relates to: SPIRE-193 Analyse and document to Restrict the size of incoming messages in services (Closed)