Chapter 1 Internet Era: E-Commerce 33
solutions try to prevent the attack from taking place by taking precautionary
measures. Reactive solutions, on the other hand, react to a DoS attack and are
generally used to trace the source of the attack. Some examples of preventive
solutions are filtering, throttling, location hiding, and intrusion detection. Examples
of reactive solutions include logging, packet marking, and link testing.
QoS
This is an active area of research, and several architectures and solutions have
been proposed. Most of these solutions rely on some form of monitoring and
metering system that measures the QoS (Quality of Service) levels the system is
delivering and then decides when to raise an alarm.
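Throttling (listed above as a preventive DoS measure) and the metering that drives QoS alarms are usually implemented together. The following is an added example, not code from the book: a per-client token bucket that throttles requests, plus a metering layer that flags a client once the share of its requests that had to be dropped crosses a threshold. The client addresses, rates and the alarm ratio are constructed values chosen for illustration.

```python
"""Throttling plus metering for DoS mitigation (added example, not from the book)."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` bounds the burst, `refill_rate` tokens/s the steady rate."""

    def __init__(self, capacity: float, refill_rate: float):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.tokens = capacity      # start full so a new client can burst once
        self.last = None            # timestamp of the previous decision

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above capacity.
        if self.last is not None:
            elapsed = max(0.0, now - self.last)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Throttler:
    """Per-client buckets plus per-client counters used to decide when to alarm."""

    def __init__(self, capacity=5, refill_rate=1.0, alarm_ratio=0.5, min_requests=10):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.alarm_ratio = alarm_ratio      # fraction of dropped requests that triggers an alarm
        self.min_requests = min_requests    # ignore clients with too little traffic to judge
        self.buckets = {}
        self.stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})

    def handle(self, client: str, now: float) -> bool:
        """Return True if the request is admitted, False if it is throttled."""
        bucket = self.buckets.setdefault(client, TokenBucket(self.capacity, self.refill_rate))
        admitted = bucket.allow(now)
        self.stats[client]["allowed" if admitted else "dropped"] += 1
        return admitted

    def alarms(self) -> list:
        """Clients whose dropped share exceeds alarm_ratio (metering -> alarm decision)."""
        flagged = []
        for client, s in sorted(self.stats.items()):
            total = s["allowed"] + s["dropped"]
            if total >= self.min_requests and s["dropped"] / total >= self.alarm_ratio:
                flagged.append(client)
        return flagged


def run_demo():
    """Constructed traffic: one well-behaved client, one bursting client."""
    t = Throttler(capacity=5, refill_rate=1.0, alarm_ratio=0.5)
    # 10.0.0.1 (constructed) sends one request per second for ten seconds: within rate.
    for second in range(10):
        t.handle("10.0.0.1", float(second))
    # 10.0.0.2 (constructed) sends 20 requests in the same instant: only the burst fits.
    for _ in range(20):
        t.handle("10.0.0.2", 0.0)
    return dict(t.stats), t.alarms()


if __name__ == "__main__":
    stats, flagged = run_demo()
    print(stats)
    print("alarm for:", flagged)
```

The alarm here is deliberately based on the ratio of dropped to total requests rather than on raw volume, so a legitimate client that is briefly over its allowance is not flagged while a sustained flood is.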
Applications
Enumerating a complete application threat model is practically impossible, as
it requires enumerating all the possible attack vectors, which in turn results in
a combinatorial explosion of the system-state space. Delineating the exact risk
associated with each threat is similarly meaningless: This is analogous to an
insurance agent saying “You need to tell me exactly when the next earthquake
hits, and identify which buildings will be damaged, and precisely what kind
of damage so I could give you an insurance quote.” Since that’s not possible for
obvious reasons, the next best thing to do is to perform a statistical approximation
of the most popular attacks and protect against the top items. The following
is a list of the most common Web application attacks that cloud computing
infrastructures should protect against. This is by no means a comprehensive
list, as the attack field is dynamically evolving:
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Insufficient authorization
Information leakage
HTTP response splitting
Content spoofing
Predictable resource location
Open redirects
Brute force
Abuse of functionality
Session fixation
Directory indexing
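Two items on this list, HTTP response splitting and open redirects, come down to the same defensive habit: never let untrusted input reach a response header unchecked. The following is an added example, not code from the book, showing the two checks side by side: header values are refused if they carry CR, LF or NUL (the characters that let an attacker terminate a header and start a new one), and redirect targets are accepted only if they are a local path or point at a host on an allow list. The host names `shop.example.com` and `www.example.com` and the sample inputs are constructed for illustration.

```python
"""Header-injection and open-redirect checks (added example, not from the book)."""
from urllib.parse import urlsplit

# Constructed allow list of hosts this application may redirect to.
ALLOWED_REDIRECT_HOSTS = {"shop.example.com", "www.example.com"}

FORBIDDEN_HEADER_CHARS = ("\r", "\n", "\x00")


def header_value_is_safe(value: str) -> bool:
    """Reject values that could split the response into extra headers or a second body."""
    return not any(ch in value for ch in FORBIDDEN_HEADER_CHARS)


def set_header(headers: dict, name: str, value: str) -> None:
    """Set a response header, refusing any value that fails the splitting check."""
    if not header_value_is_safe(name) or not header_value_is_safe(value):
        raise ValueError("control character in header name or value")
    headers[name] = value


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` if it is a local path or an allow-listed absolute URL, else `default`."""
    if not header_value_is_safe(target):
        return default
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Local path. Reject "//host" (scheme-relative) and backslashes, which some
        # browsers normalise to "/" and would turn "/\host" into an external redirect.
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return default
    # Absolute URL: use .hostname (strips userinfo and port) so that
    # "https://shop.example.com@other.example/" is judged by its real host.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


def build_redirect_response(next_param: str) -> dict:
    """Assemble the headers of a 302 response using both checks."""
    headers = {}
    set_header(headers, "Location", safe_redirect_target(next_param))
    set_header(headers, "Cache-Control", "no-store")
    return headers


if __name__ == "__main__":
    # Constructed inputs: a legitimate local path and a scheme-relative external target.
    print(build_redirect_response("/account"))
    print(build_redirect_response("//other.example/"))
```

Because `safe_redirect_target` falls back to a fixed local default instead of raising, a request carrying a bad `next` value still gets a usable response, while `set_header` raises, since a header containing CR or LF indicates either an attack or a bug that should be surfaced rather than silently written.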