Have I mentioned that web services are starting to scare me!!
DoS Web Service with a Single Packet
Just saw on Bugtraq that you can send a specially crafted SOAP packet that has a modified DTD in it to a Web Service and the XML parser will cause the CPU load to remain at 100% for as long as the process keeps running. Another effect is that memory (hundreds of megabytes) could not be freed, even after the CPU came down from the high load. In some cases, the parser returns an out of memory error after some time.
Nothing like a single packet to DoS your machine. *sigh*
There is a fix for it. Microsoft has released an update to the .NET Framework that fixes this. It is documented in KnowledgeBase article 826231, but this article isn’t actually online yet.
Brian’s Comments: Due to the nature of my work web services are going to remain a prevalent part of my work. In addition we are currently looking into Layer 7 web application firewalls. While they do an excellent job of protecting us from maliciousness web hackers no one currently is protecting or has any idea how to protect web services. Scary proposition considering the news above.