DDOS Attacks - Restful Web Services
Asked Answered
U

5

13

Could you please list some strategies or even approaches you have already applied to prevent/protect/minimize DDOS attacks upon Restful Web Services?

Thanks.

Unwritten answered 18/1, 2014 at 0:41 Comment(0)
W
15

Put a HTTP cache like Squid or Varnish in front of your API and put a small max-age header on any resource that you are concerned about. Even having a max-age of 1 second will prevent your API from being hit more than once per second for that resource.

Wilser answered 24/1, 2014 at 5:39 Comment(1)
While this offers basic protection, a large DDOS network may easily have a couple of thousand nodes. A better approach would be to limit the requests per source IP to sensible values, blocking IPs which exceed this burst limit more than a couple of times in a row.Chuchuah
H
10

Enabling web caching can mitigate the DoS attack on GET request. But another common type of DoS attack is to send huge amounts of data in an HTTP POST method. To mitigate this type of DoS, it is considered best practice to set the PostTimeoutSecs, MaxPostTimeSecs, MaxPostSize settings in your web server or application server. The parameter names vary across different servers.

That being said, adding web cache and set POST request limit are very rudimentary ways to prevent DoS attack. To get more effectively counter DoS attack, you may consider solutions such as Web Application Firewall. Please visit the OWASP site for list of WAF products on the market including some open source options.

Homan answered 27/1, 2014 at 20:49 Comment(0)
H
7

Unless you are a large deployment with a great deal of active users and income, I don't think you can justify anything but basic measures.

Instead, make sure you are confident that you will know in a timely fashion that your system is under attack (by monitoring CPU/Memory/requests-per-second).

If you believe you are under attack, ask whomever hosts your servers to help.

I'd love to hear another opinion, but I think any roll-your-own approach is almost always doomed to failure. Almost no matter what you do, the link provided by upstream can be saturated, meaning sometimes the only person who can do something is upstream of your servers--not you.

Hydrastinine answered 18/1, 2014 at 1:7 Comment(0)
K
3

Let CDN be a protective shield surrounding your growing set of REST APIs. Here is one example usage.

Kellerman answered 13/6, 2016 at 1:29 Comment(0)
T
1

DDoS attacks leverage weakness in the application which is formed as a result of code anomalies like memory leaks, longer session time, boundary conditions taking high cpu cycles etc. Session time may not be valid here for RESTFul web services as they are considered to have stateless responses. However, following steps may help.

Development/coding perspective

  • Profile application use cases for memory leaks, especially in negative test case scenarios like exceptions. The longer the resources are in memory the higher is the impact. Release the resources as early as possible.
  • Respond to negative scenarios on inception of request itself, e.g. a validation of attributes or payload needs to happens well before we do any business logic of database calls. In spring based java app an interceptor will be apt.
  • Implement structured logs to audit requests which can help in pattern analysis in event of any attacks
  • For post/put/delete kind of actions, which might be possible only from designated clients(web app/mobile apps etc.) implement captcha(like google Iam not a robot) and validate the captcha token at REST API level before processing request.

Operations perspective

  • Setup a monitoring and alerts in place for CPU, Memory, Network Traffic, internals of application containers like heap usage etc.

Infrastructure perspective

  • Add a web application firewall which can identify fake traffic originating from bots and apply some level of controlling the rate the requests
  • Setup caching, if possible, for get requests using CDN systems for entities which may not change frequently.
  • Setup auto scaling infrastructure with respect to network traffic, server CPU, Memory etc so that spike in traffic will not be able to bring down any application nodes. Choosing a cloud based infra will help.
Ticon answered 20/2, 2018 at 18:37 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.