Could you please list some strategies or even approaches you have already applied to prevent/protect/minimize DDOS attacks upon Restful Web Services?
Thanks.
Put an HTTP cache like Squid or Varnish in front of your API and put a small max-age header on any resource that you are concerned about. Even having a max-age of 1 second will prevent your API from being hit more than once per second for that resource.
Enabling web caching can mitigate DoS attacks on GET requests. But another common type of DoS attack is to send huge amounts of data in an HTTP POST method. To mitigate this type of DoS, it is considered best practice to set the PostTimeoutSecs, MaxPostTimeSecs and MaxPostSize settings in your web server or application server. The parameter names vary across different servers.
That being said, adding a web cache and setting POST request limits are very rudimentary ways to prevent DoS attacks. To counter DoS attacks more effectively, you may consider solutions such as a Web Application Firewall. Please visit the OWASP site for a list of WAF products on the market, including some open source options.
Unless you are a large deployment with a great deal of active users and income, I don't think you can justify anything but basic measures.
Instead, make sure you are confident that you will know in a timely fashion that your system is under attack (by monitoring CPU/Memory/requests-per-second).
If you believe you are under attack, ask whoever hosts your servers to help.
I'd love to hear another opinion, but I think any roll-your-own approach is almost always doomed to failure. Almost no matter what you do, the link provided by upstream can be saturated, meaning sometimes the only person who can do something is upstream of your servers, not you.
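The monitoring the answer above recommends (knowing your requests-per-second in a timely fashion) can be done from the access log itself. This is an added example, not code from the thread: it parses constructed Common Log Format lines, buckets requests per second overall and per client, and flags clients above an assumed threshold so an operator can spot a spike before the hosting provider has to be called.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format: client ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic: one client fires six requests inside
# a single second, another client makes two requests spread over several seconds.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items/42 HTTP/1.1" 200 128
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "POST /api/items HTTP/1.1" 201 64
"""

def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Bucket on the whole second so the counts below are requests-per-second.
    ts = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["second"] = int(ts.timestamp())
    return entry

def per_second_counts(log_text):
    """Count requests per (second, client) and per second overall."""
    per_client, total = Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # skip malformed lines rather than crash the monitor
        per_client[(e["second"], e["client"])] += 1
        total[e["second"]] += 1
    return per_client, total

def flag_sources(log_text, threshold):
    """Return clients that exceeded `threshold` requests in any one second (assumed limit)."""
    per_client, _ = per_second_counts(log_text)
    return sorted({client for (_, client), n in per_client.items() if n > threshold})
```

Feed it a real log with `flag_sources(open(path).read(), 5)`; the threshold of 5 requests per second is an assumption and should be tuned to what your API normally sees.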
Let CDN be a protective shield surrounding your growing set of REST APIs. Here is one example usage.
DDoS attacks leverage weaknesses in the application that result from code anomalies like memory leaks, long session times, boundary conditions taking many CPU cycles, etc. Session time may not be relevant here for RESTful web services, as they are considered to have stateless responses. However, the following steps may help.
Development/coding perspective
Operations perspective
Infrastructure perspective