Understanding API Connectivity to Resolve App DDoS Attacks

As companies of all sizes across verticals undergo Digital Transformation, they're building new applications and services from multiple sources using APIs to facilitate interactions between new applications and services as well as legacy systems. In today's cloud-first, mobile-first, digital-everything world, the glue that binds it all together is the API. Cloud-based applications, and the business models that they support, rely on an increasingly diverse set of underlying services, tied together through APIs. There are upwards of 18,000 APIs available today according to the ProgrammableWeb directory. Salesforce generates 50 percent of its revenue from APIs, eBay 60 percent and Expedia upwards of 90 percent. From payment processing gateways to supply chain and logistics APIs, these new application ecosystems are tied together with myriad connectors - and hackers have taken notice.

Hiding in relatively plain view is a complex set of API dependencies that directly affects customer experience, company reputation and, potentially, earnings in a fundamental way. Until recently, organizations have maintained a false sense of security about the well-being of this ecosystem of applications and APIs. However, Netflix's Scott Behrens and Bryan Payne all but squashed this notion with a self-inflicted attack on their own servers. The pair brought to light the potential for Application DDoS attacks caused by mass API calls — API requests crafted to look legitimate, but maliciously creating a tidal wave of subsequent requests in the backend with the goal of tying up computing resources.

For IT, network and DevOps teams, these vulnerabilities introduce another dimension of connectivity and availability challenges, making it of the utmost importance to identify API usage in your applications and to monitor the performance dependencies of those APIs. To speed up resolution of attacks and outages affecting APIs, it is critical to understand and test how each application component delivers its service.

Which APIs Should You Be Monitoring?

The first step is to determine which APIs you should be monitoring. Understanding performance dependencies requires a firm grasp of all the APIs used on an application-by-application basis. It's possible to identify all of the APIs in a system in several ways: observing the domains of objects loaded on web pages, looking at connection logs from application servers, and reading the documentation of embedded services.

But here are a few common ones across many sites and services:

  • User authentication relies on single sign-on APIs and on services that detect fraud or abuse.
  • Pricing and merchandising require complex integration of many back-end applications to show an accurate price to a customer.
  • Supply chain and logistics APIs ensure shipping is fulfilled.
  • Payment gateways and billing systems are necessary to transact with your customers.
  • Advertising on media sites relies on APIs to display targeted products, images, descriptions, and reviews in real time.
  • Customer chat, phone, and CRM systems use APIs to integrate with sites, to communicate with your users.

It's worth noting that API endpoints may or may not require authentication, though DDoS attacks can be dangerous in either case. API endpoints are typically doing SSL encryption, OAuth-based authentication and other work that requires open connections and processing power. DDoS attacks can attempt to interrupt or overwhelm these authentication processes, in addition to the better-known volumetric attacks that attempt to flood network links upstream from the API endpoint.

To better manage DDoS attacks against these APIs, operations teams can put in place rate limiting of API requests and network connections, do load testing of the overall environment (network, servers, databases), and use DDoS mitigation services (cloud- or appliance-based).

Monitoring External Services, Infrastructure, and APIs

The next step is to collect data for full operational awareness. Here are several key elements to add to a monitoring toolkit:

  1. Actively monitor API servers and infrastructure services.
    Regularly test the reachability, response time, response codes and response payloads of these services. If you're unsure of what to test, cloud providers typically have canary servers or endpoints (here is the list for AWS) which you can target.
  2. Log errors of failed API connections and requests.
    Track these trends over time to understand which services fail under your application load.
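As an added illustration of the two elements above (example code, not from the original article or any vendor), the following Python evaluates constructed probe results against an expected status code, a required payload key and a latency baseline, then counts failures per service from the JSON-lines log it emits. The service names, latencies and payloads are invented sample data.

```python
import json
import statistics
from collections import Counter, namedtuple

# One constructed probe result; status 0 marks a failed connection.
Probe = namedtuple("Probe", "service status latency_ms body")

def evaluate_probe(p, expected_status, required_key, baseline_ms):
    """Return problems found for one probe; an empty list means healthy."""
    if p.status == 0:
        return ["unreachable"]
    problems = []
    if p.status != expected_status:
        problems.append(f"status {p.status} != {expected_status}")
    try:  # a 200 with a wrong or empty payload is still a failure
        data = json.loads(p.body)
    except ValueError:
        data = None
    if not isinstance(data, dict) or required_key not in data:
        problems.append(f"payload missing '{required_key}'")
    if len(baseline_ms) >= 2:  # flag latency above mean + 3 sigma of healthy runs
        limit = statistics.mean(baseline_ms) + 3 * statistics.pstdev(baseline_ms)
        if p.latency_ms > limit:
            problems.append(f"latency {p.latency_ms:.0f}ms > {limit:.0f}ms")
    return problems

def failure_trend(log_lines):
    """Count failed probes per service from JSON-lines probe logs."""
    counts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if rec["problems"]:
            counts[rec["service"]] += 1
    return dict(counts)

# Constructed sample data: a healthy latency baseline and four probe results.
BASELINE_MS = [100.0, 120.0, 100.0, 120.0]  # mean 110, pstdev 10 -> limit 140
SAMPLE_PROBES = [
    Probe("payments", 200, 115.0, '{"status": "ok"}'),
    Probe("payments", 200, 900.0, '{"status": "ok"}'),     # slow backend
    Probe("sso", 0, 0.0, ""),                               # connection failed
    Probe("sso", 503, 130.0, "<html>Service Unavailable"),  # wrong code, not JSON
]

def check_all(probes=SAMPLE_PROBES):
    """Evaluate every probe and emit JSON log lines for trend tracking."""
    return [json.dumps({"service": p.service,
                        "problems": evaluate_probe(p, 200, "status", BASELINE_MS)})
            for p in probes]
```

The latency threshold is a deliberately simple baseline; in production you would compute it from a rolling window of recent healthy probes rather than a fixed list.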

Together, these two approaches will offer an understanding of baseline performance and specific issues as they occur. As a bonus, tying both of these methods together with a correlation engine such as Splunk can be an effective way to make sense of seemingly disparate events that are actually related.

Utilizing these approaches and tips will help IT, network and DevOps teams collaborate with external ISPs and mitigation vendors in real time to resolve any issues. They'll also understand how APIs and service delivery systems were impacted and how DDoS mitigation responses fared. With the proper planning, they'll be well aware of the dependencies, understand performance across networks and improve their responses to these new DDoS attacks.