DEV Community

Discussion on: The API Gateway security risk you need to pay attention to

Collapse
byrro profile image
Renato Byrro • Edited on

Informative post, thanks for sharing Yan!

One question: by using a relatively low rate limit for all endpoints, wouldn't we make it easier for DDoS low and slow attacks? Especially endpoints that have central importance for most or the entire user experience...

Do you think reducing the timeout to a minimum, reasonable level could be an extra measure to mitigate this sort of attack?

Collapse
theburningmonk profile image
Yan Cui Author • Edited on

Thank you :-)

As a best effort to find the "right" rate limits, I tend to combine historical norms (in case of migration projects) + some buffer, or based on business req (e.g. need to support X concurrent users, which translates to X req/s) + some buffer.

It would make the endpoints easier for DOS attacks that aren't caught by WAF (eg. low and slow attacks). But, at least you limit the blast radius to just one endpoint/API, as opposed to ALL the APIs in the region.

Also, if you have more critical endpoints then you can allow a bigger buffer to better handle unexpected spikes in traffic. You should also be more strict about the rate limits for low-priority endpoints.

The alternative is that your critical endpoints that are important to the user experience (which should be protected by some authenticated & authorization mechanism) can be taken offline by an attacker that DDOS a low priority and public endpoint (e.g. the "about us" page).