Current industry reports for 2019 regarding Distributed Denial of Service (DDoS) attacks indicate a 776% increase for loads between 100 Gbps and 400 Gbps*. As the demand rises for companies to expose more APIs to the public, it becomes much more important to be able to respond quickly to cybercrime threats and changing tactics. We have recently introduced the API Plans feature in the Layer7 API Developer Portal v4.3.2 so that customers can now dynamically create or modify throttling on APIs across organizations and clusters of API Gateways.
Throttling Best Practices
In my seven years of security consulting for large companies, I have seen a variety of approaches to preventing DDoS and believe that it is critical to have throttling policies in place to protect company applications and systems. This is the most talked about threat in API Management training because it happens often, and trends show threats are on the rise. The frequency was highlighted to me when, ironically, one student had to leave my class to address a DDoS issue while being taught how to prevent it. Throttling can be applied in many ways, but the more important question is what the ongoing actions should be to negate the threat to your critical APIs and to continuously improve security to prevent business impacts. Before applying throttling, it is very important to understand each API's usage and the system dependencies end-to-end. Some of the best practices to consider when implementing a strategy and continuing to monitor its effectiveness are as follows:
- Define what your critical APIs are and which organizations/partners are most important to your business. Plan to throttle appropriately for your essential business services.
- Understand your peak traffic patterns for APIs and organizations, and the times of day when these occur.
- Analyze your system resources on the gateways and on the backend so that the throttling protects valuable systems from exceeding system and application limitations. Performance testing and capacity planning should be part of this work.
- Evaluate backend response timeouts on various APIs and factor them into the equation for restricting throughput on any API. This timeout can be set manually per API, so it should be part of SLA tuning to ensure the system and the API reliably return a response.
- Consider what restrictions are already in place on your firewall and load balancers to ensure the design complements the existing strategy with additional protection.
- Decide what type of throttling (e.g. throttle, blackout period, shape) should be applied for specific consumers to be most effective and least disruptive to throughput and the business.
- Have a system in place to alert when SLAs are exceeded and capture analytical information on any excessive loads on the system.
- Continually monitor your API throughput and keep historical data that allows you to predict anomalies caused by DDoS.
- Continuously monitor and refine your throttling, because API traffic demands change over time.
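To make the three throttling types and the SLA alerting concrete, here is an added example (not Portal or Gateway code; the `Plan` and `PlanEnforcer` names and the per-consumer plan model are assumptions) that applies a throttle, a blackout period and a shaping policy to a constructed request stream and records every SLA-exceeded event for monitoring:

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical consumer plan (an assumption, not the Portal's own data model).
# mode "throttle": reject once `limit` requests were admitted within `window_s`
# mode "shape":    never reject; delay the request until it fits under the limit
# mode "blackout": reject everything between the two seconds-of-day bounds
@dataclass
class Plan:
    mode: str
    limit: int = 0
    window_s: float = 1.0
    blackout: tuple = (0.0, 0.0)

class PlanEnforcer:
    def __init__(self, plans):
        self.plans = plans
        self.admitted = defaultdict(deque)  # consumer -> sorted admission times
        self.alerts = []                    # (consumer, ts) SLA-exceeded events

    def decide(self, consumer, ts):
        """Return ('allow'|'reject'|'delay', effective admission time or None)."""
        plan = self.plans[consumer]
        if plan.mode == "blackout":
            lo, hi = plan.blackout
            return ("reject", None) if lo <= ts % 86400 < hi else ("allow", ts)
        q = self.admitted[consumer]
        while q and q[0] <= ts - plan.window_s:   # forget admissions outside the window
            q.popleft()
        if len(q) < plan.limit:
            q.append(ts)
            return ("allow", ts)
        self.alerts.append((consumer, ts))        # feed this to alerting/analytics
        if plan.mode == "shape":
            # admit once the oldest of the last `limit` admissions has aged out
            admit_at = q[-plan.limit] + plan.window_s
            q.append(admit_at)
            return ("delay", admit_at)
        return ("reject", None)

def demo():
    """Constructed request stream (consumer, seconds since midnight); not real traffic."""
    plans = {"partner-a": Plan("throttle", limit=2, window_s=1.0),
             "partner-b": Plan("shape", limit=1, window_s=1.0),
             "partner-c": Plan("blackout", blackout=(3600.0, 7200.0))}
    stream = [("partner-a", 0.0), ("partner-a", 0.2), ("partner-a", 0.5), ("partner-a", 1.1),
              ("partner-b", 0.0), ("partner-b", 0.4), ("partner-b", 0.5),
              ("partner-c", 3599.0), ("partner-c", 3600.0)]
    enforcer = PlanEnforcer(plans)
    decisions = [(c, ts, *enforcer.decide(c, ts)) for c, ts in stream]
    return decisions, enforcer.alerts

if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

The `alerts` list is the hook for the "alert when SLAs are exceeded" practice: every over-limit event is recorded whether the request was rejected or merely delayed.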
Protection against DDoS fits nicely into the Layer7 approach of managing the full API Lifecycle, and no company does it as comprehensively and with so many applications as our Layer7 API Management Suite. The new Portal API Plans feature allows throttling to be applied in a user-friendly manner through the user interface and, in addition, allows access via administrative APIs to control and monitor the runtime production environment. Customers are already using Layer7 Portal APIs in their DevOps processes, and this addition will allow companies to be more efficient and respond more quickly to cyber threats related to large spikes or growth in the number of API requests.
To adopt an Agile approach to securing and managing your company APIs, there needs to be a deployment strategy and governance of what is being deployed to address risks to the business. This was nicely demonstrated at the 2019 Gartner Catalyst conference, where leading Service Providers (Pivotal, AWS, Microsoft, Red Hat and Google) presented the trends in cloud-native architecture and DevOps delivery patterns. One of the key technical points emphasized was the observability and traceability of changes being made to production systems. Taking advantage of a source code repository and deployment APIs to manage security and stability settings with a feature such as API Plans will become increasingly important in the DevOps world.
Following some simple best practices when implementing API Plans and monitoring the results to continuously improve security will help your company to combat the rise of DDoS attacks. Stay tuned for an upcoming YouTube video on how to use the new Layer7 API Developer Portal API Plans feature.