A Growing Threat: DoS Attacks Against APIs
As more organizations turn to APIs in their digital transformations, there’s an emerging security threat that requires consideration. It’s actually an old threat—the denial of service (DoS) attack—that’s using a different attack vector: APIs.
One of the earliest such attacks hit PayPal in November 2010; the online payment services provider suffered from several critical API errors that eventually forced the company to blog an apology with the line “Sorry—your last action could not be completed.” In June 2012, Amazon Web Services (AWS) was hindered from recovering from a power outage by a huge increase in API errors. The disruption affected millions of users. AWS never publicly commented on the cause of the initial power outage or the subsequent spike in API errors, so it wasn’t clear whether it was an inadvertent API denial of service or a deliberate attack. Regardless, it still significantly impacted AWS operations.
As these API DoS attacks become more common, and as organizations increasingly rely on APIs for their business needs, security professionals should proactively plan to deal with such attacks. Even if an API key (or access token) used for application authentication is disabled, a key can easily be reacquired through a standard browser request. Therefore, invalidating a current access token is not a long-term solution. If a DoS attack is traced back to a specific IP address, then blacklisting that IP address isn't a long-term solution either, because the attacker can easily acquire a new one.
That's why multiple access control methods are necessary. For non-sensitive information, use of API keys might be sufficient. However, to better prevent a DoS attack, the use of HTTPS and more robust authentication mechanisms, including OAuth, mutual (two-way) TLS (transport layer security) authentication, or SAML (security assertion markup language) tokens, are necessary.
Of course, while more robust authentication by the API will help prevent deliberate DoS attacks, organizations also need to prepare for inadvertent DoS attacks. These could result from poorly written APIs, or they could stem from too much of a good thing: an overabundance of customers using the APIs above what the organization’s infrastructure can support. That’s why quota and spike arrest capabilities on your API management platform are also an important capability in preventing DoS attacks.
The bottom line: as your organization makes increasing use of APIs, make sure you’re paying attention to the likelihood of DoS attacks.
For more on API and API infrastructure security, read the free Apigee eBook, “Securing the Digital Enterprise.”