It’s frustrating to see that sometimes project delivery deadlines are so tight that the quality of your application development is neglected. It’s even worse when, thanks to weak security policies, your security team can’t detect the damage until it’s too late. To help you out, I want to look at targeted DDoS API attacks and what they do to your application programming interfaces, also known as API endpoints.
I will explain what DDoS is and the problems it can cause. Next, I’ll walk you through how to check whether you’ve been attacked using Wireshark, one of the best-known network analyzers on the market. I will then show how you can reduce the DDoS API attack surface of your environment. After that, I’ll end with a recap of what we analyzed.
So, let’s start by understanding what a DDoS API attack is and what it can do to your API endpoints.
What is DDoS and how does it affect your API requests?
Let’s review some API-related concepts and explore what a DDoS attack means.
DDoS stands for distributed denial of service. It consists of stuffing the network connection to your services with requests. These requests, made on layer 7 of the OSI model (also known as the application layer), are invalid: they flood your server with phantom requests sent by what is called a botnet. So there are cases where your own machines attack a targeted server without your consent. This is another reason to make sure that even your personal computer’s security is robust.
Now that we’ve looked at a DDoS API attack, let’s see what an API request is. There are other types of attacks targeting API requests, as shown in this GitHub repository.
API DDoS attacks focus not only on the server your API is running on, but also on each endpoint of your API service. In more advanced attacks, your API service is attacked both on the server and on the API service itself. A successful attack has drastic consequences for the health of your API server.
That said, let’s see how to identify a compromised network with Wireshark, a network analyzer.
Spot compromised network traffic with Wireshark
Wireshark is a handy tool for investigating your network. It’s also a versatile tool that you should have on hand if you really want to get into the details of your traffic. Let’s look at an example of a compromised network. Go here to access the Wireshark log named sec-sickclient.pcapng.
Excerpt from Wireshark’s DDoS logs
The log confirms that requests made from IP 10.129.211.13, port 1047, were unable to reach the server 188.8.131.52 on port 18067.
The first thing to notice is the unusual port number. DDoS attacks typically target non-standard ports. The attacker’s goal is to flood the server with invalid requests, which compete with valid requests.
Another trick when checking the validity of API calls is to check whether the checksum is correct. In the snippet, you can see that the checksum of an invalid request is incorrect. Invalid requests like this flood the server, which becomes unresponsive.
Now that you understand what a DDoS API attack is and how to track it down, let’s look at some approaches that help reduce the attack surface of your services. We’ll start by reducing your attack surface by filtering your upstream traffic requests.
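The three signals above (a burst of requests from one source, a non-standard destination port, and a failing transport checksum) can be turned into a small triage script. This is an added example, not code from the post; the flow records are constructed to resemble the capture described and are not taken from sec-sickclient.pcapng, and the set of expected API ports is an assumption.

```python
from collections import defaultdict, deque

# Constructed flow records modelled on the capture discussed above
# (not the real pcap): (time_s, src_ip, src_port, dst_ip, dst_port, checksum_ok)
SAMPLE_FLOWS = [
    (0.00, "10.129.211.13", 1047, "188.8.131.52", 18067, False),
    (0.01, "10.129.211.13", 1047, "188.8.131.52", 18067, False),
    (0.02, "10.129.211.13", 1048, "188.8.131.52", 18067, False),
    (0.03, "10.129.211.13", 1049, "188.8.131.52", 18067, False),
    (0.04, "10.129.211.13", 1050, "188.8.131.52", 18067, False),
    (0.10, "10.0.0.7", 51022, "188.8.131.52", 443, True),
    (0.50, "10.0.0.8", 51023, "188.8.131.52", 443, True),
]

# Assumption: the API is only ever served on these ports.
API_PORTS = {80, 443, 8080, 8443}


def suspicious_sources(flows, window_s=1.0, max_per_window=3, api_ports=API_PORTS):
    """Return {src_ip: [reasons]} for sources whose traffic looks like a flood:
    more than max_per_window packets inside a sliding window of window_s seconds,
    packets aimed at a port the API does not listen on, or packets whose
    transport checksum failed validation."""
    by_src = defaultdict(list)
    for t, src, _sport, _dst, dport, ok in sorted(flows):
        by_src[src].append((t, dport, ok))

    findings = {}
    for src, pkts in by_src.items():
        reasons = set()
        window = deque()  # timestamps of this source's packets in the current window
        for t, dport, ok in pkts:
            window.append(t)
            while window and t - window[0] > window_s:
                window.popleft()
            if len(window) > max_per_window:
                reasons.add("flood")
            if dport not in api_ports:
                reasons.add("unusual-port")
            if not ok:
                reasons.add("bad-checksum")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_sources(SAMPLE_FLOWS).items():
        print(src, ", ".join(reasons))
```

Weight the checksum signal by direction: packets sent by the capturing host itself often show bad checksums only because the NIC fills them in after Wireshark sees the frame (checksum offloading).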
The Filtered Upstream Requests Approach
There are ways to filter your requests. I prefer a content delivery network (CDN). The CDN hides the source code of your application while serving the application layer data from its cached content. It works as an upstream security defense by filtering requests to your applications and serving your users cached, low-latency data. Third-party tools offer CDN solutions, such as AWS CloudFront. Nevertheless, it is good to have a minimal response plan before contacting your ISP. Having your user-facing services serve web content, such as videos and music, from secure cached storage can also help.
This approach filters traffic before it reaches your network, making your servers easier to manage. But it still needs something more to protect you if your environment is discovered and compromised. Here’s where a jar of honey can help.
The honeypot approach
I find your own environment to be the best source of data for your mitigation plan. You will have precise data on your attacks with a malware honeypot that mimics both your front-end and back-end environments.
Your honeypot can work as a rat trap if you deliberately leave vulnerabilities open for attackers to exploit. It’s a risky game, because your honeypot must be identical to your production environment. Otherwise, you have invited your attackers to explore your environment. But when deployed correctly, it becomes a powerful tool for securing your domain.
A good honeypot can also show how well your defense systems are stopping attacks. Another advantage is that it shows which data should have more security measures.
Even with a honeypot in place, your network can suffer without excellent management of your API requests. To ensure you are covered in this regard, you can limit your network resources.
Limiting your network resources
You can configure your network interface controller to handle a maximum amount of traffic per session. This is called rate limiting, and it can be done in software or in hardware. The former handles the number of concurrent calls, while the latter is about your switch and router configurations. Rate limiting your network resources gives you confidence that your application stays in a healthy state, even though some users may experience higher latency from the attacked services.
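The software side of the rate limiting described above, written as a per-client token bucket (my choice of algorithm; the post names none). This is an added example rather than the post's own code; the request log is constructed, and the burst size and refill rate are assumptions to tune for your service.

```python
from collections import defaultdict


class ApiRateLimiter:
    """Per-client token bucket. Each client may burst up to `capacity` requests
    and is then refilled at `rate` requests per second. Requests over the limit
    are rejected immediately (an HTTP 429 in practice) rather than queued, so a
    flooding client cannot tie up the worker pool that serves everyone else."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self._buckets = {}  # client -> (tokens, time of last refill)

    def allow(self, client: str, now: float) -> bool:
        # `now` is passed in (monotonic seconds) so behaviour is deterministic in tests.
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[client] = (tokens - 1, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


def replay(limiter: ApiRateLimiter, requests):
    """Feed (time_s, client) pairs through the limiter.
    Returns {client: (allowed, rejected)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, client in requests:
        stats[client][0 if limiter.allow(client, t) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


# Constructed request log: one client fires 20 calls in 0.2 s while a normal
# client makes one call every half second.
FLOOD = [(i * 0.01, "10.129.211.13") for i in range(20)]
NORMAL = [(i * 0.5, "10.0.0.7") for i in range(10)]
SAMPLE_REQUESTS = sorted(FLOOD + NORMAL)

if __name__ == "__main__":
    # Assumed policy: burst of 5, sustained 2 requests/s per client.
    for client, (ok, dropped) in replay(ApiRateLimiter(5, 2.0), SAMPLE_REQUESTS).items():
        print(f"{client}: allowed={ok} rejected={dropped}")
```

With this policy the flooding client gets 5 requests through and 15 rejected, while the normal client is never throttled; the same limiter can be keyed by API token or endpoint instead of source IP.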
A good response plan has multiple layers of security. Now let’s see how you can benefit from a content delivery network with a honeypot.
How a Malicious Honeypot and CDN Can Improve Your Defenses
As mentioned earlier, the CDN serves your application layer content, covering only part of your security plan. You can use a honeypot as your first attack surface, and it should sit in a controlled environment where your application resides. Your security plan should combine services focused on different application domains, and the safety orientation principle enhances the security of interconnected parts. So, combining your CDN with a malware honeypot can help your team enforce the response plan in place, mitigating the slowness and unavailability of your services. This then gives you enough time to iterate on your degraded services more securely, without opening new threats.
Let’s review by checking out the topics we covered today.
DDoS attacks make your environment unstable by triggering service calls to a targeted service with invalid requests. Though there are many types of DDoS attacks, we often overlook those that focus on the health of your API services.
I suggest reviewing the OWASP API Security Tips. Depending on the flow of data and the accessibility of your services, you can adopt additional measures. The idea is to reduce your attack surface. However, you don’t want to create a black box. The security and usability of your components must be balanced for the adoption of your service by your developers and users.
Traceable AI solutions for API security are an excellent choice for dynamic vulnerability scanning of your API. They provide a mature infrastructure focused on the observability of your ecosystem. You can see how Traceable AI works and reach out to their team so that your security team can properly secure your digital assets.
This message was written by Daniel Paes. Daniel is a data-driven professional interested in AI for cognitive enhancement. He is an evangelist of security risk and data privacy awareness.
*** This is a syndicated blog from the Security Bloggers Network of Blog written by Daniel Paes. Read the original post at: https://www.traceable.ai/blog-post/api-ddos-attacks