8

I have designed a backend service which is only accessible via a custom REST API. As I understand, services such as CloudFlare are designed to protect HTTPS traffic, and do not apply to custom APIs.

How can I protect my API against DDoS attacks? What services, tools and design considerations should I bear in mind to protect my API service from DDoS attacks?

Randomblue
  • Googling [api ddos protection](https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&es_th=1&ie=UTF-8#q=api%20ddos%20protection&es_th=1) returns helpful information. – Neil Smithline Feb 15 '16 at 15:42
  • dupe of https://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos – Neil McGuigan Feb 15 '16 at 17:59
  • @NeilMcGuigan: My question is for APIs specifically. – Randomblue Feb 15 '16 at 18:02
  • @Randomblue The answer is general – Neil McGuigan Feb 15 '16 at 18:04
  • @NeilMcGuigan: I want a deep-dive answer into application-specific DDoS mitigations. – Randomblue Feb 15 '16 at 19:03
  • "As I understand....". No. A basic CDN service provides caching near the client which does not protect dynamic content, but they will protect against Slowloris-type attacks. Most CDNs now offer much more sophisticated traffic management options which give you more control and protection. – symcbean Sep 25 '16 at 01:57
  • There's a similar question over on stackoverflow: [How to stop hack/DOS attack on web API](https://stackoverflow.com/questions/32575924/how-to-stop-hack-dos-attack-on-web-api) – Luke Quinane Jun 17 '18 at 03:00

1 Answer

1

I'd suggest hiding your REST API behind a so-called API Gateway. Such components should handle that.

I know that Apigee provides different features (http://docs.apigee.com/api-services/content/comparing-quota-spike-arrest-and-concurrent-rate-limit-policies) that can help to mitigate DDoS attacks.

Nicolas
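
The link in the answer above names three kinds of limit: quota, spike arrest and concurrent rate limit. The following is an added example, not part of the original answer and not Apigee's implementation, showing how the three differ when a gateway applies them per client. The class, method names, thresholds and request trace are hypothetical and constructed for illustration.

```python
from collections import defaultdict

class GatewayLimiter:
    """Per-client admission check combining three limits (hypothetical class)."""
    def __init__(self, quota, quota_window, spike_per_sec, max_concurrent):
        self.quota, self.quota_window = quota, quota_window
        self.min_gap = 1.0 / spike_per_sec      # spike arrest spacing, seconds
        self.max_concurrent = max_concurrent
        self.windows = {}                       # client -> (window index, count)
        self.last_accept = {}                   # client -> time of last admit
        self.in_flight = defaultdict(int)       # client -> requests still open

    def admit(self, client, now):
        """Return 'ok' or the name of the limit that rejected the request."""
        last = self.last_accept.get(client)
        if last is not None and now - last < self.min_gap:
            return "spike_arrest"               # burst: too soon after last one
        if self.in_flight[client] >= self.max_concurrent:
            return "concurrent_limit"           # backend slots for client are full
        window = int(now // self.quota_window)
        idx, count = self.windows.get(client, (window, 0))
        if idx != window:
            idx, count = window, 0              # new quota period, reset counter
        if count >= self.quota:
            return "quota"                      # long-term allowance used up
        self.windows[client] = (idx, count + 1)
        self.last_accept[client] = now
        self.in_flight[client] += 1
        return "ok"

    def finish(self, client):
        """Release a slot once the backend response has been sent."""
        self.in_flight[client] = max(0, self.in_flight[client] - 1)

def replay(limiter, events):
    """Run (time, client, action) events; action is 'req' or 'done'."""
    out = []
    for now, client, action in events:
        if action == "done":
            limiter.finish(client)
        else:
            out.append(limiter.admit(client, now))
    return out

# Constructed trace: client A bursts, holds slots open, then uses up its quota.
TRACE = [(0.00, "A", "req"), (0.01, "A", "req"), (0.20, "A", "req"),
         (0.40, "A", "req"), (0.50, "A", "done"), (0.60, "A", "req"),
         (0.70, "A", "done"), (0.80, "A", "req"), (0.80, "B", "req"),
         (61.0, "A", "req")]
```

Replaying `TRACE` with `GatewayLimiter(quota=3, quota_window=60, spike_per_sec=10, max_concurrent=2)` shows each limit rejecting a different request from client A while client B is unaffected.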