Forum Discussion
Restrict inbound API calls using iRule
Dave,
The business is concerned about the back end Databases being hammered with spoofed API calls. They only want approved sources to be able to make these calls to the API Virtual Server. We initially thought to approach this by trying to restrict the calls using source IP address, but the external service providers (Mailgun, Twilio, etc.) were not able to provide those and they advised against it anyway. So I started looking at maybe using static strings in the URI path that the service providers use to make calls to us and applying an iRule to the VS that will drop any inbound requests that don't specifically contain the defined URI path expressions. I am just not sure if this is the best approach, or if there were any way a potential attacker could circumvent this control. Obviously if they knew the string they could plug that in and launch an attack, but the only ones who know the string are us and the SP. It's kind of like a password in that way.
Thanks.
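
A sketch of the iRule described in the post above, as an added example that is not part of the original post and not F5's own code. The data group name `api_allowed_paths` and the sample path layout are assumptions.

```tcl
# Added example, not from the original post.
# Assumption: a string-type data group named api_allowed_paths (hypothetical)
# holds one secret path prefix per provider, for example
#   /hooks/mailgun/<long-random-token>/
#   /hooks/twilio/<long-random-token>/
when HTTP_REQUEST {
    # HTTP::path is the request path without the query string, exactly as
    # the client sent it. No decoding or case folding is done here, so an
    # encoded or re-cased variant of a valid prefix fails the match.
    set path [HTTP::path]

    # Anchor the match at the start of the path. A "contains" match would
    # also accept the token embedded anywhere in a longer path.
    if { [class match $path starts_with api_allowed_paths] } {
        return
    }

    # Log the source but not the path: a near-miss path may hold most of a
    # valid token, and anyone who can read the log would learn it.
    log local0. "API path check failed, client [IP::client_addr]"

    # Discard the request silently, before any pool member (and so the
    # back-end database) sees it.
    drop
}
```

Because the prefix works like a password, it is only as private as the transport and the logs it passes through, so the virtual server should take these calls over HTTPS only.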