Mitigating OWASP API Security Risk: Unrestricted Resource Consumption using F5 Distributed Cloud Platform

Introduction:

An Unrestricted Resource Consumption vulnerability occurs when an API allows end users to over-utilize resources (e.g., CPU, memory, bandwidth, or storage) without enforcing proper limits. This can leave the system overwhelmed, causing performance degradation, denial of service (DoS), or complete unavailability of the service for legitimate users.


Attack Scenario:

In this demo, we generate a large volume of traffic and observe the server's behaviour along with its response time.


Fig 1: Using Apache JMeter to send an arbitrary number of requests to an API endpoint continuously within a very short span of time.


Fig 2: (From left to right) Response time under normal load and with the server under heavy traffic.


The above results show a higher response time when abnormal traffic is sent to a single API endpoint compared to normal usage. With further increases in volume, the server can become unresponsive and deny requests from real users, resulting in a DoS attack.


Fig 3: Attackers performing an arbitrary number of API requests to consume the server's resources


Customer Solution:

F5 Distributed Cloud (XC) WAAP helps address the above vulnerability by rate limiting API requests, thereby preventing complete consumption of memory, file system storage, CPU resources, etc. This protects against traffic surges and DoS attacks.

This article aims to provide F5 XC WAAP configurations to control the rate of requests sent to the origin server.


Step by Step to configure Rate Limiting in F5 XC:

These are the steps to enable the Rate Limiting feature for APIs and validate it:

  1. Add API Endpoints with Rate Limiter values
  2. Validation of request rate to violate threshold limit
  3. Verifying blocked request in F5 XC console

Step 1: Add API Endpoints with Rate Limiter values

  • Log in to the F5 XC console and navigate to Home > Load Balancers > Manage > Load Balancers.
  • Select the load balancer to which API Rate Limiting should be applied.
  • Click on the menu in the Actions column of the app's Load Balancer and click on Manage Configurations, as shown below, to display the load balancer configuration.


Fig 4: Selecting menu to manage configurations for load balancer


  • Once the Load Balancer configuration is displayed, click on the Edit Configuration button at the top right of the page.
  • Navigate to Security Configuration, select "API Rate Limit" in the Rate Limiting dropdown, and click on "Add Item" under the API Endpoint section.


Fig 5: Choosing API Rate Limit to configure API endpoints.


Fig 6: Configuring rate limit to API Endpoint


  • The rate limit is configured for GET requests to the API Endpoint "/product/OLJCESPC7Z".
  • Click on the Apply button displayed at the bottom right of the screen.
  • Click on "Save and Exit" for the above configuration to be saved to the Load Balancer.

Step 2: Validation of request rate to violate threshold limit


Fig 7: Verifying request for first time


The request is sent for the first time after configuring the API Endpoint, and the response is returned with status code 200.

Requests to the same API Endpoint beyond the threshold limit are blocked, as shown below.


Fig 8: Rate Limiting the API request
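The validation in Step 2 can be scripted rather than clicked through: burst requests at the limited endpoint, tally the status codes, and confirm that the configured endpoint returns 429 past the threshold while an unconfigured endpoint is untouched. This is an added example, not F5 XC code: the fixed-window limiter below is a stand-in constructed so the check runs offline, and THRESHOLD, WINDOW_SECONDS and the second path are assumed values (the real threshold is whatever you entered in the API Endpoint rate limiter).

```python
from collections import Counter
from typing import Callable, Dict, Set, Tuple

THRESHOLD = 10        # assumed: requests allowed per window for the endpoint
WINDOW_SECONDS = 60   # assumed: window length in seconds
LIMITED = {("GET", "/product/OLJCESPC7Z")}  # the endpoint configured in Fig 6

Key = Tuple[str, str]


class SimulatedRateLimiter:
    """Stand-in for the edge: fixed-window counter keyed on (method, path).
    Constructed for this example; it is not F5 XC's implementation."""

    def __init__(self, threshold: int, window: int, limited: Set[Key]) -> None:
        self.threshold, self.window, self.limited = threshold, window, limited
        self.window_start: Dict[Key, float] = {}
        self.counts: Dict[Key, int] = {}

    def handle(self, method: str, path: str, now: float) -> int:
        key = (method, path)
        if key not in self.limited:
            return 200                      # unconfigured endpoints pass through
        start = self.window_start.get(key)
        if start is None or now - start >= self.window:
            self.window_start[key], self.counts[key] = now, 0   # new window
        self.counts[key] += 1
        return 200 if self.counts[key] <= self.threshold else 429


def tally_burst(send: Callable[[str, str], int], method: str, path: str, n: int) -> Counter:
    """Send n back-to-back requests through `send` and count the status codes."""
    tally: Counter = Counter()
    for _ in range(n):
        tally[send(method, path)] += 1
    return tally


def run_validation(n: int = 25) -> Tuple[Counter, Counter]:
    """Burst against the limited endpoint and a constructed unlimited one, all at t=0."""
    limiter = SimulatedRateLimiter(THRESHOLD, WINDOW_SECONDS, LIMITED)
    send = lambda m, p: limiter.handle(m, p, now=0.0)  # swap in an HTTP client for a real check
    limited = tally_burst(send, "GET", "/product/OLJCESPC7Z", n)
    other = tally_burst(send, "GET", "/product/EXAMPLE-OTHER", n)  # constructed path
    return limited, other


if __name__ == "__main__":
    limited, other = run_validation()
    print("limited:", dict(limited), "other:", dict(other))  # {200: 10, 429: 15} {200: 25}
```

Against the real load balancer, replace `send` with a function that issues the HTTP request and returns the status code; the tallies should then match the request log counts seen in Step 3.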


Step 3: Verifying blocked request from F5 XC console

  • From the F5 XC Console homepage, navigate to WAAP > Apps & APIs > Security and select the Load Balancer.
  • Click on Requests to view the request logs, as below.


Fig 9: Blocked API request details from F5 XC console


  • You can see that requests beyond the rate limiter value get dropped and the response code is 429.


Conclusion:

In this article, we have seen that when an application receives an abnormal amount of traffic, F5 XC WAAP protects APIs from being overwhelmed by rate limiting the requests. XC's Rate Limiting feature helps prevent DoS attacks and ensures service availability at all times.



Published Apr 29, 2025
Version 1.0