For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Protect your AWS API Gateway with F5 BIG-IP WAF

This article will help you deploy an F5 BIG-IP WAF in front of your AWS API Gateway to provide additional security. It shows how to deploy a basic WAF policy to protect your API Gateway, and you can ...
Published Mar 20, 2018
Version 1.0
ASM Advanced WAF
aws
security
Graham_Alderso1's avatar
Graham_Alderso1
Ret. Employee
Mar 23, 2018

Yes, protecting APIs against small scale automation attacks can be challenging. Here's a few recommendations:

 

  1. If you can, implement authorization controls as your first line of defense. APM can support this need with OAuth/JWT natively in v13.1.
  2. Leverage bad actor blacklisting. Once you've identified malicious requests, block the bad actor rather than just the bad requests. If your API is being probed, it's likely they'll be trying invalid requests or something that will be caught by a signature at some point.
  3. If your API is for a mobile app, look at a solution like F5's new Anti-Bot Mobile Application SDK. https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/43.html