07-Oct-2022 12:39 - edited 22-Jun-2023 21:53
The introductory article gave a brief presentation of the OWASP API Security Top 10 and of F5 Distributed Cloud (F5 XC) Web Application and API Protection (WAAP). This article continues the series and shows how to mitigate the API vulnerability Lack of Resources and Rate Limiting using F5 XC WAAP.
An API responds to a user's request, and generating that response consumes server resources such as CPU, memory and storage; how much depends on the processing involved and the amount of data returned. Without rate limiting, a single user or a group of users can send too many requests at once and overwhelm the server's ability to handle API requests, leaving the system vulnerable. Such sustained request floods slow the service down, can make the API unresponsive and in some instances lead to Denial of Service (DoS).
This weakness is significant and should be addressed: OWASP ranked it #4 in the 2019 API Security Top 10 as API4:2019 Lack of Resources and Rate Limiting.
In this demo we generate a high volume of traffic against an API endpoint and observe the server's behaviour and its response time.
Fig 1: Using Apache JMeter to send an arbitrary number of requests continuously to an API endpoint in a very short span of time.
Fig 2: (From left to right) Response time under normal traffic and under heavy traffic.
The results above show a higher response time when abnormal traffic is sent to a single API endpoint than under normal usage. With a further increase in volume the server can become unresponsive and deny requests from real users, resulting in a DoS condition.
Fig 3: Attackers sending an arbitrary number of API requests to consume the server's resources
F5 XC WAAP addresses this vulnerability by rate limiting API requests, preventing complete consumption of memory, file system storage, CPU and other resources. This protects against traffic surges and DoS attacks.
This article provides the F5 XC WAAP configuration needed to control the rate of requests sent to the origin server.
These are the steps to enable the rate limiting feature for APIs and validate it:
Step 1: Add API Endpoints with Rate Limiter values
Fig 4: Selecting menu to manage configurations for load balancer
Fig 5: Choosing API Rate Limit to configure API endpoints.
Fig 6: Configuring rate limit to API Endpoint
Step 2: Validating that requests beyond the threshold limit are blocked
Fig 7: Verifying request for first time
The first request sent after configuring the API endpoint succeeds, and the response is returned with status code 200.
Requests to the same API endpoint beyond the threshold limit are blocked, as shown below:
Fig 8: Rate Limiting the API request
Step 3: Verifying blocked requests in the F5 XC console
Fig 9: Blocked API request details from F5 XC console
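To make the behaviour validated in Steps 2 and 3 concrete, the following is an added example (not F5 XC code or configuration, and not part of the original article) of a per-client, per-endpoint rate limiter that produces the same outcome: requests under the threshold are answered with 200, excess requests on that endpoint are rejected with 429 and a Retry-After hint, while other clients and other endpoints are unaffected. The endpoint paths, the client addresses and the 5-requests-per-60-seconds limit are assumptions chosen for the demonstration.

```python
"""Per-client, per-endpoint API rate limiter (sliding-window log).

Added example, not F5 XC code or configuration: it reproduces the behaviour
shown in the validation step (requests under the threshold return 200, excess
requests are rejected with 429) so the policy can be reasoned about offline.
The endpoint paths, client addresses and the 5-requests-per-60-seconds limit
below are assumptions chosen for the demonstration.
"""
import math
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, str]                         # (client identifier, API endpoint)
Decision = Tuple[float, str, str, int, int]   # (t, client, endpoint, status, retry_after)


@dataclass
class RateLimiter:
    """Allow at most `limit` requests per `period` seconds for each
    (client, endpoint) pair. The client key is whatever identifies the
    caller at the edge (source IP, API key, ...); the endpoint is the
    matched API path, mirroring a per-endpoint rate limit rule."""
    limit: int
    period: float
    _log: Dict[Key, Deque[float]] = field(default_factory=dict)

    def check(self, client: str, endpoint: str, now: float) -> Tuple[int, int]:
        """Return (HTTP status, Retry-After seconds): 200 allowed, 429 blocked."""
        window = self._log.setdefault((client, endpoint), deque())
        # Forget requests that have aged out of the sliding window.
        while window and window[0] <= now - self.period:
            window.popleft()
        if len(window) < self.limit:
            window.append(now)
            return 200, 0
        # The oldest request still in the window decides when the next slot opens.
        retry_after = math.ceil(window[0] + self.period - now)
        return 429, max(retry_after, 1)


def run(traffic: List[Tuple[float, str, str]], limit: int, period: float) -> List[Decision]:
    """Replay a time-ordered list of (t, client, endpoint) requests through one limiter."""
    limiter = RateLimiter(limit=limit, period=period)
    return [(t, c, e, *limiter.check(c, e, t)) for t, c, e in traffic]


# Constructed sample traffic (not captured data): one attacker hammers a single
# endpoint while a legitimate client uses the same endpoint once.
ATTACKER, LEGIT = "198.51.100.7", "203.0.113.9"      # RFC 5737 documentation addresses
USERS, HEALTH = "/api/v1/users", "/api/v1/health"     # hypothetical endpoints
SAMPLE_TRAFFIC: List[Tuple[float, str, str]] = [
    (0, ATTACKER, USERS), (1, ATTACKER, USERS), (2, ATTACKER, USERS),
    (3, LEGIT, USERS),                  # separate client key, unaffected
    (3, ATTACKER, USERS), (4, ATTACKER, USERS),
    (5, ATTACKER, USERS),               # 6th request within 60 s -> 429
    (5, ATTACKER, HEALTH),              # different endpoint, separate limit
    (6, ATTACKER, USERS),               # still blocked
    (60, ATTACKER, USERS),              # first request has aged out -> allowed again
]

if __name__ == "__main__":
    for t, client, endpoint, status, retry in run(SAMPLE_TRAFFIC, limit=5, period=60):
        extra = f"  Retry-After: {retry}" if status == 429 else ""
        print(f"t={t:>3}s {client:<14} {endpoint:<16} -> {status}{extra}")
```

Keying the window on (client, endpoint) is what makes the limit in Step 1 apply per API endpoint rather than to the whole load balancer; the choice of client identifier matters just as much, since a limit keyed only on source IP is weaker against clients that rotate addresses.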
When an application receives an abnormal amount of traffic that could lead to an outage, F5 XC WAAP protects the API from being overwhelmed by rate limiting the requests, so the quota or resource limit is never fully consumed. Rate limiting helps prevent DoS attacks and keeps the service available. The rate limit key should be chosen with care: a limit keyed only on source IP is weaker against attackers that rotate addresses, which is where bot defense complements rate limiting. With F5 XC a customer can apply rate limiting to multiple domains or server URLs and to their individual endpoints with a few configuration steps in the F5 XC console, instead of implementing it separately for each service, which saves considerable effort.
Nice article, but shouldn't F5 Shape Security in most cases detect the bad bot traffic from JMeter even if the source IP addresses and User-Agent headers are changed (JMeter supports changing User-Agent headers, and most modern bots rotate the source IP addresses and User-Agent headers) and block it? Maybe the rate limit is a second option if the bot is really new and advanced, until Shape Security blocks it?
@Nikoolayy1 JMeter is used here only as a tool to generate traffic so that the F5 XC rate limiting feature can be validated and shown to be supported. When Shape's Bot Defense is enabled, it automatically detects and captures the bot traffic.