Securing API against DDoS attacks

Question

I have designed a backend service which is only accessible via a custom REST API. As I understand, services such as CloudFlare are designed to protect HTTPS traffic, and do not apply for custom APIs.

How can I protect my API against DDoS attacks? What services, tools and design considerations should I bear in mind to protect my API service from DDoS attacks?

dupe of https://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos — Neil McGuigan, Feb 15 '16 at 17:59
@NeilMcGuigan: I want a deep-dive answer into application-specific DDoS mitigations. — Randomblue, Feb 15 '16 at 19:03
"As I understand....". No. A basic CDN service provides caching near the client which does not protect dynamic content, but they will protect against sloloris type attacks. Most CDN's now offer much more sophisticated traffic management options which give you more control and protection. — symcbean, Sep 25 '16 at 01:57
There's a similar question over on stackoverflow: How to stop hack/DOS attack on web API — Luke Quinane, Jun 17 '18 at 03:00

score 1 · Answer 1 · answered Sep 24 '16 at 19:44

I'd suggest to hide your REST API behind a so-called API Gateway. Such components should handle that.

I know that APIGee provides different features (http://docs.apigee.com/api-services/content/comparing-quota-spike-arrest-and-concurrent-rate-limit-policies) that can help to mitigate DDoS attacks.

Securing API against DDoS attacks

1 Answers1