DDOS Attacks - Restful Web Services

Question 1

Put a HTTP cache like Squid or Varnish in front of your API and put a small max-age header on any resource that you are concerned about. Even having a max-age of 1 second will prevent your API from being hit more than once per second for that resource.

Question 2

Enabling web caching can mitigate the DoS attack on GET request. But another common type of DoS attack is to send huge amounts of data in an HTTP POST method. To mitigate this type of DoS, it is considered best practice to set the PostTimeoutSecs, MaxPostTimeSecs, MaxPostSize settings in your web server or application server. The parameter names vary across different servers.

That being said, adding web cache and set POST request limit are very rudimentary ways to prevent DoS attack. To get more effectively counter DoS attack, you may consider solutions such as Web Application Firewall. Please visit the OWASP site for list of WAF products on the market including some open source options.

Question 3

Unless you are a large deployment with a great deal of active users and income, I don't think you can justify anything but basic measures.

Instead, make sure you are confident that you will know in a timely fashion that your system is under attack (by monitoring CPU/Memory/requests-per-second).

If you believe you are under attack, ask whomever hosts your servers to help.

I'd love to hear another opinion, but I think any roll-your-own approach is almost always doomed to failure. Almost no matter what you do, the link provided by upstream can be saturated, meaning sometimes the only person who can do something is upstream of your servers--not you.

Question 4

Let CDN be a protective shield surrounding your growing set of REST APIs. Here is one example usage.

Question 5

DDoS attacks leverage weakness in the application which is formed as a result of code anomalies like memory leaks, longer session time, boundary conditions taking high cpu cycles etc. Session time may not be valid here for RESTFul web services as they are considered to have stateless responses. However, following steps may help.

Development/coding perspective

Profile application use cases for memory leaks, especially in negative test case scenarios like exceptions. The longer the resources are in memory the higher is the impact. Release the resources as early as possible.
Respond to negative scenarios on inception of request itself, e.g. a validation of attributes or payload needs to happens well before we do any business logic of database calls. In spring based java app an interceptor will be apt.
Implement structured logs to audit requests which can help in pattern analysis in event of any attacks
For post/put/delete kind of actions, which might be possible only from designated clients(web app/mobile apps etc.) implement captcha(like google Iam not a robot) and validate the captcha token at REST API level before processing request.

Operations perspective

Setup a monitoring and alerts in place for CPU, Memory, Network Traffic, internals of application containers like heap usage etc.

Infrastructure perspective

Add a web application firewall which can identify fake traffic originating from bots and apply some level of controlling the rate the requests
Setup caching, if possible, for get requests using CDN systems for entities which may not change frequently.
Setup auto scaling infrastructure with respect to network traffic, server CPU, Memory etc so that spike in traffic will not be able to bring down any application nodes. Choosing a cloud based infra will help.