Question

A RESTful service needs to be secured against

  1. DoS (unnecessary requests, etc)
  2. Brute-Force (login attempts, etc)

attacks. Are there any meaningful reasons to do that prevention inside the REST service, or is it in general considered to be done by a firewall or a lower OSI level (e.g. Level 3 -> Router)?

My opinion is that the prevention within the REST service itself is much more precise than a firewall or router. This means that a firewall may only block the client for a certain time after too many requests per time unit. At the service side a client can be blocked after three invalid login attempts.

But how do I implement this at the REST service side? Since a REST service doesn't keep any client data, there needs to be a static cache or something else created. What is the recommended way to install that attack prevention within the REST service?


Solution

External software/hardware. Why? The reason is simple: you want to protect your service from too much unnecessary workload, and when the checks are done by your service you are not protecting it, you're just making it worse. So DDoS attacks should be stopped before they reach your service, because when they do they eat up resources.

Of course you can employ multilevel security where, besides the firewall, you do some checks in your service, but it should be an additional solution, not the primary one. Firewall sw/hw is designed to handle and block too much load; your REST service is not.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow