
How to restrict DOS attack with Web API

I am planning to develop an internet site using MVC4 and Web API. It's a simple application which will display customer information based on a search.

For the search functionality I am calling the Web API using an Ajax GET method (I know I should be using POST, but consider this the current implementation).

My Api call is "/api/Data/getSearchResults/?companyName='" + companyName

I feel this line can be used for a DoS attack to bring down my server. Is there a way I can use the Microsoft Anti-XSS libraries or the ValidateAntiForgeryToken attribute or any other mechanism to ensure that the requests are generated by authentic users and not by any autobots?

My site has anonymous access enabled.

asked by Matt, Sep 30 '13 06:09


1 Answer

There's a library called WebApiThrottle that defines a ThrottlingHandler you can use to programmatically limit the number of requests per second/minute/hour... based on the IP or other attributes of the caller.

Another option is to act at the IIS level, and of course you can use both for better control.

answered by mamoo, Sep 28 '22 00:09
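As an added example (not code from the question, the answer, or the WebApiThrottle project itself), this is how the ThrottlingHandler the answer refers to can be registered in the WebApiConfig of an ASP.NET Web API 2 project so that the anonymous search endpoint from the question gets its own, tighter budget. The numeric limits, the whitelist addresses, the route template and the endpoint key are assumptions chosen to fit this question; the property names follow the library's documented configuration.

```csharp
using System.Collections.Generic;
using System.Web.Http;
using WebApiThrottle;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // The handler runs before any controller, so every request is counted
        // and rejected with HTTP 429 once a limit is exceeded. Counters are
        // kept per client IP (IpThrottling) and per endpoint (EndpointThrottling)
        // in the in-process runtime cache (CacheRepository).
        config.MessageHandlers.Add(new ThrottlingHandler
        {
            Policy = new ThrottlePolicy(perSecond: 2, perMinute: 30, perHour: 300)
            {
                IpThrottling = true,
                EndpointThrottling = true,

                // Stricter budget for the search action from the question: it is
                // the expensive call and it is reachable anonymously. The key is
                // matched against the lower-cased request path (assumption).
                EndpointRules = new Dictionary<string, RateLimits>
                {
                    { "api/data/getsearchresults", new RateLimits { PerSecond = 1, PerMinute = 10 } }
                },

                // Addresses that are never throttled (constructed sample values):
                // loopback for local testing and an internal monitoring range.
                IpWhitelist = new List<string> { "::1", "127.0.0.1", "192.168.0.0/24" }
            },
            Repository = new CacheRepository(),

            // Body of the 429 response; {0} and {1} are the admitted count and period.
            QuotaExceededMessage = "Request limit exceeded: at most {0} requests per {1} are allowed."
        });

        // Assumed action-based route matching the URL used in the question.
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{action}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}
```

Register is invoked from Global.asax through GlobalConfiguration.Configure(WebApiConfig.Register) in the standard Web API 2 template. Per-IP counting slows down a single abusive source but does little against traffic spread over many addresses, which is where the answer's second option (limits at the IIS level, or an upstream firewall) comes in.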