Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to restrict DOS attack with Web API

Tags:

security

asp.net-web-api

xss

asp.net-mvc-4

I am planning to develop a internet site using MVC4 and Web APi. Its a simple application which will display a customer information based on search.

For Search functionality I am calling webApi using Ajax get method (I know i should be using Post, but consider this is the current implementation).

My Api call is "/api/Data/getSearchResults/?companyName='" + companyName

I feel this piece of line can be used as a DOS attack to bring down my server. Is there way i can use Microsoft Anti-XSS libraries or the ValidateAntiForgeryToken attributes or any other mechanism to ensure that the request are generated from by authentic users and not by any autoBots.

My site has anonymous access enabled.

like image 862
Matt Avatar asked Sep 30 '13 06:09

Matt

People also ask

How do I protect public API from DDoS?

A Web Application Firewall also works to protect your APIs and each API endpoint. These firewalls sit between users and endpoints which can detect and block the types of traffic associated with DDoS attacks.

How DoS attack can be prevented?

For this, it is essential to have multi-level protection strategies that use intrusion prevention and threat management systems. These systems can use anti-spam, content filtering, VPN, firewalls, load balancing, and security layers to spot and block attacks before they overwhelm your network.

Does API gateway protect against DDoS?

The only thing that protects API Gateway is verification of Header in WAF. Attacker can still find API Gateway in the Internet and perform DDOS attack directly to API Gateway endpoint without going through Cloudfront.

Can WAF prevent DoS?

AWS WAF is a web application firewall that helps detect and mitigate web application layer DDoS attacks by inspecting traffic inline. Application layer DDoS attacks use well-formed but malicious requests to evade mitigation and consume application resources.

1 Answers

There's a library called WebApiThrottle that defines a ThrottlingHandler you can use to programmatically limit the number of requests per second/minute/hour... based on the IP or other attributes of the caller.

Another option is to act at the IIS level, and of course you can use both to have a better control.

like image 65
mamoo Avatar answered Sep 28 '22 00:09

mamoo
Sign in to Comment

Related questions

How can I restrict access to some PHP pages only from pages within my website?
Tomcat secured static content
Is it possible to resign a signed .net dll with a different key pair?
Understanding 3rd party iframes security?
Does this mean my university is storing passwords insecurely?
How to throttle login attempts - PHP & MySQL & CodeIgniter
How to verify an XML signature in an iOS application?
A list of professionally-useful and safe file types?
What is the recommended approach for encrypting/decrypting large text data in MySQL?
Is it safe to identify OpenID users by email address if the provider is trusted?
How does Timestamp helps in preventing Replay Attacks in webservices
Should I authenticate a user's password for every server request?
Javascript Security: is storing sensitive data in a self invoking function more secure than cookies?
How to secure Redis Cluster?
How to automatically login as a user using Spring Security without knowing their password?
After upgrading to GHC7, all programs suddenly fail saying "Most RTS options are disabled. Link with -rtsopts to enable them."
Hash to create unique URL so that it is difficul to guess valid URLs in lieu of authentication
Develop programs for Arm trust zone
Can I improve the security of MD5 hashed passwords by salting the existing MD5 hash and hash the result using Scrypt or PBKDF2 HMACSHA256?
Form Authentication - Cookie replay attack - protection

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!