Protecting API endpoints from DDoS Attacks
Hey
I have a basic(ish) Express API with a handful of GET endpoints, but because it's an API that supports non-human interaction, traditional DDoS protection such as a managed challenge wouldn't work in protecting malicious actors from DDoS'ing my server, and if anything I need to reduce false positives by allowing almost all traffic to hit my origin.
I've thought about using Workers and KV to sync my users' API keys and validate them at Cloudflare before hitting my origin, but whilst this would keep my origin online during a DDoS, it would result in me potentially being charged into bankruptcy if I get hit with a major attack (such as billions of requests).
I've thought about doing something like implementing a WAF rule to block all requests where the Authorization header doesn't include a prefix in all the API keys I issue to users, but this is of course super easy to bypass if someone figures it out.
I've thought about syncing every API key to WAF as a whitelist and blocking everything else, but this wouldn't scale well as the expression for a rule can only be 4096 characters long.
If someone knows a way that I could effectively protect my API, that would be much appreciated.
I'm on the Pro plan btw.
10 Replies
Oh that's reassuring, thanks for your help Skye!
Just use CF rate limiting
I appreciate the screenshot, thanks!
I'm not the biggest fan of Rate Limiting as my legitimate users are rate limited to 250 requests per second, so the lowest rule in practice would match that, and I suspect that a major distributed attack from various IPs could cause damage before rate limiting does anything.
I think Snippets is the real solution when it comes out. If I can implement a checksum to validate my API keys, I can at least know everyone who gets through is a legitimate customer.
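One way to do the edge check described here, as an added example that is not code from the thread or from Cloudflare: a Worker verifies a keyed checksum (HMAC-SHA256) embedded in each issued API key, so a forged key is rejected at the edge without a KV lookup, and unlike a plain prefix or unkeyed checksum it cannot be reproduced by someone who learns the format. The `<keyId>.<tag>` key layout, the `API_KEY_SECRET` secret binding and the function names are assumptions.

```javascript
// Added example: self-certifying API keys checked at the edge.
// Assumed key format: "<keyId>.<tag>", tag = base64url(HMAC-SHA256(secret, keyId)).
// Passing the check proves the key was issued by us; revocation of a previously
// issued key still has to be enforced at the origin (or via a KV denylist).
const enc = new TextEncoder();

async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle; // Workers / modern Node
  return (await import('node:crypto')).webcrypto.subtle;          // older Node fallback
}

async function hmacKey(secret, usage) {
  const subtle = await getSubtle();
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function fromB64url(s) {
  const pad = s.length % 4 ? '='.repeat(4 - (s.length % 4)) : '';
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Issuing side: runs on the origin when a customer creates a key.
async function issueApiKey(secret, keyId) {
  const sig = await (await getSubtle()).sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(keyId));
  return `${keyId}.${b64url(new Uint8Array(sig))}`;
}

// Edge side: true only if the tag is the HMAC of keyId under the shared secret.
// subtle.verify does the comparison, so we never hand-roll a byte compare.
async function verifyApiKey(secret, apiKey) {
  const m = /^([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9_-]{43})$/.exec(apiKey ?? '');
  if (!m) return false; // wrong shape: reject before doing any crypto
  const tag = fromB64url(m[2]);
  return (await getSubtle()).verify('HMAC', await hmacKey(secret, 'verify'), tag, enc.encode(m[1]));
}

// Worker entry point (in the deployed Worker this object is `export default`).
const worker = {
  async fetch(request, env) {
    const auth = request.headers.get('Authorization') ?? '';
    const apiKey = auth.startsWith('Bearer ') ? auth.slice(7) : '';
    if (!(await verifyApiKey(env.API_KEY_SECRET, apiKey))) {
      return new Response('unauthorized', { status: 401 });
    }
    return fetch(request); // only keys we issued reach the origin
  },
};
```

Set `API_KEY_SECRET` with `wrangler secret put` on the Worker and share the same value with the origin's key-issuing code; rotating it invalidates every outstanding key.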
We do that with our API points. We send a request to our API point and the API key gets registered in our database and directly on Cloudflare.
@AlphaCentauri did you find a solution?
Hey @macwilko
Not really unfortunately. Trying to accomplish this is basically impossible even with Cloudflare API shield, although that's the closest you could get to perfect protection, but that's an Enterprise product so I can't afford it at the moment.
Snippets would be amazing and will probably be the solution when it comes out (validating our API tokens at the edge should mitigate the risk of illegitimate traffic), but until then we decided to just implement a global block to our API endpoints and our users have to manually whitelist their IPs which is then sync'd with CF.
It's a little more annoying, but it does result in 100% protection - but obviously that solution might not work for you depending on if it's feasible to block all IPs and have a whitelist.
Thank you so much for responding. I'm just starting out here, I'd like to add DDoS protection to an API (GraphQL) with Cloudflare. Out of the box, Cloudflare seems to flag API requests as a bot quite frequently. I am trying to find a good balance between flagging real bots / threats and allowing legitimate access.
Is mTLS the right way to go here?
For context, the clients accessing the API are mobile and desktop 'apps'.
No worries, happy to respond and try to help.
For your use case, mTLS sounds like it'd work, you should be able to relax the rules that are causing false positives and then create an mTLS rule to enforce a valid client certificate
https://developers.cloudflare.com/api-shield/security/mtls/configure/
Configure mTLS · Cloudflare API Shield docs
When you specify API hosts in mTLS authentication, Cloudflare will block all requests that do not have a client certificate for mTLS authentication.
Thanks so much! Cloudflare is such a complex product at this stage, but I'm surprised they don't have a simple 'get started' guide based on use cases.
Some simple recommended steps, since people developing APIs will have similar challenges.
Good to know I'm in the right area here.
Thank you Leo!