Protecting API endpoints from DDoS Attacks

Hey 👋 I have a basic(ish) Express API with a handful of GET endpoints, but because it's an API that supports non-human interaction, traditional DDoS protection such as a managed challenge wouldn't work in protecting malicious actors from DDoS'ing my server, and if anything I need to reduce false positives by allowing almost all traffic to hit my origin.

I've thought about using Workers and KV to sync my users' API keys and validate them at Cloudflare before hitting my origin, but whilst this would keep my origin online during a DDoS, it would result in me potentially being charged into bankruptcy if I get hit with a major attack (such as billions of requests).

I've thought about doing something like implementing a WAF rule to block all requests where the Authorization header doesn't include a prefix in all the API keys I issue to users, but this is of course super easy to bypass if someone figures it out.

I've thought about syncing every API key to WAF as a whitelist and blocking everything else, but this wouldn't scale well as the expression for a rule can only be 4096 characters long.

If someone knows a way that I could effectively protect my API, that would be much appreciated 🙏 I'm on the Pro plan btw.
10 Replies
AlphaCentauri (OP) • 17mo ago
Oh that's reassuring, thanks for your help Skye!
Akama Aka • 17mo ago
Just use CF rate limiting
Akama Aka • 17mo ago
[screenshot attached, no description]
AlphaCentauri (OP) • 17mo ago
I appreciate the screenshot, thanks! I'm not the biggest fan of Rate Limiting as my legitimate users are rate limited to 250 requests per second, so the lowest rule in practice would match that, and I suspect that a major distributed attack from various IPs could cause damage before rate limiting does anything. I think Snippets is the real solution when it comes out. If I can implement a checksum to validate my API keys, I can at least know everyone who gets through is a legitimate customer.
Akama Aka • 17mo ago
We do that with our API points. We send a request to our API point and the API key gets registered in our database and directly on Cloudflare.
macwilko • 17mo ago
@AlphaCentauri did you find a solution?
AlphaCentauri (OP) • 17mo ago
Hey @macwilko, not really, unfortunately. Trying to accomplish this is basically impossible even with Cloudflare API Shield, although that's the closest you could get to perfect protection, but that's an Enterprise product so I can't afford it at the moment. Snippets would be amazing and will probably be the solution when it comes out (validating our API tokens at the edge should mitigate the risk of illegitimate traffic), but until then we decided to just implement a global block to our API endpoints and our users have to manually whitelist their IPs, which is then synced with CF. It's a little more annoying, but it does result in 100% protection - but obviously that solution might not work for you depending on whether it's feasible to block all IPs and have a whitelist.
macwilko • 17mo ago
Thank you so much for responding. I'm just starting out here; I'd like to add DDoS protection to an API (GraphQL) with Cloudflare. Out of the box, Cloudflare seems to flag API requests as a bot quite frequently. I am trying to find a good balance between flagging real bots / threats and allowing legitimate access. Is mTLS the right way to go here? For context, the clients accessing the API are mobile and desktop 'apps'.
AlphaCentauri (OP) • 17mo ago
No worries, happy to respond and try to help 😄 For your use case, mTLS sounds like it'd work; you should be able to relax the rules that are causing false positives and then create an mTLS rule to enforce a valid client certificate: https://developers.cloudflare.com/api-shield/security/mtls/configure/
Configure mTLS · Cloudflare API Shield docs
When you specify API hosts in mTLS authentication, Cloudflare will block all requests that do not have a client certificate for mTLS authentication.
macwilko • 17mo ago
Thanks so much! Cloudflare is such a complex product at this stage, but I'm surprised they don't have a simple 'get started' guide based on use cases. Some simple recommended steps, since people developing APIs will have similar challenges. Good to know I'm in the right area here, thank you Leo!
