Avoid a DDoS Attack with API Testing

  September 02, 2014

Earlier this year I gave a talk to a great audience in Denver at a GlueCon conference.  The topic was on preventing malicious hacking attacks on your APIs.  While the talk mainly focused on scenarios where people actively trying to get unauthorized information from your API through SQL injection, code injection, cross-side scripting (XSS), or incorrect security implementation – the most likely vulnerability of your API is most likely completely unintentional.

Let’s take a scenario where your API is achieving its goals: it’s easy to understand, it’s easy to integrate with and it provides really insightful information.  In this case your API will find its audience and the developers will definitely integrate in great numbers.  To ensure that your API is ready for success, part of your testing practices should ensure that your API will handle this successful load.

In this successful case you can easily run into something that is fully outside of your control: malicious or inexperienced outside developers can create a Distributed Denial of Service (DDoS) attack on your API!

This predicament is exactly where the National Weather Service (NWS) found themselves when an Android application making frequent weather update requests has killed the service, causing automatic weather warnings to fail.  Now, this was likely completely unintentional on the part of the Android app developers.  But, on the day when there were ridiculously hot conditions in the Midwest you bet it was important for NWS to have the service available.

If, at this point, you are asking what you can do to prevent this from happening to you, I personally can offer some suggestions:

  • For your existing APIs, use tests and test cases that hopefully you implemented using SoapUI, you can reuse them to setup a monitor to confirm that your API is still operating as expected and be notified if there are any service disruptions for your API
  • If you are still in the development stages of your API, you can easily simulate real user load with our LoadUI Pro product and the ability to distribute your API load tests to generate traffic from other servers on your network with distributed testing functionality.  You can even distribute these agents up in the cloud to cheaply rent server time and distribute these tests to multiple geographic locations

With the above suggestions in place, you should be in good shape for intentional or accidental DDoS attacks.  You should also be fully ready for surprising growth and popularity of your API!

See also: