APIs (application programming interfaces) have become the cornerstone of most modern, agile software companies. They are driving the shift from monolithic on-premises software to the cloud and microservices-based applications. Cloudflare, however, is aiming to protect them with more than standard DDoS protection tools.
Smaller function-based components that connect via API are easier to maintain. Developers or individual teams take care of a single element.
There are many reasons why the API economy is booming, of course. However, this proliferation potentially gives attackers near-unlimited access to internal systems and company infrastructure. Many companies have hundreds or even thousands of APIs to monitor, and some don’t even know they exist. That’s why web infrastructure and security company Cloudflare is introducing new ways to protect API endpoints that go beyond standard protection tools.
Beyond standard DDoS protection tools
Cloudflare’s new set of API abuse detection tools is made up of several elements. The first part relates to API discovery: Cloudflare has developed a system that creates a trusted API map, giving companies an accurate picture of their API landscape. With APIs “discovered,” Cloudflare’s attack detection intelligence first targets what it calls “volumetric anomalies.” This sets an API call threshold to handle abuse by estimating how often each route should be legitimately hit.
It’s worth noting that existing security tools can already set “speed limits” to prevent an API from getting “bogged down.” This can help stop automated bad actors from repeating the same abuse tactic. But with so many potentially unknown APIs in an enterprise, it is difficult to assign realistic thresholds for each scenario automatically without causing problems. For example, it is easy to set a threshold that blocks an IP after it exceeds 100 requests, but what if those requests are legitimate? Ultimately it all comes down to the purpose of the API. As Cloudflare points out, the problem “calls for a more subjective arbiter,” which Cloudflare is attempting to provide with what it refers to as an “adaptive rate limiting” technique.
Prevention as a starting point
With unsupervised machine learning, Cloudflare can determine which APIs are likely to receive frequent calls from an end user and thus establish an appropriate threshold. A sports betting website, for example, might have an API that provides real-time results updates. It may need to be polled several times a minute to ensure that the information is up to date. But this same betting website could also have an API for resetting passwords. An end user is unlikely to make nearly as many calls to that API as they would to match results.
Cloudflare maps a company’s APIs, establishes unique baselines for each, and predicts the intent of requests as they are made. “If we see 150 sudden attempts to reset a password, our systems immediately suspect an account theft attempt.” Additionally, Cloudflare said it can change the thresholds if, for example, it detects that there is likely a good reason for a sudden spike in traffic, such as a major sporting event.
In addition to detecting volumetric anomalies, Cloudflare also applies an additional layer of security referred to as “sequential anomaly detection,” where it determines the most likely or common routes a user can take through a website and flags any deviations from them. For example, a typical sequence could be that a user logs in, verifies their identity, and then successfully enters the website. But if any of these steps in a typical procedure are out of order, Cloudflare sounds the alarm.
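As an added illustration of the two mechanisms described above (this is example code, not Cloudflare’s own, whose models are not public), the Python below learns a per-route baseline and the normal ordering of routes from constructed sample traffic, then flags per-user call volume that exceeds a multiple of the baseline and route transitions never seen in training. The route names, user IDs and the `factor` knob are assumptions chosen to mirror the betting-site scenario.

```python
from collections import Counter, defaultdict

# Constructed sample traffic: (user, route) in time order within one window.
TRAINING = [
    ("u1", "/login"), ("u1", "/verify"), ("u1", "/scores"), ("u1", "/scores"),
    ("u1", "/scores"), ("u2", "/login"), ("u2", "/verify"), ("u2", "/scores"),
    ("u2", "/scores"), ("u3", "/login"), ("u3", "/verify"), ("u3", "/reset-password"),
]

def learn_baselines(events):
    """Baseline per route = most calls one user made to it in the window;
    transitions = every (previous route -> route) pair seen per user."""
    baseline = defaultdict(int)
    for (user, route), n in Counter(events).items():
        baseline[route] = max(baseline[route], n)
    transitions, last = set(), {}
    for user, route in events:
        transitions.add((last.get(user, "<start>"), route))
        last[user] = route
    return dict(baseline), transitions

def detect(events, baseline, transitions, factor=3):
    """Flag users exceeding factor x baseline on a route (volumetric) and
    route transitions never seen in training (sequential). `factor` is the
    knob to loosen during a known surge such as a major sporting event."""
    alerts = []
    for (user, route), n in Counter(events).items():
        limit = factor * baseline.get(route, 1)   # unknown route: tight default
        if n > limit:
            alerts.append(("volumetric", user, route, n, limit))
    seen, last = set(), {}
    for user, route in events:
        prev = last.get(user, "<start>")
        if (prev, route) not in transitions and (user, prev, route) not in seen:
            seen.add((user, prev, route))
            alerts.append(("sequential", user, route, prev))
        last[user] = route
    return alerts

# Constructed live window: a legitimate heavy scores reader, a reset-password
# storm from one client, and a session that skips login entirely.
LIVE = ([("u9", "/login"), ("u9", "/verify")] + [("u9", "/scores")] * 6
        + [("bot", "/reset-password")] * 150 + [("u8", "/scores")])

if __name__ == "__main__":
    base, trans = learn_baselines(TRAINING)
    for alert in detect(LIVE, base, trans):
        print(alert)
```

Note that six calls to `/scores` pass because that route’s learned baseline is higher, while 150 calls to `/reset-password` and the login-free session are both flagged; raising `factor` is the crude stand-in for relaxing thresholds during an expected spike.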
Cloudflare’s new API “abuse” detection tools are available to existing customers through a request-only preview program.