Over a million developers have joined DZone.

Avoid a DDoS Attack with API Testing

· Integration Zone

Learn how API management supports better integration in Achieving Enterprise Agility with Microservices and API Management, brought to you in partnership with 3scale

[This article was written by Michael Giller.]

Earlier this year I gave a talk to a great audience in Denver at a GlueCon conference.  The topic was on preventing malicious hacking attacks on your APIs.  While the talk mainly focused on scenarios where people actively trying to get unauthorized information from your API through SQL injection, code injection, cross-side scripting (XSS), or incorrect security implementation – the most likely vulnerability of your API is most likely completely unintentional.

Let’s take a scenario where your API is achieving its goals: it’s easy to understand, it’s easy to integrate with and it provides really insightful information.  In this case your API will find its audience and the developers will definitely integrate in great numbers.  To ensure that your API is ready for success, part of your testing practices should ensure that your API will handle this successful load.

In this successful case you can easily run into something that is fully outside of your control: malicious or inexperienced outside developers can create a Distributed Denial of Service (DDoS) attack on your API!

This predicament is exactly where the National Weather Service (NWS) found themselves when an Android application making frequent weather update requests has killed the service, causing automatic weather warnings to fail.  Now, this was likely completely unintentional on the part of the Android app developers.  But, on the day when there were ridiculously hot conditions in the Midwest you bet it was important for NWS to have the service available.

If, at this point, you are asking what you can do to prevent this from happening to you, I personally can offer some suggestions:

  • For your existing APIs, use tests and test cases that hopefully you implemented using SoapUI, you can reuse them to setup a monitor to confirm that your API is still operating as expected and be notified if there are any service disruptions for your API
  • If you are still in the development stages of your API, you can easily simulate real user load with our LoadUI Pro product and the ability to distribute your API load tests to generate traffic from other servers on your network with distributed testing functionality.  You can even distribute these agents up in the cloud to cheaply rent server time and distribute these tests to multiple geographic locations

With the above suggestions in place, you should be in good shape for intentional or accidental DDoS attacks.  You should also be fully ready for surprising growth and popularity of your API!

Unleash the power of your APIs with future-proof API management - Create your account and start your free trial today, brought to you in partnership with 3scale.

Topics:

Published at DZone with permission of Denis Goodwin, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}