Avoid a DDoS Attack with API Testing


[This article was written by Michael Giller.]

Earlier this year I gave a talk to a great audience in Denver at a GlueCon conference. The topic was preventing malicious hacking attacks on your APIs. While the talk mainly focused on scenarios where people are actively trying to get unauthorized information from your API through SQL injection, code injection, cross-site scripting (XSS), or incorrect security implementation, the most likely vulnerability of your API is probably completely unintentional.

Let’s take a scenario where your API is achieving its goals: it’s easy to understand, it’s easy to integrate with, and it provides really insightful information. In this case your API will find its audience, and developers will definitely integrate with it in great numbers. To make sure your API is ready for success, your testing practices should verify that it can handle the load that this success brings.

In this successful case you can easily run into something that is fully outside of your control: malicious or inexperienced outside developers can create a Distributed Denial of Service (DDoS) attack on your API!

This predicament is exactly where the National Weather Service (NWS) found itself when an Android application making frequent weather update requests killed the service, causing automatic weather warnings to fail. Now, this was likely completely unintentional on the part of the Android app developers. But on the day when there were ridiculously hot conditions in the Midwest, you bet it was important for NWS to have the service available.

If, at this point, you are asking what you can do to prevent this from happening to you, I personally can offer some suggestions:

  • For your existing APIs, reuse the tests and test cases that you hopefully implemented using SoapUI to set up a monitor that confirms your API is still operating as expected and notifies you of any service disruptions
  • If you are still in the development stages of your API, you can easily simulate real user load with our LoadUI Pro product, using its distributed testing functionality to spread your API load tests across other servers on your network and generate traffic from them. You can even deploy these agents in the cloud to cheaply rent server time and run the tests from multiple geographic locations

With the above suggestions in place, you should be in good shape for intentional or accidental DDoS attacks.  You should also be fully ready for surprising growth and popularity of your API!

Published at DZone with permission of Denis Goodwin, DZone MVB. See the original article here.
