Post on 22-May-2020
Your APIs Maximize Resiliency, Flexibility, and Security
Les Waltman @ Akamai
[Diagram: two protocol stacks side by side. Left stack: IP, TCP, TLS, HTTP, HTML. Right stack: IP, TCP, TLS, HTTP, REST JSON / REST XML.]
Inside the API Call
Sampled from a RESTful API ("EtherRain").
Client: HTTP GET https://device.ip:8080/api/4/watering/zone?access_token=8djkj2lkcjbndmk6
API Endpoint: HTTP 200 OK
Headers: Content-Type: Application/json
Response Body
Growth of Web API Use: 2014 through 2018
[Chart: Web Hits by Content Type, 2014 vs. 2018. Series: Text / HTML, Text / XML, App / XML, App / JSON. Bar labels shown: 54%, 17%, 14%, 14%, 6%, 26%, 69%. Callout: 83% API.]
Source: Akamai ESSL Network, SOTI Q1 2019
API calls now dominate overall web hits
Microservices
Uber as a Microservice
[Diagram: services PAYMENTS, BILLING, NOTIFICATION, PASSENGER MGMT, DRIVER MGMT, TRIP MGMT, PASSENGER UI, DRIVER UI.]
Recap API
[Same microservice diagram]
Microservice Challenges
[Same microservice diagram]
Introducing an API Gateway
[Same microservice diagram, fronted by an API Gateway]
API Gateway Redundancy
• Operate API Gateway on clustered Appliances/VMs/Containers
• Use a cloud service
API Gateway Scale
DDoS attacks can target the API Gateway at Layer 7 (i.e. a massive number of authentication attempts)
The API Gateway shouldn't be a choke point for critical, high-demand traffic
Legitimate users can mistakenly cause high peaks
The Answer ????
Introducing Akamai’s API Gateway
Turning each of our 240,000 Edge Servers into an API Gateway
• Global quota enforcement and throttling
• JWT and OAuth Authentication
• API Key Authorization
• Granular cache control
• Message validation
• API versioning control
[Diagram: many API clients reach the API Gateway at the edge, which fronts the API Origin.]
The benefit of Distributed Scale
How Akamai API Gateway Adds Resiliency
Akamai API Gateway scales API Management functions the same way the platform scales everything else (i.e. WAF, DDoS Protection, Content Delivery, Image Management, etc.)
MAJOR BENEFIT: When the Edge server is the API Gateway, Akamai can cache authenticated API responses
A Diverse Architecture
[Diagram: the microservices (PAYMENTS, BILLING, NOTIFICATION, PASSENGER MGMT, DRIVER MGMT, TRIP MGMT, PASSENGER UI, DRIVER UI) behind an API Gateway, alongside a third-party GOOGLE MAPS API.]
APIs Can Get Overwhelmed
API Rate Limiting (Kona Site Defender)
What: Protects API endpoints from DDoS attacks by a malicious adversary
How: Inspecting requests by source IP address and looking at additional request parameters
Granularity: KSD Policy
Each Edge Server functions independently
API Throttling (API Gateway)
What: Protects API endpoints from unintentional abuse by a legitimate user
How: Inspecting requests by API key
Granularity: API Endpoint and HTTP Verb
Edge Servers collaborate together to share data
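The two controls above differ in key and in scope: rate limiting is per source IP with each edge server deciding alone, throttling is per API key and per endpoint/verb with state shared between gateways. The following is an added example (not Akamai's code) that models both with a sliding window and a shared counter store; the quotas, IPs, keys and request timeline are constructed.

```python
from collections import defaultdict, deque

class IpRateLimiter:
    # Keyed on source IP; each edge server keeps its own window, nothing shared.
    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window = max_requests, window_seconds
        self.hits = defaultdict(deque)  # ip -> request timestamps in window
    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                 # drop timestamps outside the window
        if len(q) >= self.max_requests:
            return False                # source IP exceeded its budget
        q.append(now)
        return True

class ApiKeyThrottle:
    # Keyed on API key with one quota per (endpoint, verb); the counter store
    # is injected so several gateway instances can share it (a dict here).
    def __init__(self, quotas, shared_counts):
        self.quotas = quotas            # (endpoint, verb) -> requests per window
        self.counts = shared_counts     # (key, endpoint, verb, window) -> count
    def allow(self, api_key, endpoint, verb, now, window_seconds=60):
        quota = self.quotas.get((endpoint, verb))
        if quota is None:
            return True                 # no quota configured for this verb
        bucket = (api_key, endpoint, verb, int(now // window_seconds))
        if self.counts[bucket] >= quota:
            return False                # key used up its quota for this verb
        self.counts[bucket] += 1
        return True

def simulate():
    # Constructed traffic: a burst from one IP, then one key overrunning DELETE.
    limiter = IpRateLimiter(max_requests=3, window_seconds=10)
    throttle = ApiKeyThrottle({("/user/{_id}", "DELETE"): 2}, defaultdict(int))
    requests = [(0, "203.0.113.5", "key-A", "GET"), (1, "203.0.113.5", "key-A", "GET"),
                (2, "203.0.113.5", "key-A", "GET"), (3, "203.0.113.5", "key-A", "GET"),
                (4, "198.51.100.7", "key-A", "DELETE"), (5, "198.51.100.7", "key-A", "DELETE"),
                (6, "198.51.100.7", "key-A", "DELETE"), (12, "203.0.113.5", "key-B", "GET")]
    decisions = []
    for t, ip, key, verb in requests:
        if not limiter.allow(ip, t):
            decisions.append("rate-limited")      # 4th hit from one IP in 10 s
        elif not throttle.allow(key, "/user/{_id}", verb, t):
            decisions.append("throttled")         # 3rd DELETE for key-A
        else:
            decisions.append("allowed")
    return decisions
```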
Solutions
Legitimate Traffic Surges
Fig. 1: Normal Traffic
[Diagram: a Single Page / Native Mobile App sends JSON/XML requests to an Akamai Edge Server, which forwards them to the Back-end Application.]
Normal Traffic Flow
● All API or service call requests are routed to the application under normal conditions
Fig. 2: Application Overload
[Diagram: the Back-end Application is in high demand. The Akamai Edge Server forwards only part of the JSON/XML requests to it and serves the rest an Alternate Asset from Akamai NetStorage.]
During Application Overload
● Requests are throttled to the application
● A percentage of requests are served an alternative non-HTML response from Akamai NetStorage
* Prioritized User Segments will access the application while others are throttled by serving an alternate asset to all or a percentage of users
How API Prioritization works
Just TOO MUCH Traffic for an API to EVER handle
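The overload behaviour described in Fig. 2 (prioritized segments pass, a percentage of the rest get a static alternate asset) can be made deterministic per user so that every edge server reaches the same decision without shared state. The following is an added example, not Akamai's implementation; the alternate asset body, the "paid" segment name and the 60% shed default are assumptions.

```python
import hashlib

# Constructed stand-in for the static response the slide has Akamai NetStorage
# serve during overload; the page does not give the asset's contents.
ALTERNATE_ASSET = '{"status": "busy", "retry_after_seconds": 30}'

def shed_bucket(user_id):
    # Deterministic bucket 0-99 derived from the user id, so every edge server
    # makes the same decision for the same user with no shared state.
    digest = hashlib.sha256(user_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100

def route_request(user_id, segment, overloaded, shed_percent=60,
                  priority_segments=("paid",)):
    # Returns ("origin", None) when the request goes to the back-end
    # application, or ("alternate", body) when it is throttled (Fig. 2).
    if not overloaded:
        return ("origin", None)                 # Fig. 1: normal traffic flow
    if segment in priority_segments:
        return ("origin", None)                 # prioritized segment always passes
    if shed_bucket(user_id) < shed_percent:
        return ("alternate", ALTERNATE_ASSET)   # served from the static store
    return ("origin", None)

def shed_ratio(n_users, shed_percent, segment="free"):
    # Share of n constructed non-priority users that would get the alternate
    # asset while the application is overloaded; close to shed_percent / 100.
    shed = sum(1 for i in range(n_users)
               if route_request(f"user-{i}", segment, True, shed_percent)[0] == "alternate")
    return shed / n_users
```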
Let’s talk Security
Web APIs Are A Primary Target For Attackers Today
Web sites & Web APIs share the same (old) attack vectors, but APIs are often unprotected
APIs are more performant and less expensive to attack compared with traditional web forms
4X more credential stuffing attacks on APIs
What could an attack look like?
    apis: [
      {
        path: "/user/{_id}",
        operations: [
          {
            method: "DELETE",
            summary: "Deletes a user",
            notes: "",
            type: "void",
            nickname: "delete_Id",
            authorization: {
              oauth2: [
                { scope: "write:_id", description: "modify ID in your account" }
              ]
            },
            parameters: [
              { name: "_id", description: "User id to delete", required: true,
                type: "string", paramType: "path", allowMultiple: false }
            ]
          }
        ]
      }
    ]
The points of attack:
HTTP Method: Are other methods handled correctly?
OAuth 2.0: Are tokens enforced and validated correctly?
Is access validated? Are ids sequential? Injection point? etc.
What if we send multiple ids? Or none at all?
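A handler for the DELETE /user/{_id} operation above that answers each of those questions explicitly, as an added example (not code from the page or from Akamai). The bearer-token store, the user table, the opaque 12-hex-digit id format and the 404-for-foreign-ids policy are assumptions made for the example.

```python
import re

ALLOWED_METHODS = {"DELETE"}                  # only the verb the spec documents
USER_ID_RE = re.compile(r"^[0-9a-f]{12}$")    # assumed opaque, non-sequential ids

# Constructed token store and user table (not from the page):
# token -> (subject, granted scopes); user id -> owning account.
TOKENS = {"tok-alice": ("alice", {"write:_id"}), "tok-bob": ("bob", {"read:_id"})}
USERS = {"3f9a12c4d7e1": "alice", "a1b2c3d4e5f6": "bob"}

def delete_user(method, path_ids, query_ids, auth_header):
    # Returns (status, message) for a DELETE /user/{_id} call, checking each
    # of the points of attack listed above in turn.
    if method not in ALLOWED_METHODS:
        return 405, "method not allowed"        # other verbs refused explicitly
    if len(path_ids) != 1 or query_ids:
        return 400, "exactly one _id in the path is required"  # none or multiple
    user_id = path_ids[0]
    if not USER_ID_RE.fullmatch(user_id):
        return 400, "malformed _id"             # rejects injection-style input
    if not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"      # token presence enforced
    token = TOKENS.get(auth_header[len("Bearer "):])
    if token is None:
        return 401, "invalid token"             # token validated against store
    subject, scopes = token
    if "write:_id" not in scopes:
        return 403, "insufficient scope"        # scope declared in the spec
    if USERS.get(user_id) != subject:
        return 404, "not found"    # access validated; same reply for foreign ids
    del USERS[user_id]
    return 204, ""
```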
API-Specific Protection
WAF Rule Inspection: Alert or block JSON/XML exploits
API Request Constraints: Positive security model to block abnormal access
Enhanced Rate Controls: Defend against API-specific DDoS attacks
Analytics & Reporting: Faster incident response and better false positive tuning
Network Layer Protection: IP/Geo Whitelist and Blacklist
Client Reputation: Reputation controls
35 | Web Application Security | © 2018 Akamai | Confidential
Positive security model: Proven approach delivers zero-day protection against unpublished exploits
WAP
Where do we go from here?
● Understand what APIs you have, what information they contain, and how they are exposed.
● How is your API traffic routed? Are there efficiencies? What visibility do you have?
● What is your organization's API Management strategy?
○ Does it have the necessary scale and redundancy?
○ Is it holistic across the entire organization?
○ How does it impact the flexibility of your APIs?
● Security Review
○ Are your APIs protected from web application attacks?
○ Do you protect against API DDoS attacks with the required granularity?
○ Do your mobile APIs require protection from direct access?
○ How do you protect against parameter misuse?