API4:2019 — Lack of resources and rate limiting

The API is not protected against an excessive number of calls or oversized payloads. Attackers can exploit this for Denial of Service (DoS) and to abuse authentication flaws through brute-force attacks.

Bombing the API with too many requests or too large payloads can make the API crash, possibly with unexpected results.

Use case

  • Attackers overload the API by sending more requests than it can handle.
  • Attackers send requests at a rate exceeding the API's processing speed, clogging it up.
  • The size of the requests, or of some fields in them, exceeds what the API can process.
  • “Zip bombs”: archive files designed so that unpacking them takes an excessive amount of resources and overloads the API.

How to prevent

  • Define proper rate limiting.
  • Limit payload sizes.
  • Tailor the rate limiting to match what individual API methods, clients, or addresses need or should be allowed to get.
  • Add checks on compression ratios.
  • Define limits for container resources.
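The following example, added here and not part of the original page or of 42Crunch's own tooling, shows the first four prevention steps together in a small request-handling layer: a sliding-window rate limiter keyed per client and per route (so a login endpoint can be given a tighter limit than a search endpoint), a hard cap on the raw body size, and bounded, chunked decompression that aborts when either the inflated size or the inflated-to-compressed ratio exceeds a limit, which is what stops a zip bomb before it is fully unpacked. The route names, limit values, and status codes are assumed for illustration.

```python
import time
import zlib
from collections import deque

# Assumed limits for this example; tune them to the real API.
MAX_BODY_BYTES = 64 * 1024            # reject raw bodies above 64 KiB (HTTP 413)
MAX_DECOMPRESSED_BYTES = 1024 * 1024  # never inflate a body past 1 MiB
MAX_COMPRESSION_RATIO = 20.0          # inflated/compressed above this is rejected
DECOMPRESS_CHUNK = 16 * 1024          # inflate in bounded steps, never all at once

# Per-route limits (requests, window seconds): stricter on authentication,
# which is the brute-force surface the text mentions. Hypothetical routes.
ROUTE_LIMITS = {
    "POST /login": (5, 60.0),
    "GET /search": (100, 60.0),
}
DEFAULT_LIMIT = (60, 60.0)


class SlidingWindowLimiter:
    """Counts request timestamps per (client, route) inside a sliding window."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for deterministic tests
        self._hits = {}             # (client, route) -> deque of timestamps

    def allow(self, client, route):
        limit, window = ROUTE_LIMITS.get(route, DEFAULT_LIMIT)
        now = self.clock()
        q = self._hits.setdefault((client, route), deque())
        cutoff = now - window
        while q and q[0] <= cutoff:  # forget hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


def safe_decompress(data, max_out=MAX_DECOMPRESSED_BYTES,
                    max_ratio=MAX_COMPRESSION_RATIO):
    """Inflate a zlib stream chunk by chunk; abort on size or ratio limit."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        # max_length bounds the output of each call; leftover input is kept
        # in unconsumed_tail, so a bomb is caught after a few small chunks.
        piece = d.decompress(buf, DECOMPRESS_CHUNK)
        out += piece
        if len(out) > max_out:
            raise ValueError("decompressed size exceeds limit")
        if len(out) > max_ratio * max(len(data), 1):
            raise ValueError("compression ratio exceeds limit")
        buf = d.unconsumed_tail
        if not piece and not buf:
            raise ValueError("truncated or invalid compressed stream")
    return bytes(out)


def handle_request(limiter, client, route, body, content_encoding=None):
    """Apply the checks in order; returns (status, payload_or_reason)."""
    if not limiter.allow(client, route):
        return 429, "rate limit exceeded"
    if len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    if content_encoding == "deflate":
        try:
            body = safe_decompress(body)
        except (ValueError, zlib.error) as exc:
            return 400, f"rejected compressed body: {exc}"
    return 200, body


def compress_payload(raw):
    """Helper used to construct sample request bodies for the demo."""
    return zlib.compress(raw)


if __name__ == "__main__":
    lim = SlidingWindowLimiter()
    # Constructed sample: a tiny compressed stream that inflates to 4 MiB of zeros.
    bomb = compress_payload(b"\0" * (4 * 1024 * 1024))
    print(len(bomb), "compressed bytes ->", handle_request(lim, "10.0.0.1", "GET /search", bomb, "deflate"))
    for i in range(6):
        print("login attempt", i + 1, handle_request(lim, "10.0.0.1", "POST /login", b"{}"))
```

The ordering matters: the rate check runs before any body is touched, and the body-size check runs before decompression, so an attacker cannot make the server do expensive work on a request that would be rejected anyway. The ratio check is evaluated after every chunk rather than once at the end, which is the difference between rejecting a bomb after reading 80 KiB and after reading the whole 4 MiB.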

Copyright 42Crunch 2021