Following our series on OWASP’s Top API Risks, this blog post examines the topic of rate limiting. Learn what rate limiting is, how it can prevent malicious attacks on your API, and how Akana protects your APIs with or without rate limiting.
Rate limiting applies to the number of calls a user can make to an API within a set time frame. This is used to help control the load that’s put on the system.
Rate limiting helps prevent a user from exhausting the system’s resources. Without rate limiting, it’s easier for a malicious party to overwhelm the system. This is done when the system is flooded with requests for information, thereby consuming memory, storage, and network capacity.
An API that utilizes rate limiting may throttle clients that attempt to make too many calls or temporarily block them altogether. Users who have been throttled may either have their requests denied or slowed down for a set time. This will allow legitimate requests to still be fulfilled without slowing down the entire application.
One of the most common use cases for rate limiting is to block brute force attacks. In a brute force attack, a hacker uses automation to send an endless stream of requests to an API, hoping that eventually one may be accepted. Limiting client access will slow down this attack. At the same time, the receiving system should notice the unexpectedly large number of failed requests and generate alerts so that further action may be taken.
In some cases, a user may accidentally cause a brute force attack: a bug may produce repeated failed requests, and the client keeps retrying. Rate limiting forces a temporary stop and allows for follow-up action.
Another use case is to prevent a Denial of Service (DoS) attack. DoS attacks occur when a user attempts to slow or shut down an application completely. The user may do this by flooding the API with requests. Multiple users may attempt to overwhelm the system in this way as well; this is known as a Distributed Denial of Service (DDoS) attack.
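As an added example (not Akana's code), here is a minimal per-client token-bucket limiter in Python that temporarily blocks a client once it exhausts its burst allowance, together with the failed-request counter described above that signals when failures cluster; the class name, parameter values and the explicit `now` clock argument are assumptions made for the illustration.

```python
import time
from collections import deque


class ClientRateLimiter:
    """Per-client token bucket with a temporary block on overrun, plus a
    failed-request counter that raises an alert when failures cluster.
    (Hypothetical helper; parameter defaults are illustrative.)"""

    def __init__(self, capacity=5, refill_per_sec=1.0, block_seconds=10.0,
                 fail_window=60.0, fail_threshold=10):
        self.capacity = capacity            # burst a client may spend at once
        self.refill = refill_per_sec        # sustained calls/second per client
        self.block_seconds = block_seconds  # block length after an overrun
        self.fail_window = fail_window      # seconds over which failures count
        self.fail_threshold = fail_threshold
        self._buckets = {}        # client -> (tokens, last refill timestamp)
        self._blocked_until = {}  # client -> timestamp the block ends
        self._failures = {}       # client -> deque of failure timestamps

    def allow(self, client, now=None):
        """Return True if the call may proceed, False if the client is throttled."""
        now = time.monotonic() if now is None else now
        if self._blocked_until.get(client, 0.0) > now:
            return False  # still inside the temporary block window
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        # Bucket empty: deny and block the client for block_seconds.
        self._buckets[client] = (tokens, now)
        self._blocked_until[client] = now + self.block_seconds
        return False

    def record_failure(self, client, now=None):
        """Record a failed request (e.g. rejected credentials). Return True when
        the failures inside fail_window reach the threshold, i.e. alert."""
        now = time.monotonic() if now is None else now
        q = self._failures.setdefault(client, deque())
        q.append(now)
        while q and now - q[0] > self.fail_window:
            q.popleft()  # drop failures that fell out of the window
        return len(q) >= self.fail_threshold
```

In a gateway the `allow` result maps to an HTTP 429 response and the `record_failure` alert to the monitoring pipeline, so that the unexpectedly large number of failures is noticed rather than silently absorbed.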
While rate limiting stops a flood of requests, several other security measures can be put in place before an attack happens.
Akana offers multiple configurable policies that together form a customizable API security package. These policies verify client identity and reduce request overload. Choose from:
These policies are easily added to endpoints through the developer portal and work independently of each other. They ensure that only valid requests are granted. And to make sure that back-end systems can cope with the incoming messages, rate limiting may be applied either to individual clients or as an absolute limit on the API.
While the policies above are mainly preventative measures, there are also options for stopping attacks such as DoS and DDoS that are already in progress. The Akana API Gateway makes it easy to monitor activity in real time.
If there is suspicious activity happening, developers can quickly blacklist one or more IP addresses. This prevents those IP addresses from ever interacting with the API. The gateway can also be decommissioned — this will make services unavailable to users, but it will not affect the back-end system at all.
Keep your API security top-of-mind. See how Akana secures your APIs across the lifecycle. Start your free 30-day trial today.