ShieldSquare is now Radware Bot Manager

What is an API?

An API (application programming interface) interconnects multiple applications or software systems across multiple devices: it defines the kinds of calls or requests they can make, how those calls are made, the data formats to be used, and the conventions to be obeyed. APIs have evolved to become essential interconnections that enable communication between different application architectures, promoting faster integration and deployment of new services. They are also relied upon by software development programs for service provisioning, platform management, and continuous deployment. Modern application architectures, involving mobile devices, cloud data systems, and microservice design patterns, require multiple APIs as gateways that facilitate interoperability among diverse web applications.

API Abuse

The Impact of API Abuse

Vulnerabilities in APIs are abused by cybercriminals and nefarious parties to steal personally identifiable information (PII) and business-critical data, carry out account takeover attacks, and systematically execute website content scraping campaigns. The following are the key API attacks that are carried out by bots:

Application Distributed Denial of Service (DDoS)

APIs can be attacked by hackers and cybercriminals who intentionally overload them with large volumes of bot traffic from multiple devices and IP addresses. For enterprises, this puts business-critical services at risk, such as log-in services, session management, and other services that keep applications up and available to users. Attackers who carry out DDoS campaigns often use asymmetrical techniques: they send small volumes of data to generate API calls, and the servers become heavily overloaded because they have to answer those calls with much larger volumes of data. Such attacks seriously tie up system resources and greatly increase server response times for all users of the system.

Account Takeover

Hackers deploy botnets to carry out account takeover attacks by programmatically sending API calls that test lists of stolen username and password combinations. Though API management systems reject invalid log-in attempts, they are generally not capable of stopping large volumes of bots originating from multiple IP addresses that keep trying different combinations of credentials in the hope of finding a valid log-in. Sophisticated hackers are known to limit the rate at which their bots make API requests so that conventional security systems cannot detect them.
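The rate-limited, multi-IP pattern described above is exactly the one that a per-IP failure counter misses. The following is an added example (not Radware Bot Manager code) that reads constructed API log-in log lines and looks at the traffic from two other angles: how many distinct IPs fail against the same account (fan-out onto one account) and how many distinct accounts a single IP fails against (one source cycling through a credential list). The "timestamp ip username result" layout, the field names and the thresholds are assumptions chosen for the illustration.

```python
"""Spot low-and-slow credential stuffing in API log-in logs.

Added illustration, not Radware Bot Manager code. The log lines are
constructed, and the "timestamp ip username result" layout, the
dictionary keys and the thresholds are assumptions for this example.
"""
from collections import Counter, defaultdict

# Constructed sample: every IP stays under a per-IP limit of 5 failures,
# yet "alice" is hit from four IPs and 203.0.113.9 cycles through accounts.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 198.51.100.1 alice FAIL
2024-01-01T10:00:07Z 198.51.100.1 bob FAIL
2024-01-01T10:00:20Z 198.51.100.2 alice FAIL
2024-01-01T10:00:33Z 198.51.100.3 alice FAIL
2024-01-01T10:00:41Z 198.51.100.4 alice FAIL
2024-01-01T10:00:50Z 203.0.113.9 carol FAIL
2024-01-01T10:00:55Z 203.0.113.9 dave FAIL
2024-01-01T10:01:02Z 203.0.113.9 erin FAIL
2024-01-01T10:01:10Z 203.0.113.9 frank FAIL
2024-01-01T10:01:30Z 192.0.2.7 grace OK
2024-01-01T10:01:45Z 192.0.2.7 grace FAIL
"""


def parse_line(line):
    """Split one log line into its fields (assumed layout)."""
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "failed": result == "FAIL"}


def analyze(log_text, per_ip_threshold=5, fanout_threshold=3):
    """Return the signals a defender would alert on.

    noisy_ips:          IPs with at least per_ip_threshold failures (the
                        classic check, which the sample deliberately evades)
    targeted_accounts:  accounts failing from at least fanout_threshold IPs
    spraying_ips:       IPs failing against at least fanout_threshold accounts
    """
    fails_per_ip = Counter()
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not ev["failed"]:
            continue  # only failed attempts feed the counters
        fails_per_ip[ev["ip"]] += 1
        ips_per_user[ev["user"]].add(ev["ip"])
        users_per_ip[ev["ip"]].add(ev["user"])
    return {
        "noisy_ips": sorted(
            ip for ip, n in fails_per_ip.items() if n >= per_ip_threshold
        ),
        "targeted_accounts": sorted(
            u for u, ips in ips_per_user.items() if len(ips) >= fanout_threshold
        ),
        "spraying_ips": sorted(
            ip for ip, users in users_per_ip.items() if len(users) >= fanout_threshold
        ),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, the per-IP counter reports nothing, while the fan-out views flag the account "alice" and the source 203.0.113.9. In production the same counters would be kept over a sliding window and fed by the API gateway's access logs rather than a string constant.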

Web Scraping

Competitors, fraudsters and 'fly-by-night' operators who set up websites to defraud consumers often plagiarize an entire website's content by carrying out systematic scraping campaigns that use bots to extract data from APIs. Hackers also try to reverse-engineer web and mobile applications to hijack API calls and carry out scraping attacks.

How to prevent API Abuse

Best practices to protect APIs against abuse:

  • Monitor and manage API calls coming from bots
  • Stop using obsolete and insecure authentication methods
  • Implement measures to prevent API access by sophisticated human-like bots
  • Use robust encryption to safeguard log-in processes
  • Deploy token-based rate limiting equipped with features to limit API access based on the number of IPs, sessions, and tokens
  • Comprehensively log all system requests and responses
  • Scan incoming requests for malicious intent
  • Support clustered API implementation to handle fault tolerance
  • Track the usage and paths taken by API calls to find anomalies
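The rate-limiting item above asks for limits keyed on IPs, sessions and tokens, and the DDoS section notes that a small request can trigger a much larger response. The following is an added example (not Radware Bot Manager code) of a token-bucket limiter that checks all three scopes for every request and charges each request a cost proportional to the size of the response it produces, so a request that is cheap to send but expensive to answer drains the bucket faster. The limits, the 4 KiB cost unit and the class and function names are assumptions chosen for the illustration.

```python
"""Token-bucket rate limiting keyed on token, session and IP,
with request cost weighted by response size.

Added example, not Radware Bot Manager code. The limits, the
response-size weighting and all names are assumptions.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float        # maximum tokens the bucket can hold
    refill_per_sec: float  # tokens added per second
    tokens: float          # tokens currently available
    last: float            # clock reading at the last refill


class RateLimiter:
    def __init__(self, limits, clock=time.monotonic):
        # limits: {"ip": (capacity, refill), "session": ..., "token": ...}
        self.limits = limits
        self.clock = clock
        self.buckets = {}

    def _bucket(self, scope, key):
        cap, refill = self.limits[scope]
        b = self.buckets.get((scope, key))
        if b is None:
            b = Bucket(cap, refill, cap, self.clock())  # new clients start full
            self.buckets[(scope, key)] = b
        return b

    def _refill(self, b):
        now = self.clock()
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now

    def allow(self, ip, session, token, cost=1.0):
        """Return (allowed, denied_scope).

        Every scope that has a key must have enough tokens. Tokens are only
        deducted once all scopes have passed, so a request refused by the
        session bucket does not also drain the IP and token buckets.
        """
        checked = []
        for scope, key in (("token", token), ("session", session), ("ip", ip)):
            if key is None:
                continue  # anonymous request: no session/token to key on
            b = self._bucket(scope, key)
            self._refill(b)
            if b.tokens < cost:
                return False, scope
            checked.append(b)
        for b in checked:
            b.tokens -= cost
        return True, None


def request_cost(response_bytes, unit=4096):
    """Charge one token plus one per 4 KiB of response (assumed weighting),
    so an asymmetric request is billed for the data it makes the server send."""
    return 1.0 + response_bytes / unit


class FakeClock:
    """Deterministic clock so the walk-through does not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    rl = RateLimiter(
        {"ip": (10, 1.0), "session": (5, 0.5), "token": (20, 2.0)}, clock=clock
    )
    # Six quick requests from one client: the session bucket (capacity 5) empties first.
    burst = [rl.allow("198.51.100.1", "sess-A", "tok-1") for _ in range(6)]
    clock.t += 4.0  # session refills 2 tokens, ip 4, token 8 (capped at 20)
    after_wait = rl.allow("198.51.100.1", "sess-A", "tok-1")
    # One anonymous request whose 40 KiB reply costs 11 tokens: more than the
    # IP bucket holds, so it is refused on its own.
    heavy = rl.allow("198.51.100.2", None, None, cost=request_cost(40960))
    return {"burst": burst, "after_wait": after_wait, "heavy": heavy}


if __name__ == "__main__":
    print(demo())
```

Checking the scopes in the order token, session, IP means the most specific identity is consulted first; the refused scope is returned so that the response (and the log line for it) can say which limit the client hit, which feeds the logging and anomaly-tracking items in the same list.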

Leading analyst organizations recommend that enterprises implement effective API security measures. Radware Bot Manager's Bot Mitigation Solution for APIs ensures your critical business and customer data are protected from automated attacks.

To find out how vulnerable your enterprise APIs, websites and applications are to bot attacks, please request a complimentary Bad Bot Analyzer report.
