Organizations aren’t slowing down in their use of application programming interfaces (APIs). According to a survey covered by DEVOPSdigest, 61.3% of organizations used more APIs in 2020 than they did a year earlier. An even greater proportion (71.3%) said they plan to use even more APIs in 2021. Another 21.2% expected to use the same number of APIs over the course of the year. But botnet attacks can be a big problem for these. How can you protect yourself while still using the tech you need?
Why Are APIs on the Rise?
The survey findings discussed above highlight the increasing interest in digital growth following the events of 2020. Indeed, Forrester predicted that businesses and agencies will speed up their digital transformation over the course of 2021. One-fifth of them will create digital divisions for the purpose of launching digital products that can help with this, noted Forrester. An even greater percentage (50%) expect to make focusing on the cloud a priority.
They need those APIs to advance in their journeys. As noted by Google, “APIs are the de facto standard for building and connecting modern applications.” They help internal developers to access and reuse data and functionality. They also open their assets up to external developers. This makes it easier to manage, monitor and secure their assets.
Botnet Attacks Target APIs
Organizations can certainly use APIs to secure their digital assets. However, along the way, they need to consider the APIs themselves. Otherwise, they could end up repeating 2020. That’s the year when 98% of organizations witnessed attacks against their applications, according to a study from security firm Radware and Osterman Research.
Various factors contributed to these attacks, but none were as weak as API defenses. Two-fifths of respondents said that over half of their applications exposed them to to the internet or to third-party services via their APIs. Nearly half of survey participants experienced an injection attack and some form of element/attribute manipulation on a monthly basis at 49% and 42%, respectively. Monthly denial-of-service (DoS) attacks were even more prevalent at 55% of cases.
Those DoS attacks stood out in this study, for they were the most common type of botnet attack reported. Of the 82% of respondents that reported botnet attacks against their APIs, 86% said that they suffered a DoS incident. Next on the list came web scraping (84%) and account takeover (75%). Some DoS victims saw an attack only once a month. But plenty of others faced them more often. A third said that those attacks happened weekly. Another 5% said that they faced an attack at least once a day.
Protection Against API Botnet and DoS Attacks
In an API DoS attack, a malicious actor sends requests from multiple clients to overload an API service. Many groups use rate-limiting controls to prevent this from crashing their apps. In response, the attackers use botnets already trained to detect and remain within the confines of those controls. This helps to keep traffic at acceptable levels such that security solutions, such as API management systems and distributed denial-of-service (DDoS) attack prevention tools, don’t raise an alert of something amiss.
That highlights the larger problem of how to manage bot traffic more broadly. In the survey from Radware, under a quarter (24%) of respondents said that they had a specific solution for telling between real users and bots. Just 39% went on to attest that they were confident in knowing what’s going on with malicious botnets.
API Security Meets Botnet Protection
The only way to prepare for botnet attacks on their APIs is to practice API security and bot management. Regarding the former, focus on setting up authentication on APIs. This will help to prevent malicious actors from using botnets to conduct brute password and DoS attacks. They should consider using multi-factor authentication (MFA) as a means of obtaining an access token through an external process like the OAuth protocol. With that scheme in place, defenders can focus on a solution such as a management store. Doing so will help them to automate their processes of keeping their API access tokens safe and secure. In addition, look at measures such as role-based access control to confirm which resources can access an API.
On the bot management side of things, organizations can similarly implement MFA to prevent instances of credential stuffing as well as identity and access management to control which resources are available to which user accounts. Those practices can lay the groundwork for more controls such as CAPTCHAs and cloud-based web application firewalls. The former can help block bots from filling out forms, entering in credentials and/or even connecting to a site. The latter is useful for rooting out botnet attacks based upon their behavior. It can do this even before they even have a chance to interact with their sites.
An Eye Toward the Future
The threats facing APIs are evolving. The growth of artificial intelligence (AI) is helping to fuel the possibility of AI-powered digital attacks. Such incidents could take the form of phishers using machine learning algorithms to generate convincing messages as part of a business email compromise. From there, they can stage a brute force attack against APIs. They could also involve a botmaster using AI-powered software to probe a network so that they can know exactly where they want to strike their intended target.
These emerging threats highlight how some API protection efforts could benefit from working with a trusted vendor. A solution that centralizes security functions in a single gateway will help to provide even more powerful API security as part of a single package.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...