Free TrialSign In
Decorative Image

Unrestricted Resource Consumption

Executive summary

APIs are integral to modern digital services, but they are increasingly vulnerable to attacks like Unrestricted Resource Consumption, which can cause significant disruptions by overwhelming system resources. These attacks, often resembling Denial of Service (DoS), do not seek to steal data but to incapacitate services by flooding APIs with excessive requests, exhausting resources such as CPU, memory, and bandwidth. This can lead to significant downtime, financial losses, and damage to reputation. To mitigate this risk, businesses must implement robust protections like rate limiting, throttling, and resource management to ensure their APIs remain resilient and available under any circumstances.

Unrestricted Resource Consumption: A Silent Threat to API Security

APIs have become the driving force behind many of today’s most popular services, from social media and online banking to weather apps and e-commerce platforms. But with this growing reliance on APIs comes the increased risk of attacks that target their vulnerabilities. One such attack, often underestimated but highly damaging, is Unrestricted Resource Consumption.

What is Unrestricted Resource Consumption in API Attacks?

Unrestricted Resource Consumption attacks occur when an API is flooded with an excessive number of requests, overwhelming its resources and making the service unavailable to legitimate users. In this type of attack, often referred to as Denial of Service (DoS) or Distributed Denial of Service (DDoS), attackers exploit APIs without proper rate limiting, allowing them to exhaust resources such as CPU, memory, or bandwidth.

These attacks don’t necessarily try to break into the system but instead aim to overload it, causing major disruption and service downtime.

How Do These Attacks Work?

Imagine an API that serves up weather data to users. Under normal circumstances, a user might request updates about local weather conditions a few times a day. However, an attacker could send thousands or even millions of requests in a short period, causing the API server to become overloaded and unable to handle legitimate traffic.

Key points of failure include:

  • CPU/Memory Overload: Each request consumes server resources, and without restrictions, this can lead to exhaustion.
  • Bandwidth Consumption: APIs that return large amounts of data are particularly vulnerable, as attackers can force the server to send data repeatedly, consuming bandwidth.
  • Database Stress: APIs connected to databases are at risk of resource exhaustion as attackers can generate endless database queries.

Now, let’s look at two real-world examples that highlight the devastating impact of these attacks.

Real-World Example 1: GitHub’s Memcached DDoS Attack

In 2018, GitHub, one of the world’s largest code-hosting platforms, experienced a massive DDoS attack that overwhelmed its API. The attack, which peaked at 1.35 terabits per second, was one of the largest recorded at the time. The attackers exploited Memcached, a distributed caching system, to amplify traffic. Memcached was used to generate massive amounts of data in response to a small number of requests.

This attack targeted GitHub’s API infrastructure, overwhelming it with an enormous volume of traffic and consuming its available resources. As a result, GitHub’s services were temporarily unavailable until they quickly mitigated the attack. The incident underscores the importance of having rate limits and traffic control mechanisms to prevent resource consumption attacks.

Lessons Learned: API providers should be vigilant about rate limiting and implementing traffic filtering, especially when dealing with services that could be used to amplify attacks, like caching systems.

Real-World Example 2: Skype API Exploitation

In 2016, Microsoft’s Skype API became the target of a resource consumption attack. The Skype API allowed users to send messages, make calls, and share media, all of which consumed server resources. However, attackers discovered that by flooding the API with message requests, they could overwhelm the system and force it to crash, rendering the service unavailable for legitimate users.

The attack took advantage of Skype’s lack of effective rate limiting on its messaging API. Attackers sent continuous bursts of messages, consuming the available memory and CPU, which eventually caused the Skype service to fail for many users worldwide. This caused widespread disruption, particularly for businesses that relied on Skype for communications.

Lessons Learned: APIs that handle user-generated content or messaging are especially vulnerable to resource consumption attacks and need strong rate limiting, message size restrictions, and API throttling mechanisms in place.

How to Protect Your API from Unrestricted Resource Consumption Attacks

While these real-world examples show just how disruptive these attacks can be, the good news is that they are preventable with the right defenses in place. Here are some key strategies for protecting your APIs:

  1. Rate Limiting Implement rate limiting to control the number of requests a user or client can make in a given period. This prevents attackers from overwhelming your API with excessive traffic. For example, limit users to 100 API calls per minute.
  2. Throttling and Quotas Use throttling to slow down clients who exceed their request limits rather than blocking them entirely. Quotas can also limit the total number of API calls a client can make over a longer time period (daily, weekly, etc.).
  3. Authentication and Authorization Require strong authentication and authorization to ensure only legitimate users can access the API. Assigning different quotas to different types of users (e.g., regular users vs. premium users) can help prioritize traffic and protect resources.
  4. Monitoring and Alerts Set up real-time monitoring for unusual traffic patterns or resource spikes. This will allow your team to respond quickly when an attack is detected.
  5. Load Balancing and Autoscaling Distribute API traffic across multiple servers to prevent overloading any single server. Autoscaling can dynamically allocate resources during high-traffic periods, helping to mitigate the impact of resource consumption attacks.

Conclusion: Don’t Let Your API Fall Victim to Unrestricted Resource Consumption

APIs are the backbone of many online services, but they are also prime targets for attacks like Unrestricted Resource Consumption. These attacks, while subtle, can have significant consequences—ranging from service disruptions and financial losses to reputation damage.

By implementing robust protections like rate limiting, throttling, and resource management, you can keep your APIs secure and ensure they continue to operate smoothly, even under the threat of attack.

Is your API secure? Codesealer offers industry-leading solutions to protect against Unrestricted Resource Consumption attacks and other API vulnerabilities. Learn more about how we can help keep your services up and running, no matter what.

Codesealer Free Trial Available

Take a deep dive into the technology, get in touch with us, or try Codesealer totally free.

We have something for both managers and developers. Click below to find out about what next steps you can take.

Learn More About Codesealer
image saying 'protected by Codesealer'
Privacy Policy
Njalsgade 76, 3rd FloorCopenhagen, Denmark
Codesealer
Our ProductDeployment Options and PricingSee Codesealer in ActionTry It YourselfLearn MoreCodesealer Portal
Features
API EncryptionAPI ConcealmentSecure Code DeliverySeamless IntegrationNo Code ChangesRuntime Protection
Resources
White PapersCybersecurity InsightsDemo VideosAPI Security Best PracticesOWASP Top 10 StandardsPCI DSS v4.0
Company
About UsPrivacy PolicyContact Us