jrkatz | 4 years ago

A basic step for securing a resource-intensive API from DDoS attacks and some user impersonation attacks is to rely on a security token in a cookie set in the response to an earlier request. For example, a user may land on a web page and receive a unique, encrypted, short-lived security token cookie that is marked HttpOnly (inaccessible to JavaScript), plus a copy of the token in cleartext. When the user agent later polls an expensive API, it must send the cleartext token as part of the request. Server-side, that's compared to the encrypted copy (received from the cookie) and the expensive call is terminated early if they do not match.

A DDoS attack that relies on a malicious ad or web page directing user agents to poll your expensive API in a loop will no longer work as well, because those user agents will not have the correct security token cookie value, and the attacker is unable to figure out what the correct value is for any given user agent running their malicious code. More sophisticated/expensive attacks are still available, but anything is an improvement.

There are a few ways to skin this cat, so don't refer to the above as a how-to guide; find a more authoritative voice on best practices than me, please, if you try to implement security like this.

Anyhow, if you want to use an API implementing security like this, you copy the cookies out of your browser and feed them to your program so it can add them to the calls.
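The server side of the scheme the comment describes, as an added example that is not part of the original post: the cookie carries the token with an expiry and an HMAC under a server-only key (a signed value standing in for the comment's "encrypted" cookie, an assumption of this example), the cleartext copy is returned to the page, and the expensive endpoint runs only when a fresh, untampered cookie matches the submitted token. Names such as `api_token`, `X-Api-Token` and `handle_expensive_request` are assumed here.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # secret known only to the server (assumed setup)
TOKEN_TTL = 300  # seconds a token stays valid; short-lived, as in the comment


def issue_token(now=None):
    """Return (cookie_value, cleartext_token). Cookie value is 'token.expiry.mac'."""
    now = int(time.time() if now is None else now)
    token = secrets.token_urlsafe(32)
    expiry = now + TOKEN_TTL
    payload = f"{token}.{expiry}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{token}.{expiry}.{mac}", token


def set_cookie_header(cookie_value):
    """Set-Cookie line for the page response: HttpOnly keeps page scripts from reading it."""
    return f"api_token={cookie_value}; HttpOnly; Secure; SameSite=Lax; Max-Age={TOKEN_TTL}"


def check_token(cookie_value, submitted_token, now=None):
    """Gate for the expensive endpoint: True only when cookie and submitted token agree."""
    now = int(time.time() if now is None else now)
    try:
        token, expiry, mac = cookie_value.split(".")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return False  # cookie absent or malformed: reject before doing any work
    payload = f"{token}.{expiry}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # cookie was tampered with or forged
    if now >= expiry:
        return False  # token expired; client must load a page again to get a new one
    # Constant-time compare so the check itself leaks nothing about the token.
    return hmac.compare_digest(token, submitted_token or "")


def handle_expensive_request(cookies, headers, now=None):
    """Terminate early on mismatch; a page that can only trigger credentialed
    requests, but cannot read the cleartext token, never reaches the real work."""
    if not check_token(cookies.get("api_token"), headers.get("X-Api-Token"), now):
        return 403, "missing or mismatched token"
    return 200, "expensive work done"
```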
