How to restrict DOS attack with Web API

Question

I am planning to develop a internet site using MVC4 and Web APi. Its a simple application which will display a customer information based on search.

For Search funct

Answer 1

By DOS attack I'm assuming you mean an attack on your system where constant requests are made in order to cause depletion of resources due to the constant execution of the company search query against your database.

To help prevent this you could log the remote IP address on every request and throttle the responses so you only serve so many per minute to each IP address. Any requests in addtions could be met by an artificial delay (e.g. Thread.Sleep()). This approach will be more limited against a DDoS attack where the remote IP addresses will be over a wide range, and also assumes your IP address lookup takes less resources than the company search, but it will still help.

MS Anti-XSS would only protect you from Cross Site Scripting and would not protect against DoS/DDoS. An Anti Forgery token would only protect you against Cross Site Request Forgery - even if you had a token, the bot could simply request your page to grab the token and then submit it to your API function.

A CAPTCHA may be another solution, but you would need for them to enter the CAPTCHA code in your webpage, and then validate it in your API web method.

Answer 2

There's a library called WebApiThrottle that defines a ThrottlingHandler you can use to programmatically limit the number of requests per second/minute/hour... based on the IP or other attributes of the caller.

Another option is to act at the IIS level, and of course you can use both to have a better control.

Answer 3

This is a very old question, but I hope this reference helps someone else.

Now we are using 'API Protector .NET' (https://apiprotector.net) to protect our APIs against DoS and DDoS attacks.

It's a library compatible with MVC, WebApi and .NetCore too, that has given us very good results, both in simplicity, but fundamentally in maintainability. With this lib you can protect each function of your API litterally with a single line, and in a very specific way.

As is explained in the website of API Protector .NET:

If you limit your API, in general way, to N requests per IP or per user, it is enough for these N requests can be used to constantly impact the same specific heavy function that can severely slow down the entire service.

“Each function of your API must be restricted in a particular way depending on the normal frequency of use and the cost of processing which that function implies for the server, otherwise you are not protecting your API.”

API Protector .NET allows you to protect each function of your .NET API against DoS and DDoS attacks without effort, in a simple, declarative and maintenable way.

The only negative point is that it costs USD 5, but it gave us what we was looking for at a very low price, unlike the WebApiThrottle library that although it was the first option I tried (because it is free), it ended up being impractical unmaintainable when we wanted to protect different functions in a specific way (which is critical for effective protection, as explained).

API Protector .NET allows to combine different protections (by ip, by user, by role, in general, etc) decorating each function with a single line, which makes it easy to implement and maintain. For a detailed explaination read: https://apiprotector.net/how-it-works

An interesting anecdote is that time ago, when we still protecting our APIs with WebApiThrottle, we did some tests simulating DDoS attacks, with many parallel requests from different hosts, and for some reason, (I think that is due to something related to thread synchronization), bursts of requests came in to the functions, and late with the server already overloaded, the throttling started. This, added to the difficult maintainability, did not give us too much confidence for a solid protection, and that's why we ended up trying this alternative that works well.