Everybody Blocks API Attacks, Right?

December 11, 2023 | by John Dasher

Block API Attacks, the Right Way

Many API security vendors claim to have products that detect and block API attacks. Like many security product categories, a bit of investigation is warranted when reviewing such claims. For example, many of these vendors offer some level of automated bot attack detection but cannot natively block these attacks. They instead rely on other infrastructure like content delivery networks (CDNs) or Web Application Firewalls (WAFs) to mitigate such attacks.

The problem with using CDNs or WAFs to block automated attacks is not that these products are bad. The problem is that this is not the purpose for which they were designed. First, most automated attacks result in hundreds of thousands if not millions of IP addresses being blocked, a load having the potential to cripple or even crash a WAF. Of course, when attackers see their attack being blocked, they re-tool, often shifting to a different batch of IP addresses. This constant influx of additional IPs to block often overwhelms systems not designed for this. Second, the number of WAF rules needed to block based on IP or other expressions will slow down the WAF since it was not designed to handle this use case. Last, the WAF becomes hard to manage. If there are false positives, imagine screening through those lists to remove a handful of IP addresses that belong to legitimate users, akin to finding needles within a massive haystack.

Cequence has been detecting and blocking automated bot attacks against APIs, web, and mobile applications for more than 7 years at some of the world’s largest Fortune and Global 2000 companies. With this on-going experience and the data analysis that comes with it, we know how attackers typically re-tool in response to blocks and use that knowledge to combat current attacks as well as downstream escalations.

I’d be remiss in not mentioning that while Cequence got its start in bot management, we have capabilities across the entire API protection lifecycle – from discovery to testing to detection and response. Our solutions as a whole comprise the Cequence Unified API Protection (UAP) platform, delivering far more value and protection than bot management alone.

Several things set the Cequence Unified API Protection solution apart from other vendors.

  • First, we accurately detect API attacks with an extremely low false positive rate. Our threat detection engine, CQAI, analyzes behavioral intent across API, web, and mobile traffic using patented multi-dimensional machine learning (ML) techniques to fingerprint requests separating malicious from legitimate actions. Fingerprinting significantly contributes to Cequence being agile, responsive, and resilient to adversarial re-tooling. With our low false positive rate, only legitimate API traffic is allowed through to your applications, enabling customers to confidently place the Cequence solution inline, natively blocking attacks in real time.
  • Second, Cequence won’t adversely impact your CDN or WAF, as we’re not trying to make it do something it wasn’t designed for. Many vendors rely on a WAF for attack mitigation which is inefficient, slow, and has been known to crash the WAF as they are simply not built to handle the kind of address volume that a coordinated attack delivers.
  • Third, no application integration is required. We protect your web, mobile, and API applications without needing to integrate JavaScript code or use an SDK to modify your apps. As a result, we deliver organizations more consistent and complete protection.
  • Last, our solution is enterprise-class, elastically scaling to identify and block attacks at the largest and most demanding organizations in the world. Cequence secures more than 8 billion daily API calls and protects more than 3 billion user accounts. A significant percentage of Cequence customers belong to the Fortune 500, a proof point illustrative of our ability to scale for even the largest organizations.

We’d love an opportunity to show you firsthand how we can help you in your API security efforts, putting you in a position to immediately solve today’s challenges while enabling you to easily and quickly respond to tomorrow’s.

John Dasher

Author

John Dasher

VP Product Marketing

Additional Resources