
You have an open-facing Azure API Gateway that can be consumed by anyone, and you want to protect yourself from the API being spammed by the same IP or the same individual behind multiple IPs.

There are policies one can configure within API Management to:

Setting limits by subscription (specific consumers) or key (specific apps) wouldn't work because your API is open to the public. Even if you had a key required from auth, this doesn't stop a user from spamming the gateway with an unauthorized key. The last option of restricting caller IPs one-by-one doesn't prevent the issue from happening in the first place.

How do you protect against the same user (IP) repeatedly crushing your rate or quota limits? Additionally, how would you protect against that same user doing this across multiple IPs?

My guess is that this is likely covered in Azure's DDoS Protection Basic but I felt that I couldn't get a concrete answer out of those docs.

8protons
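The "rate or quota limits" the question refers to are API Management policies, and the per-IP case can be handled inside the gateway itself rather than waiting for DDoS detection. The policy fragment below is an added example, not code from the question or from Microsoft's documentation. It uses the documented `rate-limit-by-key` and `quota-by-key` policies; the numeric limits and the `X-Client-Id` header are assumptions chosen for illustration.

```xml
<policies>
    <inbound>
        <base />
        <!-- Per-source-IP throttle: at most 20 calls per 60-second window from one IP
             (illustrative numbers). The counter key is the caller's IP as seen by the
             gateway, so unauthenticated callers are throttled too, and they get HTTP 429
             instead of reaching the backend. -->
        <rate-limit-by-key calls="20"
                           renewal-period="60"
                           counter-key="@(context.Request.IpAddress)"
                           remaining-calls-variable-name="remainingCallsPerIp" />

        <!-- Longer-horizon quota keyed on a client identity when one is present, so a
             caller that rotates IPs but reuses the same credential shares one counter.
             'X-Client-Id' is an assumed header; fall back to the IP when it is absent.
             Only failed-auth responses are counted, which bounds repeated bad-credential
             traffic without penalising well-behaved clients. -->
        <quota-by-key calls="100"
                      renewal-period="3600"
                      counter-key="@(context.Request.Headers.GetValueOrDefault("X-Client-Id", context.Request.IpAddress))"
                      increment-condition="@(context.Response.StatusCode == 401 || context.Response.StatusCode == 403)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two caveats a practitioner should check before relying on this. First, `context.Request.IpAddress` is the address of whatever connected to the gateway; if a CDN, Front Door or WAF sits in front of APIM, that will be the proxy's IP and every caller will share one counter, so the key must instead be derived from the forwarded-client header that your front end sets. Second, a per-IP limit cannot, by itself, tie together one person spread across many IPs; the second counter only helps when the caller reuses something identifying (a key, token or client ID), which is why the quota above keys on that identity when it exists and counts only authentication failures.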

1 Answer


What you are looking for is included in the Standard version:

DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.

Cost guarantee: Receive data-transfer and application scale-out service credit for resource costs incurred as a result of documented DDoS attacks.

See: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview

Shiraz Bhaiji
  • How does this block from something like n unauthorized hits? – 8protons Apr 03 '21 at 00:02
  • The first one will block requests after Azure flags them as a DDoS attack. The second one ensures that you do not pay for the load that a DDoS attack generates. – Shiraz Bhaiji Apr 03 '21 at 08:31
  • But what if Azure doesn't recognize it as a DDoS attack because it isn't? Let's say this is a trusted device that has a stale password that is repeatedly hitting the server? – 8protons Apr 05 '21 at 15:32