API overuse
  • 08 Dec 2022


Rate limiting an API protects the API Endpoints and the services behind them from brute-force and other high-volume attacks. You can create multiple rules based on your requirements, or add multiple criteria to the same rule. When a rate-limit rule is violated, it can take one of the following three actions against the threat actor:

  • Block the IP address
  • Suspend the threat actor for some time
  • Send an alert, but do not block the user or the IP address

Creating a rate-limiting rule consists of the following steps:

  1. Define the scope of the rule.
  2. Select the location type and IP reputation. Both of these configurations are optional.
  3. Add request/response criteria.
  4. Set the static rules.

Define scope

The scope defines the API Endpoints to which the API overuse rule applies. You can select one or more APIs individually, or you can select a label. When you select a label, the rule applies to every API that carries that label. For example, selecting the External label applies the rule to all the External API Endpoints.

Location type and IP reputation

You can optionally select the category to which the location of the IP address belongs. The location can be one or more of the following types:

  • Anonymous VPN
  • Hosting provider
  • Public Proxy
  • Tor exit node - A Tor exit node is a node in the Tor network from where the traffic enters the public network.
  • Bot

In addition, you can select the reputation of the IP address. Traceable categorizes the reputation of an IP address as low, medium, high, or critical risk.

Add request/response criteria

You can add one or more request or response criteria to the rule. These criteria can match on different parts of the request, such as:

  • URL
  • Host
  • HTTP method
  • User agent
  • Body
  • Query and Body parameters
  • Cookie
  • Header

Set static rule

To complete the API overuse rule, you need to set a few static rules. These rules define the numerical limits after which the rule triggers. You can also choose the type of event that is created when the rule is triggered. Finally, select the action to take when the conditions of the rule are violated.

The compute condition determines what the numerical limit is counted against, that is, whether the limit applies:

  • Per IP address and Per API Endpoint - This means that if an IP address exceeds the set limit for an API Endpoint, then the chosen action would be implemented.
  • Per IP address across all the selected API Endpoints - This means that if an address violates a rule, then the rule is applied across all the endpoints for that IP address.
  • Total requests across all users for an API Endpoint - This means that if you have set a limit of 100 requests in 1 minute and there are 5 users, and each user sends 20 or more requests in a minute, then access to the API Endpoint would be blocked or allowed as per the chosen action.
  • Total requests across all users across all the selected API Endpoints - The rule would trigger if all the users cumulatively exceed the set limit across all the selected API Endpoints.
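As an added illustration (not Traceable's code), the following Python sliding-window counter charges each request to the bucket implied by each of the four compute conditions above and replays constructed traffic through it; the rule class, endpoint paths and IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque

# The four compute conditions described above
PER_IP_PER_ENDPOINT = "per_ip_per_endpoint"
PER_IP_ALL_ENDPOINTS = "per_ip_all_endpoints"
TOTAL_PER_ENDPOINT = "total_per_endpoint"
TOTAL_ALL_ENDPOINTS = "total_all_endpoints"


def _bucket(scope, ip, endpoint):
    """Map a request to the counter it is charged against under a compute condition."""
    return {
        PER_IP_PER_ENDPOINT: (ip, endpoint),   # one counter per (IP, endpoint) pair
        PER_IP_ALL_ENDPOINTS: (ip,),           # one counter per IP across all endpoints
        TOTAL_PER_ENDPOINT: (endpoint,),       # one counter per endpoint across all users
        TOTAL_ALL_ENDPOINTS: (),               # a single global counter
    }[scope]


class OveruseRule:
    """Hypothetical rule: fires when a bucket exceeds `limit` requests within `window_s` seconds."""

    def __init__(self, scope, limit, window_s, action="alert"):
        self.scope, self.limit, self.window_s, self.action = scope, limit, window_s, action
        self.windows = defaultdict(deque)  # bucket -> timestamps of requests still in the window

    def observe(self, ts, ip, endpoint):
        """Record one request; return the configured action if the limit is exceeded, else None."""
        q = self.windows[_bucket(self.scope, ip, endpoint)]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:  # evict requests that fell out of the window
            q.popleft()
        return self.action if len(q) > self.limit else None


# Constructed traffic as (timestamp_s, source_ip, endpoint): five clients send 20 login
# requests each, and the first client additionally sends 10 search requests.
REQUESTS = [(i * 0.5, f"10.0.0.{n}", "/v1/login") for n in range(1, 6) for i in range(20)]
REQUESTS += [(i * 0.5 + 0.25, "10.0.0.1", "/v1/search") for i in range(10)]


def triggered_actions(scope, limit, window_s):
    """Replay REQUESTS through one rule; return the (ip, endpoint) pairs that triggered it."""
    rule = OveruseRule(scope, limit, window_s, action="block_temporary")
    hits = []
    for ts, ip, endpoint in sorted(REQUESTS):
        if rule.observe(ts, ip, endpoint) and (ip, endpoint) not in hits:
            hits.append((ip, endpoint))
    return hits
```

Running the same traffic under different scopes shows why the choice matters: a per-IP-per-endpoint limit of 20 never fires, while a per-IP limit of 20 across all endpoints fires for the client that split its traffic over two endpoints.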

A threat activity will be generated if the criteria and conditions are matched. For more information on threat activities, see Threat Activity.

Configure event severity

Configure the severity of the event that is generated when a rule is triggered. Events can have low, medium, high, or critical severity.

Configure action

Finally, configure the action to take when a rule is triggered. You can choose one of the following three actions:

  • Block the user indefinitely
  • Block the user for a limited period of time
  • Send an alert that the rule was triggered, but do not block the user.
