Netflix has published a blog post on strategies for mitigating application-layer DDoS in microservice architectures. It covers how to identify the requests that trigger these attacks, how to test them with Netflix's open source Repulsive Grizzly and Cloudy Kraken frameworks, and finally some best practices for protecting a system against them.
Scott Behrens, ambassador of application security at Netflix, and Bryan Payne, Product and Application Security Lead at Netflix, first point out that microservice architectures are particularly susceptible to application DDoS attacks. This is because a single expensive API call can fan out into many network hops across internal services, so that a small amount of attacker traffic at the edge makes the system effectively attack itself:
“A single request in a microservices architecture may generate tens of thousands of complex middle tier and backend service calls”
The first challenge posed by these application DDoS attacks is identification. How can a call that looks like a legitimate API request from a user be detected at the edge as one that will trigger heavy resource utilization internally?
One of the first strategies outlined is measuring how long API calls take. Rather than looking at the front tier, where timings may give false positives, it is more useful to monitor request times for the back-end services. Slow back-end requests can then be traced back to determine which original edge API calls could have triggered them.
Once the developer has found these API calls, the next step is to examine each request itself and find ways to make it more expensive. The example given is a range parameter in a search request, which can be increased to produce a larger result set. Useful indicators that the right request has been identified are error signals such as rate limiting and exceptions, or simply increased latency.
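The two steps above, correlating slow back-end calls with the edge requests that caused them and then widening a range parameter to make a candidate request more expensive, can be sketched in a few lines. The following is an added example written for this article, not code from Netflix or from the Repulsive Grizzly project; the log formats, the shared trace id, the `range` parameter name and the sample log lines are all constructed assumptions.

```python
"""Added example (not Netflix's code): find edge API calls that fan out into
expensive back-end work by joining constructed edge and back-end log lines on
a shared trace id, then build a more expensive variant of a request by
widening its numeric range parameter."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed sample logs (not real traffic). Assumed formats:
#   edge:     <trace_id> <method> <path?query>
#   back-end: <trace_id> <service> <duration_ms>
EDGE_LOG = """\
t1 GET /api/search?q=drama&range=10
t2 GET /api/search?q=drama&range=500
t3 GET /api/profile/42
t4 GET /api/search?q=comedy&range=500
"""
BACKEND_LOG = """\
t1 search-svc 12
t1 metadata-svc 8
t2 search-svc 410
t2 metadata-svc 390
t2 ranking-svc 220
t3 profile-svc 15
t4 search-svc 380
t4 metadata-svc 420
"""

EDGE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
BACKEND_RE = re.compile(r"^(\S+) (\S+) (\d+)$")


def parse_edge(log):
    """Map trace id -> (method, target) from edge log lines."""
    edge = {}
    for line in log.splitlines():
        m = EDGE_RE.match(line)
        if m:
            trace, method, target = m.groups()
            edge[trace] = (method, target)
    return edge


def parse_backend(log):
    """Map trace id -> list of (service, duration_ms) from back-end log lines."""
    cost = defaultdict(list)
    for line in log.splitlines():
        m = BACKEND_RE.match(line)
        if m:
            trace, svc, ms = m.groups()
            cost[trace].append((svc, int(ms)))
    return cost


def template(method, target):
    """Collapse query values so calls that differ only by parameter values group together."""
    parts = urlsplit(target)
    keys = sorted(parse_qs(parts.query, keep_blank_values=True))
    if not keys:
        return f"{method} {parts.path}"
    return f"{method} {parts.path}?" + "&".join(k + "=*" for k in keys)


def expensive_edge_calls(edge_log, backend_log, slow_ms=300):
    """Rank edge request templates by total back-end time of traces that
    contained at least one slow back-end call (>= slow_ms)."""
    edge = parse_edge(edge_log)
    backend = parse_backend(backend_log)
    totals = defaultdict(int)
    for trace, calls in backend.items():
        if trace not in edge or not any(ms >= slow_ms for _, ms in calls):
            continue  # orphaned trace, or nothing slow: not a candidate
        totals[template(*edge[trace])] += sum(ms for _, ms in calls)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def amplify(target, param="range", factor=10):
    """Return target with a numeric query parameter multiplied by factor,
    or None if the request has no such parameter to widen."""
    parts = urlsplit(target)
    q = parse_qs(parts.query, keep_blank_values=True)
    if param not in q or not q[param][0].isdigit():
        return None
    q[param] = [str(int(q[param][0]) * factor)]
    return urlunsplit(parts._replace(query=urlencode(q, doseq=True)))


if __name__ == "__main__":
    for tmpl, ms in expensive_edge_calls(EDGE_LOG, BACKEND_LOG):
        print(f"{ms:6d} ms  {tmpl}")
    print(amplify("/api/search?q=drama&range=10"))
```

Run against the constructed logs, only the search endpoint surfaces as a candidate, because its traces are the ones carrying slow back-end calls; the profile lookup never does. The amplified request is what one would then feed to a load tool, and the signals to watch are the ones the article names: rate limiting, exceptions, or rising latency on the back-end services.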
Once these sorts of requests are identified, it’s suggested to use Repulsive Grizzly, an application…