Firms struggle to deal with API threats, DDoS attacks
The growing use of application programming interfaces (APIs) is giving attackers more ways to break authentication controls, exfiltrate data, or perform disruptive acts, according to a new research report published by Cloudflare on Wednesday.
APIs provide a key entry point into a company’s most valuable data and sensitive information, making them a critical point of vulnerability for companies — for example, OpenAI’s ChatGPT API enables Slack to streamline chat-based workflows, and Booking.com to deliver more personalised trip planning experiences. Failure to protect such APIs can lead to attacks, data breaches, and other security compromises.
“APIs are challenging to protect from abuse. They require deeper business context, discovery methods, and access verification controls compared to other web application security services,” the report said, adding that organisations that implement API security without an accurate, real-time picture of their API landscape can unintentionally block legitimate traffic.
The study said that API traffic outpaces other internet traffic, attributing 57% of the dynamic HTTP traffic Cloudflare processes to successful API requests.
Cloudflare, which handles 20% of global Internet traffic, also observed that many organisations lack a full inventory of their APIs, making them difficult to manage. Cloudflare’s machine learning tools discovered nearly 31% more Representational State Transfer (REST) API endpoints (the API locations responsible for accepting requests and sending back responses) than were identified through customer-provided session identifiers.
According to Cloudflare, APIs that are not managed or secured by the organisation using them, known as shadow APIs, are often introduced by developers or individual users to run specific business functions.
Furthermore, 52% of all API errors processed by Cloudflare carried the HTTP status code 429, “too many requests”. This is consistent with the finding that 33% of API mitigations involved blocking Distributed Denial of Service (DDoS) attacks, in which attackers disrupt servers by flooding the APIs with traffic.
Other leading API errors were bad requests (error code 400) at 13.8%, not found (error code 404) at 10.8%, and unauthorised (error code 401) at 10.3%.
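The two findings above, undeclared endpoints surfacing in traffic and a 429-heavy error profile, can be reproduced at small scale from API access logs. The following is an added illustration written for this article, not Cloudflare’s tooling or anything from the report: it collapses identifier segments in REST paths so that each endpoint is counted once, flags observed endpoints missing from a declared inventory (the shadow APIs), and tallies each error status’s share of all errors. The log lines, the declared inventory and the path normalisation rule are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of API access log lines: "METHOD PATH STATUS". Not real traffic.
SAMPLE_LOG = """\
GET /api/v1/users/1042 200
GET /api/v1/users/77 429
POST /api/v1/orders 201
GET /api/v1/orders/9001 404
GET /api/v1/users/1042/export 200
GET /api/v1/users/55 429
DELETE /api/v1/users/55 401
GET /api/internal/debug/config 200
GET /api/v1/users/9 429
POST /api/v1/orders 400
"""

# Constructed inventory: the endpoints the application team says exist.
DECLARED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Assumed rule: a segment that is all digits, a long hex string or a UUID is an identifier.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$")

def normalise(path):
    """Collapse identifier segments so /users/1042 and /users/77 map to one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))

def analyse(log_text, declared):
    """Return observed endpoints, shadow endpoints, and each error code's share of errors."""
    observed, statuses = set(), Counter()
    for line in log_text.splitlines():
        method, path, status = line.split()
        observed.add((method, normalise(path)))
        statuses[int(status)] += 1
    shadow = observed - declared          # seen in traffic but never declared
    errors = {code: n for code, n in statuses.items() if code >= 400}
    error_total = sum(errors.values())
    error_share = {code: round(n / error_total, 3) for code, n in errors.items()}
    return {"observed": observed, "shadow": shadow,
            "error_share": error_share, "total": sum(statuses.values())}
```

With the constructed sample, three undeclared endpoints are flagged and 429 accounts for half of all errors, the kind of profile that would prompt a look at rate limiting and DDoS mitigation rather than at application bugs.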
In a report published in September 2023, the Computer Emergency Response Team (CERT-In), the nodal agency under the Ministry of Electronics and Information Technology, found a 62% increase in the number of API attacks on the Indian financial sector in the first half of the year (to June 2023) compared with the previous year.
A majority of the API attacks, around 57%, were due to security misconfiguration, which occurs when security options are not defined in a way that maximises security, or when services are deployed with insecure default settings. It also said that APIs in the Indian financial sector were targeted by DDoS attacks.
Melinda Marks, Practice Director, Cybersecurity, for Enterprise Strategy Group, said, “APIs are powerful tools for developers to create full-featured, complex applications to serve their customers, partners, and employees, but each API is a potential attack surface that needs to be secured.”
“As this new report shows, organisations need more effective ways to address API security, including better visibility of APIs, ways to ensure secure authentication and authorisation between connections, and better ways to protect their applications from attacks.”