So I’ve got a production ASP c# WebAPI where abuse of the API has stressed other resources, and I would be delighted at any feedback on how others address these or similar issues. The answer to any of it could be calling the customer and asking them to fix their implementions, but I’d like to create controls that disallow the behaviors.
Project is for customers to interact with their data regarding clients – lifecycle is inbound of externally developed leads which are then worked in our application – return data of updated records back to the customer is the outbound. Token based customer access is working fine at controlling authentication and authorization. We’ve run into two general issues – frequency of requests and malformed requests.
[edit – formatting]
Some calls are for static lists of referential data which is fairly slow changing data – easily no updates in a week’s time. These have occasionally been abused with >1x per second call rates by customers. Fix: currently addressing with a authattribute on each method for rate filtering that caches (ip/method/date) with a dynamic expiration in seconds based on the attribute value (allowing for individually determined rate limits)
bad implementations – parameterized APIs for updates like getupdated/01012021/x which is meant to handle ‘get last since [date], last ID received is x’. This restricts batches to a defined number of records and allows ‘get more’ repeat calls to work through a long list in chunks. Have seen some customers implement badly so that calls seem to get stuck on a date in the past and send same params continously – we gladly retrieve the data and return it, all wasted cycles. Fix: currently addressing with a authattribute on targeted methods for spam filtering that caches (ip/method/querystring) with a static expiration in seconds to prevent repeat calls.
Any thoughts appreciated, and Happy New Year.
Setup API Management with something like APIGEE. If you can lock down the endpoints you could also use Azure/AWS API Management
As well as api management tools, to provide QoS to services, maybe also consider internal circuit breakers to ensure you reduce the blast radius when resource limits are reached