DDoS defense in Edge

Distributed denial-of-service (DDoS) attacks are becoming larger and more common. Recent attacks have seen record-setting levels of traffic, and predictions are that they will continue to get worse. The sheer size of these attacks has caused everyone to re-evaluate their defenses. By using compromised IoT devices, attackers can now build DDoS attacks much larger than was previously possible.

The goal of DDoS defenses for Apigee is to protect customer APIs in each customer's data center. Apigee Edge Cloud is built to accept large volumes of traffic and be the filter that keeps real requests flowing through to a customer data center and their API interfaces while at the same time dropping malicious traffic, watching for spikes, managing rate limiting, and keeping our customers online through the attack.

Apigee can detect spikes in traffic volume, but we cannot determine whether that spike is an attack, a successful campaign, or a new application released to end users. Apigee does not actively look inside API calls to determine which calls are legitimate and which are probably attacks. It is possible to look at API calls, but doing so isn't part of Apigee's normal operations. We do not review customer payloads, because that would be a privacy invasion for most traffic, customers, and end users. Apigee doesn't know if a particular spike on Tuesday afternoon is due to an attack or to a sudden successful adoption of the customer's app and services. Apigee can see the spike, but without additional details and context that are obvious to customers but not available to Apigee, we would not know how to respond. A worst-case scenario would be Apigee blocking an attack only to discover it was a major marketing success that Apigee had just killed by blocking the app during its hot period.

How does Apigee approach DDoS defense?

Apigee Edge is a tool in the security toolbox. The tool is available for the customer to configure as needed to block malicious traffic, limit valid but excessive traffic, or absorb load faster than the customer's backend can respond to it, preventing the customer's data center from being overwhelmed. Apigee Edge provides capabilities that allow our customers to create very specific security policies to defend the actual API services behind Apigee. Edge is a defensive layer that can scale as needed to absorb large traffic spikes (such as a DDoS attack) while limiting the impact on the backend (customers' data centers).

Since Apigee does not inspect the payload of every call for every customer, the ability to identify an attack rests with the customer. But the response to an attack should be coordinated between the customer and Apigee. Apigee can even involve the cloud provider (GCP or AWS) if needed.

Apigee, GCP, and AWS will not blackhole traffic destined to a customer. If Apigee does determine that the traffic is malicious, we will communicate with the customer and offer to assist. However, because of the scale of Apigee Edge, the simple volume of traffic is not a trigger to block traffic.

Customers can use Edge to create policies that protect against attacks (including DDoS). These policies do not come prebuilt out of the box, because that would imply that there is nothing unique about each customer's APIs, data, or services. Apigee cannot enable these policies without input from the customer; doing so would mean Apigee is reviewing the customer's data and making decisions about what is valid and what is not.

Edge is a tool to be used, and it can be used to do the things customers need to defend their APIs. But API defense takes some work by the customer.

The goal is to protect customer API services. That is one of the features and capabilities of Edge Cloud.

Other common questions

Can Apigee do blacklisting of (ip|country|url)?

Yes, if the policy is created, configured, and enabled in Edge within the customer's Edge organization.

Can Apigee detect bots or similar malicious activities?

Apigee offers a bot detection service called Sense.

Should I use a Web Application Firewall in front of Apigee Edge?

There are a few customers who use a third-party WAF in front of Apigee, but that is the exception, not the norm. In discussions with these customers, it is generally done because it is a requirement, not because it provides value.

Will Apigee blackhole traffic for me?

Apigee will not blackhole traffic destined to a customer. If Apigee can determine that the traffic is malicious, we will communicate with the customer and offer to assist. However, because of the scale of Apigee Edge and our cloud providers (GCP and AWS), the sheer volume of traffic is not a trigger to block traffic.

Detailed DDoS defense information

  1. GCP and AWS offer DDoS assistance at the network level as and when needed (for example, during a very large attack).
    • Apigee maintains security contacts at GCP and AWS for escalations and response if GCP or AWS assistance is needed to respond to an attack.
  2. Apigee Edge can be used for implementing policies that protect customer APIs from attack.
    • Rate limiting.
    • Spike arrests.
    • XML payload attack detection.
    • Other policies can be written to defend against specific attacks.
  3. Edge uses auto-scaling as part of its defense.
  4. Apigee and the customer (and GCP or AWS) need to work together during a DDoS attack. Open communications are important, and Apigee has security resources on call to our support team at all times.

The first response to a DDoS is to use Apigee Edge to help defend against the attack: enabling spike arrest, rate limiting, and even blacklisting source IP addresses. There are many tools available within Edge to defend against a DDoS attack.
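The capabilities listed above (rate limiting, spike arrest, XML payload attack detection) and the IP blacklisting mentioned here and in the "Other common questions" section are each configured as a policy inside an API proxy bundle and then attached to a flow. The following is an added illustration written for this page, not Apigee sample code or any customer's configuration: one proxy wiring together an AccessControl deny list, VerifyAPIKey, SpikeArrest, Quota and XMLThreatProtection in the proxy PreFlow. The policy names, the base path /v1/orders, the source addresses (TEST-NET ranges) and every threshold are constructed values and must be replaced with the customer's own.

```xml
<!-- apiproxy/policies/Access-Control-1.xml
     Source-IP deny list. The addresses are constructed examples from the
     TEST-NET ranges; everything not matched by a rule is allowed. -->
<AccessControl async="false" continueOnError="false" enabled="true" name="Access-Control-1">
    <DisplayName>Access Control 1</DisplayName>
    <IPRules noRuleMatchAction="ALLOW">
        <MatchRule action="DENY">
            <SourceAddress mask="32">198.51.100.7</SourceAddress>
            <SourceAddress mask="24">203.0.113.0</SourceAddress>
        </MatchRule>
    </IPRules>
</AccessControl>

<!-- apiproxy/policies/Verify-API-Key-1.xml
     Populates client_id so the limits below can be applied per app
     instead of to all traffic at once. -->
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="Verify-API-Key-1">
    <DisplayName>Verify API Key 1</DisplayName>
    <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- apiproxy/policies/Spike-Arrest-1.xml
     Short-window smoothing. 30ps is enforced as roughly one request per
     33 ms per message processor (SpikeArrest is not distributed); a burst
     above that is rejected with a SpikeArrestViolation fault (HTTP 429)
     rather than queued. -->
<SpikeArrest async="false" continueOnError="false" enabled="true" name="Spike-Arrest-1">
    <DisplayName>Spike Arrest 1</DisplayName>
    <Identifier ref="client_id"/>
    <Rate>30ps</Rate>
</SpikeArrest>

<!-- apiproxy/policies/Quota-1.xml
     Longer-window rate limit: 2000 calls per rolling hour per app, counted
     across message processors (Distributed) with asynchronous writes. -->
<Quota async="false" continueOnError="false" enabled="true" name="Quota-1" type="rollingwindow">
    <DisplayName>Quota 1</DisplayName>
    <Allow count="2000"/>
    <Interval>1</Interval>
    <TimeUnit>hour</TimeUnit>
    <Identifier ref="client_id"/>
    <Distributed>true</Distributed>
    <Synchronous>false</Synchronous>
</Quota>

<!-- apiproxy/policies/XML-Threat-Protection-1.xml
     Structural limits on inbound XML so deeply nested or oversized
     documents are rejected at the edge before the backend parses them.
     The limits are constructed examples; size them to the real schema. -->
<XMLThreatProtection async="false" continueOnError="false" enabled="true" name="XML-Threat-Protection-1">
    <DisplayName>XML Threat Protection 1</DisplayName>
    <Source>request</Source>
    <StructureLimits>
        <NodeDepth>8</NodeDepth>
        <AttributeCountPerElement>4</AttributeCountPerElement>
        <NamespaceCountPerElement>3</NamespaceCountPerElement>
        <ChildCount includeComment="true" includeElement="true" includeProcessingInstruction="true" includeText="true">20</ChildCount>
    </StructureLimits>
    <ValueLimits>
        <Text>1024</Text>
        <Attribute>256</Attribute>
    </ValueLimits>
</XMLThreatProtection>

<!-- apiproxy/proxies/default.xml
     Attach the policies to the proxy PreFlow. Order matters: the cheap IP
     check runs first, then the key check that sets client_id, then the two
     rate limits, and payload inspection last (only for XML bodies). -->
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step><Name>Access-Control-1</Name></Step>
            <Step><Name>Verify-API-Key-1</Name></Step>
            <Step><Name>Spike-Arrest-1</Name></Step>
            <Step><Name>Quota-1</Name></Step>
            <Step>
                <Name>XML-Threat-Protection-1</Name>
                <Condition>request.header.Content-Type = "application/xml"</Condition>
            </Step>
        </Request>
    </PreFlow>
    <HTTPProxyConnection>
        <BasePath>/v1/orders</BasePath>
    </HTTPProxyConnection>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
```

Two design points worth keeping in mind when adapting this. SpikeArrest and Quota answer different questions: SpikeArrest protects the backend from a burst measured in milliseconds and is enforced per message processor, so the effective ceiling scales with the number of processors handling the proxy; Quota enforces a business-level allowance over a longer window and, with Distributed set to true, counts across them. Both policies raise faults that appear in Edge analytics, which gives the customer the per-app, per-source context the page says Apigee itself lacks when deciding whether a Tuesday-afternoon spike is an attack or a product launch.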

If the attack is of large enough volume, Apigee can work with the customer to escalate to the appropriate cloud provider for "upstream assistance." Since each DDoS attack is unique, the response will be determined during the attack. However, best practices and details needed to help in the escalation are documented in Denial of Service Attack Mitigation on AWS.

Remember that the key is to create a plan for attacks. Don't forget, we are in this together. Customers who suspect they are under attack should immediately request the assistance of Apigee and the cloud providers. Before asking for escalation, gather the following:

  • AWS Account Number
  • IDs of affected resources (instances, IP addresses, load balancers, CloudFront distributions, etc.)
  • Nature of the attack (Increased volume? SYN flood? UDP flood?)
  • If the affected resources are accessible
  • If the sources have anything in common (Same IP? Contiguous IP addresses? Same country?)
  • If the traffic can be blocked using a NACL, Security Group, or black-hole routing without impacting customer traffic
  • The type(s) of traffic you are comfortable having AWS block

GCP

Apigee uses defenses provided by GCP as stated in the Best Practices for DDoS Protection and Mitigation, such as:

  • Virtual networks
  • Firewall rules
  • Load balancing

AWS

AWS publishes its Best practices for DDoS resiliency and How to prepare for DDoS attacks by reducing your attack surface. Apigee uses several of these that are applicable to our environment:

  • VPC
  • Security groups
  • ACLs
  • Route53
  • Load balancing