Hi all,
Backendless is looking really great, but I have the following question. To be clear this has not manifested itself (yet), but I was wondering how this should be handled or how other users are handling this situation.
Scenario:
Eve starts a DDoS against an API running on Backendless. In that case, there are two things that might happen: (1) a high amount of “bad” data (e.g. 1000 new user accounts, made by Eve) is generated and (2) one could use up all the API calls in the subscription from Backendless. In the latter case, one is forced to buy extra. Not a desirable situation.
For a static frontend one can use a CDN or put some caching mechanism in place, but the best way to handle this kind of problem on the backend is less obvious to me.
A couple of things that I came across:
- I saw some posts that suggested rate limiting activity per IP. Sure, this is possible, but I don’t think this is solving the right problem. To me this seems like a bad attempt to imitate a real DDoS mitigation service.
- Using an API gateway (AWS seems to have it: Protecting API Endpoints (BP4) - AWS Best Practices for DDoS Resiliency). I have personally never used a service like this. Would this be a good thing to use? The first issue would be that the API gateway should be context aware to some extent. Creating 3 user accounts per minute is strange, but requesting real data as a user might be totally normal.
- CDN provider: as the requests will come from an application, this is the result of a “robot” and the CDN will rightfully detect that it is not a human. So this does not seem to be the correct solution in this scenario.
I would like to hear how this problem is supposed to be solved.
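The post contrasts a generic per-IP limit with a limit that knows which endpoint is being hit (3 sign-ups per minute is suspicious, 300 reads per minute is not). The following is an added illustration of that distinction, not code from the original post and not anything Backendless ships: a sliding-window limiter keyed on (client IP, route) with a per-route budget, plus a global per-route cap so that a flood of sign-ups spread over many IPs (the distributed case a per-IP rule alone misses) still trips a limit. Route names, limit values, IP addresses and the request timeline are all constructed for the example.

```python
import time
from collections import defaultdict, deque

# Hypothetical per-route budgets: (max requests, window in seconds) per client IP.
ROUTE_LIMITS = {
    "POST /users/register": (3, 60),   # account creation: a handful per minute is plenty
    "GET /data": (300, 60),            # ordinary reads by a logged-in user: generous
}
DEFAULT_LIMIT = (60, 60)

# Hypothetical global budgets per route, across all IPs. This is what catches a
# distributed sign-up flood where every single IP stays under the per-IP limit.
GLOBAL_LIMITS = {
    "POST /users/register": (100, 60),
}


class SlidingWindowLimiter:
    """Sliding-window counter keyed on (ip, route) and on ('*', route)."""

    def __init__(self, limits=ROUTE_LIMITS, default=DEFAULT_LIMIT,
                 global_limits=GLOBAL_LIMITS):
        self.limits = limits
        self.default = default
        self.global_limits = global_limits
        self._hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, ip, route, now=None):
        """Return True if the request fits every applicable budget, else False."""
        now = time.monotonic() if now is None else now
        per_ip_limit, per_ip_window = self.limits.get(route, self.default)
        checks = [((ip, route), per_ip_limit, per_ip_window)]
        if route in self.global_limits:
            g_limit, g_window = self.global_limits[route]
            checks.append((("*", route), g_limit, g_window))

        queues = []
        for key, limit, window in checks:
            q = self._hits[key]
            # Drop timestamps that have fallen out of the window.
            while q and now - q[0] >= window:
                q.popleft()
            if len(q) >= limit:
                return False  # deny without counting, so a denied request costs nothing
            queues.append(q)
        for q in queues:
            q.append(now)
        return True


def replay(limiter, requests):
    """Feed (t, ip, route) tuples in time order; return {(ip, route): (allowed, denied)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, ip, route in sorted(requests):
        ok = limiter.allow(ip, route, now=t)
        stats[(ip, route)][0 if ok else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}


# Constructed timeline: one attacker IP hammering sign-ups, one legitimate reader.
SAMPLE_REQUESTS = (
    [(float(t), "203.0.113.5", "POST /users/register") for t in range(10)]
    + [(61.0, "203.0.113.5", "POST /users/register")]  # one minute later: window has slid
    + [(float(t), "198.51.100.7", "GET /data") for t in range(50)]
)

# Constructed distributed flood: 60 IPs, 2 sign-ups each, all inside one minute.
DISTRIBUTED_SIGNUPS = [
    (i * 0.5 + offset, f"10.0.0.{i}", "POST /users/register")
    for i in range(60)
    for offset in (0.0, 0.1)
]


if __name__ == "__main__":
    for key, (ok, denied) in replay(SlidingWindowLimiter(), SAMPLE_REQUESTS).items():
        print(f"{key[0]:>14} {key[1]:<22} allowed={ok:3d} denied={denied:3d}")
    flood = replay(SlidingWindowLimiter(), DISTRIBUTED_SIGNUPS)
    print("distributed sign-ups allowed:", sum(a for a, _ in flood.values()),
          "denied:", sum(d for _, d in flood.values()))
```

In the first replay the attacker gets 3 sign-ups through, is denied on the next 7, and gets one more through once the oldest hits age out of the 60-second window, while the legitimate reader's 50 reads are never touched because they are counted against a different route budget. In the second replay every IP stays under its own limit of 3, so only the global cap of 100 per minute denies the last 20 sign-ups. Note what this does and does not buy you: the denied requests still reach whatever enforces the limit, so it has to sit in front of the metered API (a gateway or proxy you run) rather than inside it, and the global cap turns a flood into a temporary outage of one endpoint rather than a bill.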