Cisco

350-201 · Question #83

The correct answer is D: "Apply a limit to the number of requests in a given time interval for each API. If the rate is"

Question

An API developer is improving an application code to prevent DDoS attacks. The solution needs to accommodate instances of a large number of API requests coming for legitimate purposes from trustworthy services. Which solution should be implemented?

Options

  • A. Restrict the number of requests based on a calculation of daily averages. If the limit is exceeded,
  • B. Implement REST API Security Essentials solution to automatically mitigate limit exhaustion. If the
  • C. Increase a limit of replies in a given interval for each API. If the limit is exceeded, block access
  • D. Apply a limit to the number of requests in a given time interval for each API. If the rate is

Explanation

Rate limiting requests per API within a defined time interval is the standard mechanism to defend against DDoS while still accommodating legitimate high-volume traffic from trusted services.

Common mistakes.

  • A. Calculating limits based on daily averages does not account for legitimate short-term bursts from trusted services and can incorrectly block valid traffic during peak periods while missing rapid DDoS spikes.
  • B. REST API Security Essentials is not a specific recognized standard or product for automated rate limiting, and this option does not address the requirement to accommodate legitimate high-volume requests from trustworthy services.
  • C. Increasing the reply limit for each API without a per-interval rate control simply raises the ceiling for abuse without providing real-time protection against DDoS traffic patterns.
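
The per-interval limit described above, sketched as an added example that is not part of the original question or any Cisco material. The class name, the endpoint and client names, the limits, and the allow-list that gives trusted services a higher ceiling are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class PerApiRateLimiter:
    """Sliding window: at most `limit` requests per `interval` seconds per (API, client)."""

    def __init__(self, limits, interval=1.0, trusted=None, trusted_factor=10):
        self.limits = limits               # {api: max requests per interval}
        self.interval = interval
        self.trusted = set(trusted or ())  # assumption: allow-list of trusted client IDs
        self.trusted_factor = trusted_factor
        self.hits = defaultdict(deque)     # (api, client) -> accepted timestamps in window

    def allow(self, api, client, now):
        limit = self.limits[api]
        if client in self.trusted:
            limit *= self.trusted_factor   # higher ceiling, still bounded
        window = self.hits[(api, client)]
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= self.interval:
            window.popleft()
        if len(window) >= limit:
            return False                   # caller would answer HTTP 429
        window.append(now)
        return True


def replay(limiter, api, client, count, start, spacing):
    """Replay `count` requests `spacing` seconds apart; return how many were accepted."""
    return sum(limiter.allow(api, client, start + i * spacing) for i in range(count))


def demo():
    # Constructed limits and traffic: 20 requests/second on one API.
    limiter = PerApiRateLimiter({"/orders": 20}, interval=1.0, trusted={"billing-svc"})
    # 500 requests in half a second from an unknown client: capped at 20.
    flood = replay(limiter, "/orders", "unknown-client", 500, start=0.0, spacing=0.001)
    # 150 requests in 0.15 s from a trusted service: fits under its 200/s ceiling.
    burst = replay(limiter, "/orders", "billing-svc", 150, start=0.0, spacing=0.001)
    # Once the window has passed, the unknown client is served again.
    after = replay(limiter, "/orders", "unknown-client", 5, start=2.0, spacing=0.1)
    return flood, burst, after
```

A budget derived from daily averages would see both bursts as a small fraction of the day's total and react to neither, which is the weakness noted for option A.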

Concept tested. API rate limiting for DDoS protection

Reference. https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/
