CDPSE · Question #298
Which of the following is the BEST control to mitigate a distributed denial of service (DDoS) attack on an application programming interface (API)?
The correct answer is A. Impose rate limiting through quotas and throttling.. Rate limiting via quotas and throttling directly counters DDoS attacks on APIs by restricting the volume of requests any client or source can make in a given period.
Question
Which of the following is the BEST control to mitigate a distributed denial of service (DDoS) attack on an application programming interface (API)?
Options
- AImpose rate limiting through quotas and throttling.
- BLog all API activity.
- CProvide specific training on API security.
- DImplement authentication and authorization.
How the community answered
(27 responses)- A85% (23)
- B4% (1)
- C4% (1)
- D7% (2)
Why each option
Rate limiting via quotas and throttling directly counters DDoS attacks on APIs by restricting the volume of requests any client or source can make in a given period.
DDoS attacks function by overwhelming an API with a volume of requests that exhausts resources such as CPU, memory, or connection pools. Rate limiting enforces request quotas per client, IP, or API key and throttles traffic that exceeds defined thresholds, preventing any single source from monopolizing capacity. This control directly addresses the mechanism of a DDoS attack rather than addressing a different threat vector.
Logging API activity creates an audit trail useful for forensic analysis after an attack but does not reduce the volume of incoming requests or mitigate the impact of a DDoS attack in progress.
Security training improves developer and operator awareness but is not a technical control and cannot mitigate an active volumetric attack against an API.
Authentication and authorization prevent unauthorized users from accessing API resources but do not limit the rate of requests from authenticated sources, leaving the API still vulnerable to volumetric attacks.
Concept tested: API DDoS mitigation using rate limiting and throttling
Source: https://learn.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling
Topics
Community Discussion
No community discussion yet for this question.