apidays LIVE Hong Kong - The Open API Economy: Finance-as-a-Service & API Ecosystems Art and Science of Rate Limits for APIs Shahnawaz Backer, Principal Security Advisor at F5 Labs

1. Shahnawaz Backer | Principal Security Advisor
@sbacker27
Art & Science of Rate Limiting API’s

2. API Incidents by Category, 2018-2020
0%
5%
10%
15%
20%
25%
30%
35%

3. 4

4. National Identity
Database
(1.1 Billion)
API
Banks
Services
Utilities
API
Services
API
TRUST

5. Bots/hackers trying
to overwhelm API
endpoints
Maintain quality of
service for partners

6. API
B
API
A
API
C
Scrapers
Bots
Bad Guys
Free Tier
Paid Users
Premium User

7. Backend Application Proxy
Traffic reaches server

8. Unauthenticated
Authenticated
Client Parameters Use Case
Unauthenticated IP Address Location based rate
limits
Authenticated API Keys
JSON Web Tokens
Enforce tiers
Identification – Other Headers Custom use cases
Server Side
Concurrency
Client Side
Self Imposed Throttling

9. Drop Throttle Burst
Instant Drop with HTTP Status code 429Honor the traffic but SLA might not be metEnough resources to sustain

10. Leaky BucketToken Bucket
Fixed Window
Sliding Logs
Sliding Window

11. API
Partners
(Backend)
Customers
Partner
(Services)
Throttle
Drop
Time based limitFree Tier
Intermediate
Premium
Burst

12. API
B
API
A
API
C
API
B
API
A
API
C
- JWT
- Rate Limit
- JWT
- Rate Limit ’
• Rate limit needs to synchronized
• External counter / synchronization

13. API
B
API
A
API
C
API
B
API
A
API
C

14. DNS
API
B
API
A
API
C
API
B
API
A
API
C

15. Essentials for
Business and
Security
Approaches
- Unauthenticated
- Authenticated
- Server Side
Consider Rate
Limit options as
deployments
scale

16. | ©2020 F5 NETWORKS17
- Workshops -
Technical Workshops
14:35 – 15:25
Protecting API Workloads against OWASP Top 10 and Programming Language CVE’s
What’s Next
Join 2 NGINX sessions and
complete a survey at NGINX booth
to win a HK$50 Starbucks eGiftcard!

17. | ©2018 F5 NETWORKS18
We may be isolated, but we are not alone.
We’re in this together.
Thank you!