API Endpoints: The Overlooked DDoS Target

Your API costs $0.50 per request to process. An attacker's request costs $0.0001 to send.

That 5,000x cost asymmetry is why APIs have become the preferred target for sophisticated DDoS attacks. While web pages can be cached and served from CDN edge nodes, API requests often hit your origin servers directly - every single time.

And here's the uncomfortable truth: most organizations protect their marketing website better than their revenue-generating APIs.

91%

of organizations experienced an API security incident in the past year

Why APIs Are Different

Traditional DDoS protection was designed for websites. APIs break those assumptions:

Characteristic	Website	API
Cacheable	Yes (HTML, images, CSS)	Rarely (dynamic responses)
Compute per request	Low (serve static files)	High (database queries, processing)
Request rate from legitimate users	1-10 per minute	10-1000 per minute (mobile apps)
CDN protection	Excellent	Limited (pass-through to origin)
JavaScript challenges	Effective	Breaks API clients
CAPTCHA	Usable	Impossible

The API Attack Surface

Modern API architectures expose multiple attack vectors:

1. Public API Endpoints

Any endpoint documented in your API docs is a known target. Attackers don't need to discover anything - you've published the blueprint.

2. Mobile App APIs

APIs serving mobile apps often have higher rate limits (to handle spotty connections) and less protection (no browser to challenge).

3. Microservices Internal APIs

Service-to-service APIs often have no rate limiting at all. One compromised service can DDoS all the others.

4. GraphQL Endpoints

A single GraphQL query can trigger dozens of database operations. Attackers craft queries that are cheap to send but expensive to resolve.

5. Webhook Receivers

Endpoints that accept callbacks from third parties. Attackers can spoof webhook payloads at scale.

API-Specific Attack Patterns

Pattern 1: Expensive Query Exploitation

Attackers identify endpoints that trigger expensive operations:

Search endpoints with complex filters
Report generation APIs
Bulk export endpoints
Recursive or nested data retrieval

Impact: A few hundred requests can exhaust database connection pools or max out CPU.

Pattern 2: Authentication Endpoint Abuse

Password hashing is CPU-intensive by design
Database lookups for every attempt
Often have higher rate limits "for UX"
SMS/email verification costs money

Impact: Credential stuffing attacks double as DDoS. You pay the compute AND the SMS fees.

Pattern 3: GraphQL Depth Attacks

query EvilQuery {
  user(id: 1) {
    friends {
      friends {
        friends {
          friends {
            posts {
              comments {
                author {
                  friends {
                    # ... infinite nesting
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

Impact: One query can generate thousands of database operations. Your GraphQL server does the multiplication for the attacker.

Pattern 4: Regex Denial of Service (ReDoS)

If your API validates input with regex, certain patterns cause exponential backtracking:

// Vulnerable regex pattern
const emailRegex = /^([a-zA-Z0-9]+)+@[a-zA-Z0-9]+\.[A-Za-z]+$/;

// Malicious input
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"

Impact: A single request with crafted input can hang a thread for minutes.

Pattern 5: Payload Amplification

Small requests that generate large responses:

List endpoints with no pagination limits
Wildcard searches returning millions of results
Verbose error messages with stack traces

Impact: 100-byte request generates 100MB response. Your bandwidth bill explodes.

Why Traditional DDoS Protection Fails

CDN Limitations

CDNs excel at caching static content. API responses are typically:

Dynamic (user-specific data)
Authenticated (can't cache)
Small but expensive (JSON payloads)

Result: Every API request passes through to your origin.

WAF Blind Spots

WAFs look for malicious payloads. API DDoS attacks use:

Legitimate request formats
Valid authentication tokens
Normal-looking parameters

Result: WAF sees "valid" requests and lets them through.

Bot Detection Challenges

Browser fingerprinting doesn't work when:

Clients are mobile apps (no browser)
Clients are other servers (webhooks)
JavaScript challenges break the API contract

Result: Can't distinguish automated attacks from legitimate automation.

Protecting Your APIs

1. Rate Limiting Done Right

# Good: Multi-dimensional rate limiting
rate_limit:
  global: 10000/minute           # Total API capacity
  per_ip: 100/minute             # Per source IP
  per_user: 500/minute           # Per authenticated user
  per_endpoint:
    /api/search: 10/minute       # Expensive endpoint
    /api/login: 5/minute         # Auth endpoint
    /api/export: 1/hour          # Very expensive

Rate Limit Design Principle

Set limits based on the cost of the endpoint, not the expected usage. Expensive operations get stricter limits.

2. Request Validation

Input size limits: Cap request body size (e.g., 1MB max)
Query complexity limits: For GraphQL, limit depth and breadth
Pagination enforcement: Max page size, require pagination
Timeout enforcement: Kill requests that take too long

# GraphQL complexity limiting
query_complexity_limit: 1000
max_depth: 5
max_aliases: 10
introspection: disabled_in_production

3. API Gateway Protection

Deploy an API gateway that provides:

Authentication validation at the edge
Rate limiting before requests hit backend
Request transformation and validation
Circuit breakers for backend protection
Anomaly detection across all endpoints

4. Backend Resilience

Database connection pooling: Limit max connections
Query timeouts: Kill slow database queries
Async processing: Queue expensive operations
Graceful degradation: Return cached/partial data under load

# Example: Request timeout middleware
async function withTimeout(handler, timeoutMs = 5000) {
  return Promise.race([
    handler(),
    new Promise((_, reject) => 
      setTimeout(() => reject(new Error('Request timeout')), timeoutMs)
    )
  ]);
}

5. Monitoring and Alerting

You can't protect what you can't see. Monitor:

Request rate per endpoint (not just total)
Response time percentiles (P50, P95, P99)
Error rates by type (4xx vs 5xx)
Backend resource utilization
Cost per request (for cloud functions)

Alert on Cost, Not Just Traffic

A slow increase in expensive queries can cost more than a spike in cheap requests. Alert when compute costs per request increase.

API Security Checklist

Use this checklist to assess your API's DDoS resilience:

Authentication: All endpoints require authentication (except truly public ones)
Rate Limiting: Every endpoint has appropriate limits
Input Validation: Size limits, type checking, sanitization
Query Complexity: GraphQL depth/cost limits enforced
Pagination: All list endpoints paginated with max page size
Timeouts: Request and database query timeouts configured
Monitoring: Per-endpoint metrics with anomaly alerting
Circuit Breakers: Backend failures don't cascade
Documentation: Rate limits published in API docs
Testing: Regular load testing includes API endpoints

The Business Case for API Protection

APIs often generate more revenue than websites but receive less security investment. Consider:

API downtime = mobile app outage = lost transactions
Partner API disruption = breach of SLA = penalties
Resource exhaustion = cloud bill spike = margin erosion
Slow APIs = poor user experience = customer churn

"We spend more protecting our marketing site than the APIs that process $50M in daily transactions."
- Anonymous CTO at a Series B startup

Is Your API Protected?

DDactic identifies API vulnerabilities before attackers exploit them. Our automated assessment covers endpoints, rate limits, and backend resilience.

Get an API Assessment

API Security DDoS Rate Limiting GraphQL REST API Microservices Backend Development