You can become a serverless blackbelt. Enrol to my 4-week online workshop Production-Ready Serverless and gain hands-on experience building something from scratch using serverless technologies. At the end of the workshop, you should have a broader view of the challenges you will face as your serverless architecture matures and expands. You should also have a firm grasp on when serverless is a good fit for your system as well as common pitfalls you need to avoid. Sign up now and get 15% discount with the code yanprs15!
When you deploy an API to API Gateway, throttling is enabled by default in the stage configurations.
By default, every method inherits its throttling settings from the stage.
Having built-in throttling enabled by default is great. However, the default method limits (10k req/s with a burst of 5000 concurrent requests) match your account-level limits. As a result, ALL your APIs in the entire region share a rate limit that can be exhausted by a single method.
It also means that an attacker only needs to DOS attack one public endpoint to bring down not just the API in question, but all your APIs in the entire region, effectively rendering your entire system unavailable.
Given that many organizations run their entire production environment out of a single AWS region and account, this is a risk you can’t afford to ignore.
Is WAF not the answer to DOS?
You can configure WAF rules for both API Gateway as well as CloudFront. You can do this in the API Gateway stage settings.
With AWS WAF, you can create rate-based rules that rate-limit at the IP level.
This is sufficient to repel basic DOS attacks where all the requests originate from a handful of IP addresses. But it’s far from a foolproof system.
For starters, it won’t protect you from DDOS attacks from even a small botnet with thousands of hosts. The rise of IoT devices (and their poor security) has also given rise to IoT botnets. These botnets can comprise millions of compromised devices.
These rate-based WAF rules also struggle to deal with low and slow DOS attacks. These attacks generate a slow and steady stream of requests that are hard to differentiate from normal traffic.
This naive IP-level rate limiting can also block traffic from institutions that share the same IP address for their users. This can include universities and, in some cases, even small towns. In the past, I also observed that many AOL users would share the same IP address.
In short, WAF can keep the script kiddies out but is not a good enough answer to the threat of DOS attacks. The core of the problem here is that one method is allowed to inflict maximum damage on the whole region, and it’s a problem that really needs to be addressed at the platform level.
So what can we do?
The solution is simple, but the challenge is in governance.
“All you have to do” is apply a sensible rate limit to each method individually. However, doing so requires constant developer discipline, and we know from history that this leads to failure, because humans are terrible at doing the same thing over and over consistently.
At the time of writing, there’s no built-in support in the Serverless framework to configure these method settings. The best solution seems to be the serverless-api-stage plugin. It works but has been dormant for over a year. And the author has not responded to any of the recent issues or PRs.
You can create a custom rule in AWS Config to check that every API Gateway method is created with a rate limit override. This is a good way to catch non-compliance and enforce better practices in the organization.
You can also implement some automated remediation. For example, you can trigger a Lambda function after every API Gateway deployment with CloudTrail and CloudWatch Events/EventBridge. If the API author has left the default rate limits on, the function can override them with more sensible rate limit settings. This wouldn’t be my first port of call though, as it can be confusing to API authors when the configuration of their API is changed without any action on their part.
Another strategy would be to reduce the amount of traffic that reaches API Gateway by leveraging CloudFront as a CDN. The rate-based WAF rules can be applied to CloudFront too, although the same limitations we discussed earlier still apply, which means you can incur extra CloudFront cost during a DDOS attack.
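As an added example (not code from the original post), here is the core logic such a Config rule and remediation Lambda would share: audit a stage’s method-level throttling against the account-level default and build the patch that `apigateway.update_stage()` accepts. The stage description, the method list and the remediation limits (100 req/s, burst 50) are constructed assumptions in the shape boto3’s `get_stage()` returns; no AWS call is made.

```python
# Account/region-level default that every method inherits unless overridden.
ACCOUNT_RATE_LIMIT = 10000.0  # requests per second
# Per-method limits the remediation applies (assumed values; tune per API).
REMEDIATION_RATE_LIMIT = 100
REMEDIATION_BURST_LIMIT = 50

def method_key(resource_path, http_method):
    """methodSettings key for a method; '/' in the path is escaped as '~1'."""
    return f"{resource_path.replace('/', '~1')}/{http_method}"

def find_noncompliant_methods(methods, method_settings):
    """Return {key: reason} for every method lacking a real rate-limit override.
    A lowered '*/*' stage default is not enough: methods would still share one
    pool, so a single busy method could starve the rest of the API."""
    findings = {}
    for resource_path, http_method in methods:
        key = method_key(resource_path, http_method)
        setting = method_settings.get(key)
        if setting is None or "throttlingRateLimit" not in setting:
            findings[key] = "inherits stage default (account-level limit)"
        elif setting["throttlingRateLimit"] >= ACCOUNT_RATE_LIMIT:
            findings[key] = "override is not lower than the account-level limit"
    return findings

def build_remediation_patch(findings):
    """Translate findings into patchOperations for apigateway.update_stage()."""
    ops = []
    for key in sorted(findings):
        base = f"/{key}/throttling/"
        ops.append({"op": "replace", "path": base + "rateLimit",
                    "value": str(REMEDIATION_RATE_LIMIT)})
        ops.append({"op": "replace", "path": base + "burstLimit",
                    "value": str(REMEDIATION_BURST_LIMIT)})
    return ops

# Constructed sample in the shape apigateway.get_stage() returns: three methods,
# of which only GET /pets carries a sensible override.
SAMPLE_METHODS = [("/pets", "GET"), ("/pets", "POST"), ("/pets/{id}", "GET")]
SAMPLE_STAGE = {"stageName": "prod", "methodSettings": {
    "*/*": {"throttlingRateLimit": 10000.0, "throttlingBurstLimit": 5000},
    "~1pets/GET": {"throttlingRateLimit": 200.0, "throttlingBurstLimit": 100},
    "~1pets/POST": {"throttlingRateLimit": 10000.0, "throttlingBurstLimit": 5000},
}}

if __name__ == "__main__":
    # Real rule: methods from get_resources(), stage from get_stage(), patch to update_stage().
    bad = find_noncompliant_methods(SAMPLE_METHODS, SAMPLE_STAGE["methodSettings"])
    for key, reason in bad.items():
        print(f"NON_COMPLIANT {key}: {reason}")
    print(build_remediation_patch(bad))
```

Note that POST /pets is flagged even though it has an explicit entry, because an override equal to the account-level limit gives no protection.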
With AWS Shield Advanced ($3000/month plus various other fees), you can get payment protection against this extra cost incurred during an attack. Perhaps more importantly, you also get access to the DDoS Response Team if you have an existing Business or Enterprise support. Given the cost involved, this is likely to be out-of-reach for many startups.
All in all, the tooling needs to improve to help people do the right thing by default. We need better support from the likes of the Serverless framework so we can configure these rate limits easily. And I hope AWS changes the default behaviour of applying region-wide limits to every method, or at the very least shows warning messages in the console that your rate limit settings are exposing you to serious risk.
Update 25/11/2019: my good friend Diana Ionita published a new Serverless framework plugin serverless-api-gateway-throttling. It lets you easily configure the default throttling setting for your API but also override the setting for individual endpoints too. If you’re using the Serverless framework, you should definitely check it out.
Hi, I’m Yan. I’m an AWS Serverless Hero and I help companies go faster for less by adopting serverless technologies successfully.