With great popularity . . . comes large crowd. Be it a shopping mall, a super hit movie, a famous restaurant/café or even a tourist spot. Generally, this happens because of two reasons, either the crowd is lured in or the crowd just wants to follow the others. Similarly, it may so happen that in your app server sometimes there are so many hits or requests that it is unable to handle—the consequences being slow performance, server downtime or just a poor user experience. The worst part is, as marketers and developers we all want innumerable active users but we never prepare ourselves for such situations.
API Management solution was invented to overcome challenges like these and many others that we will know in future posts. Of course there are anomalies in every situation and traffic management in APIs is no different. Denial of Service(DoS) and Distributed Denial of Service(DDoS) attacks on the APIs are becoming not so rare these days when just anyone randomly starts attacking the web servers and APIs with botnets in enormous numbers to block the actual influx of the traffic which consequently causes the server failure and app crash. A quick look at the following graph and you will know the rise of cyber-attacks in recent years and the financial loss because of them.
App42 API Gateway enables you to put various kinds of restrictions on the traffic that can be configured and setup quickly:
- Burst Limit: This simply means that the API Gateway is configured to process a certain number of requests per second. Suppose the burst limit of your APIs is set at 40 per second, then in times when the requests exceed 40, then instead of server getting crashed it would handle the first 40 and block the rest
- Whitelist IPs: The phrase itself is self-explanatory, but let’s say you have developed a set of APIs exclusive for your partner or a third party app then to avoid the traffic coming from elsewhere the IP of your partner/third party developer would be whitelisted so that only they can have access to it
- Blacklist IPs: This is extremely useful during DoS/DDoS attacks . . . as soon as the IP of the attacker is known, it must be blacklisted to avoid the bots overburdening your backend systems
- Request Timeout: This enables you to set the time in milliseconds that your APIs can take to allow execution of the requests on the server. That means if any particular request is taking longer than the set duration, the API Gateway would discard and move on to the next one
- Request Size: When you set a limit on the size of the request, API Gateway discards the requests larger than that and only limited requests are processed so as to not burn out the backend systems
To understand these better, let’s take a hypothetical example of an e-commerce app. So this app has around 3 Million daily active users, considering that it already has good number of users, it goes on to plan a day of mega sale—on the lines of Black Friday sale. Now, it starts promoting the sale as the biggest of the year and nothing the entire user base has ever witnessed and stuff like that—to handle the expected traffic it adds a few extra thousands of servers and load balancers and takes other preventive measures. But, the kind of shopaholics and suckers for discounts that we are, on the day of sale, within an hour, the requests to the backend servers cross 50 Million and the servers fail and the app crashes. The consequence? Well, a big hit to the brand, bad PR, poor word of mouth and a month of advertisement money wasted.
What could it have done?
Invested in a good API Management solution. Now, if that API Gateway sits in between the backend servers and the client in the above mentioned situation. . . a number of things happen:
- Let’s say the app was prepared to handle up to 35 Million requests, the API Gateway would block the rest of the 15 Million API calls to at least pass those 35 Million, instead of the failure of the entire backend
- It may so happen that a competitor of that particular e-commerce brand launches a DoS/DDoS attack to sabotage the campaign, in that scenario the IPs of the attackers can be blocked to prevent the botnets from affecting the servers
- Assuming that the burst limit of the app is set to 50 requests per second, the API Gateway would not pass more than that. So, let’s say if 60 users open the app simultaneously, only 10 would see an error instead of all 60 users getting the same error in the traditional case
There are hundreds of cases where time and again enterprises and rising startups have taken a big hit to their servers facing loss of millions of dollars due to the lack of an API Management solution and strategy. As we steadily move toward a digital world, it is imperative that a good and comprehensive API Management tool must be integrated in the digital offerings. Take a look at App42 API Gateway and its rich set of features including complete API lifecycle management including creation, security, monitoring, analytics & monetization. Get a demo or sign up to get your free trial today.