In 2024, API attacks rose by a staggering 3,000 per cent compared to traditional web attacks, according to industry reports.
API-based cyber attacks have become more persistent and targeted ever since technology has advanced. Malicious actors weaponise the growth, leaving businesses in a conundrum of constantly having to defend themselves against a myriad of threats.
A key reason for this trend is that modern DDoS attacks are increasingly targeting APIs directly, not just networks or websites.
A10 Networks found that the size of these attacks has grown from gigabits per second (Gbps) in the early 2010s to terabits per second (Tbps) by 2024. This is a significant 20-fold increase.
Early reports from 2025 indicate that DDoS attack volumes have already jumped by 350 per cent, hitting over six terabits per second. The frequency of these attacks is increasing as well, with the number of DDoS attacks doubling in 2024 compared to the year before.
This trend is occurring because APIs have become the main communication layer for applications, making them invaluable targets for disruption and exploitation.
Attackers are not just trying to overwhelm a network's capacity but are now also using requests that look legitimate to exhaust the resources of an API's most critical functions.
This article tells you everything you need to know about why APIs are vulnerable, the type of API-based DDoS attacks and real-world examples.
What is an API (Application Programming Interface)?
An Application Programming Interface (API) is an intermediary that connects one software to another software, allowing an exchange of data. Essentially, an API acts as a tool that makes communication possible between two software applications. However, it’s not so simple; API’s define the rules and protocols to allow this exchange of information. The code specifies the types of requests and responses that are allowed between software interactions.
A practical example of an API can be seen in video games, particularly video games that display an online leaderboard. For instance, when the user completes a level in a game, they are able to see a leaderboard that shows their score alongside their opponents’ scores. The other players could be sitting anywhere in the world, the API pulls their data, the score, and shows it on the common leaderboard. Basically, the game doesn't pull that data from its own local files. Instead, it calls a gaming service's API.
Also Read: How Do Enterprises Build Proactive Cybersecurity Strategies?
Why are APIs Vulnerable?
APIs are vulnerable because they are an essential part of digital infrastructure. This criticality forms large and hidden attack surface opportunities for malicious actors. While APIs make way for seamless communication between services, this expanded connectivity creates more entry points for hackers.
“Modern applications are now built with many small, distributed components rather than a single large one. These components communicate with each other using APIs,” stated Brett Ley, the VP, Global Technical Sales at A10 Networks, in an episode of The Security Strategist podcast with Shubhangi Dua, Podcast Producer and B2B Tech Journalist at EM360Tech. “The shift to a more distributed architecture, combined with increasingly sophisticated DDoS attacks, makes protecting API traffic a growing challenge.”
This is why it’s critical to address API vulnerabilities, not only because an API attack can be costly, but also because it often leads to the exposure of sensitive data. To avoid compliance issues (such as those related to GDPR) and maintain client trust, it's imperative for businesses to secure their cloud infrastructure from API attack vectors. While various attack types exist, DDoS attacks are particularly disruptive as they can overwhelm an API with a flood of traffic, leading to service outages.
Gartner found that 90 per cent of web-enabled applications will have more exposed APIs than user interfaces (UI). A Gartner report from 2022 also projected that API abuses would shift from seldom-occurring to becoming the most common attack vector.
Some challenges that make it difficult to protect APIs are:
-
Limited Visibility
IT teams frequently struggle to keep track of the multiple APIs and their update status. This makes it challenging to determine who should use them, how they should be utilised, and what the appropriate user behaviour, authentication, and authorisation processes are.
2. Imitates Legitimate behaviour
API attacks frequently imitate real user requests. They make detection more challenging. Such attacks can also reveal application logic and sensitive data.
3. API sprawl
API sprawl is the uncontrolled and unmanaged growth of APIs within an organisation. This situation creates a complicated and insecure environment. The widespread nature of modern IT systems, as organisations use multiple cloud providers, leads to API sprawl. This increases complexity for IT security teams, making it harder for them to initiate targeted protection protocols.
4. Poor development practices
Developers sometimes make errors or ignore best practices. They end up creating APIs in isolation, which often results in vulnerabilities that attackers can exploit together.
5. Sophisticated attacks
It’s a given that API attacks are complex, as they involve multiple steps and large-scale botnets as well as DDoS amplifiers. This intricacy makes them hard for traditional defences to spot. The rise of AI-driven tools also enhances the attackers' abilities.
Types of API-Based DDoS Attacks
-
API Gateway Floods
An API Gateway Flood is a Distributed Denial-of-Service (DDoS) attack that aims to overwhelm the software with considerable requests. When a client submits a request for communication between software, the software that receives communication, which is the entry point for API traffic, is marked as a target for the malicious actor. The attacker uses up the gateway's resources, including its processing power and network capacity.
Essentially, the malicious actor aims to stop the gateway from handling valid requests from real users, which leads to a service outage and blocks access to the applications and services it supports. This type of attack is particularly hard to defend against because the individual requests often look legitimate. It becomes challenging for the defenders to differentiate between regular user traffic without strong security measures.
2. Credential Stuffing Floods
Credential stuffing floods are when an attacker hammers login credentials across services and uses them to seize user accounts. Essentially, malicious actors leverage automated bots to quickly test stolen username and password pairs. These pairs often come from a data breach and are used across several websites. The attackers’ botnet hosts numerous login attempts by taking advantage of the fact that users tend to reuse the same credentials for different online accounts.
Attackers bombard a target site's login page or API in an attempt to find a small number of successful logins. They then use these logins to take over accounts, steal sensitive data, or perpetrate fraud. This kind of attack is particularly effective and hard to stop because the individual login attempts carried out by the bots use valid credentials and can imitate human behaviour, making them seem like real user traffic.
3. Slowloris Attacks
Slowloris attacks are a type of low-and-slow DDoS attack. This means attackers either leave incomplete HTTP requests or submit HTTP requests slowly to exhaust server memory and thread pools.
Such a DDoS attack executes minimal initiative to overwhelm a web server. The attacker opens multiple connections to a target and sends incomplete HTTP requests. By sending partial HTTP headers periodically, the attacker keeps the connections open indefinitely without completing the request.
The malicious actors strategise in a way that allows them to take advantage of the server's limited capacity for concurrent connections. Eventually, it will fill all available slots and prevent new connections from legitimate users. This action leads to a denial of service. The traffic comes across as normal, though slow, making it hard for traditional security tools to detect.
4. Business Logic Exploitation
Business logic exploitation is an attack that leverages legitimate business operations to reach detrimental objectives. Malicious actors exploit the processing of an application instead of targeting technical weaknesses.
For example, they might misuse a password reset process to gain unauthorised access; they could repeatedly use the "forgot password" feature to drain resources or manipulate an e-up to create multiple accounts or avoid rate limits.
Such a cyber attack relies on a series of valid requests that the server accepts. However, when these requests are combined, they expose a flaw in the application's business logic. This flaw lets the attacker steal data, use resources, or gain an unfair edge without activating typical security alerts.
In the 2024 Dell breach, attackers took advantage of a flaw in the company's business logic and its lack of rate limiting. After gaining legitimate access to Dell's partner portal, they discovered a weak API that returned customer data. By overwhelming this API with an automated wave of requests, they managed to get around controls and extract 49 million customer records. This attack worked not by exploiting a technical bug, but by misusing a legitimate feature on an unparalleled scale.
5. API Amplification
API amplification is an attack where a small request from an attacker leads to a much larger response from an API. Akin to typical network or application DDoS attacks against DNS or NTP, small API requests are sent that trigger large responses, overwhelming the target endpoint. This can either overwhelm a network's bandwidth or exhaust a server's processing resources, such as CPU and memory.
A commonly used method by hackers is sending small API requests that trigger a large, resource-heavy action, such as an extensive database query or a file download. In a reflected amplification attack, the attacker disguises their own IP address as a victim's and sends a request to the API. The API then sends the large, amplified response directly back to the victim, inundating their system with data.
Security threats against APIs are continuing to evolve, and many may not involve DDoS or DoS as part of the attacks.
Real-World Examples
Some real-world examples of modern-day API attacks are:
-
Automotive Industry
The automotive industry is experiencing a surge in API vulnerabilities, with attacks rising by a staggering 380 per cent in 2022, according to an Upstream report. A noteworthy example is the 2024 discovery of a flaw in the remote-control API for KIA vehicles. The dealership API did not properly verify access rights, which allowed hackers to send commands to any vehicle without showing ownership. While there is no record of this being exploited, the vulnerability seriously harmed the company's reputation.
2. Financial Giant Hit by Sophisticated Attack
A major financial services company combatted a convoluted DDoS attack against an organisation's APIs. The attacker used modern techniques to bypass traditional defences.
The malicious actor/s not only flooded the network but also imitated US-based internet providers and cloud services to make the traffic look legitimate. Additionally, the attackers used HTTP/2 to send a large number of requests efficiently through a small number of connections. To avoid detection, the hackers created fake mobile applications and used user credentials that seemed legitimate. The action points to a combination of credential stuffing and targeted endpoint reconnaissance.
This is where A10 Networks’ ThreatX, in a nine-minute survey of the attack, tracked 49,000 malicious requests across 198 websites. It was discovered that the requests came from over 13,000 unique IP addresses in 121 countries. However, stopping the attack required 44 different security rules owing to its scale and complexity.
This incident shows that fighting modern threats requires more than basic filtering. It needs better behavioural detection to spot and stop attacks that look like legitimate user activity. This emphasises the need for advanced, real-time response strategies to protect against the changing threat landscape.
How Can Enterprises Protect Their APIs?
Enterprises can protect their APIs and applications from modern attacks by executing a multi-layered, proactive security strategy. This will help to secure APIs from the beginning of the development process instead of leaving it as an afterthought.
Organisations are recommended to leverage strong authentication and authorisation mechanisms to ensure that only legitimate confirmed users have access to resources. These specific authorised individuals will be granted the minimum privileges necessary to perform their tasks.
Tools such as API gateways and Web Application Firewalls (WAFs) are important too. They act as a shield against attacks, provide rate limiting to stop DDoS floods, and filter out harmful requests.
Additionally, continuous monitoring of API traffic is essential. It helps detect and respond to unusual behaviour that may signal an attack, such as credential stuffing or exploiting business logic. Finally, regular vulnerability assessments and testing can proactively uncover and eliminate weaknesses, closing gaps before attackers can exploit them.
Comments ( 0 )