Public APIs present a unique DDoS challenge: unlike HTML pages, APIs are rarely cached, often trigger expensive database queries, and are publicly documented so attackers know exactly which endpoints to target. A well-targeted API flood can take down your backend while leaving your frontend serving 200 OK responses.
REST API Risks
- Endpoint enumeration: documentation reveals every expensive operation.
- Stateless authentication: JWTs make it easy for bots to maintain many parallel 'authenticated' sessions.
- Uncached responses: every request hits your database.
- Webhook flooding: if you accept webhooks, attackers can flood them.
GraphQL Risks
- Introspection abuse: a single query reveals your entire schema.
- Query depth attacks: deeply nested queries cause O(n^n) database joins.
- Batched queries: 1,000 operations in a single HTTP request.
- Aliased field attacks: requesting the same expensive field 10,000 times under different names.
API-Specific Mitigations
- Rate limit per API key, not just per IP.
- Disable GraphQL introspection in production.
- Implement query depth and complexity limits on GraphQL.
- Use Akarguard's custom rate-limit rules to set per-endpoint limits — /api/search can have tighter limits than /api/product.
- Require authentication for expensive endpoints even for 'public' APIs.
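The depth and alias limits above can be enforced before a GraphQL query reaches the resolvers. The following is an added illustration, not code from the article or from any product: a small stand-alone scanner (not a full GraphQL parser) that measures nesting depth, per-field alias fan-out and total field count, and rejects queries that exceed constructed policy limits. The limits, the sample queries and the `search`/`friends` field names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed policy limits (assumed values, not taken from the article or any product).
MAX_DEPTH = 5
MAX_ALIASES_PER_FIELD = 10
MAX_FIELDS = 200

_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on", "true", "false", "null"}

def _strip_noise(query: str) -> str:
    """Remove string literals, comments and argument lists so only selection structure remains."""
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    query = re.sub(r"#[^\n]*", "", query)
    prev = None
    while prev != query:  # argument lists may nest (input objects, lists); peel innermost first
        prev = query
        query = re.sub(r"\([^()]*\)", "", query)
    return query

def analyse(query: str) -> dict:
    """Return depth, per-field alias counts and total field count of a query.

    Depth is the deepest '{' nesting, aliases are 'label: field' pairs outside
    argument lists, and fields are the remaining identifiers that are not
    keywords, operation/fragment names, alias labels or directives.
    """
    body = _strip_noise(query)
    depth = max_depth = 0
    for ch in body:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    aliases = Counter(re.findall(r"\b\w+\s*:\s*(\w+)", body))
    body = re.sub(r"\b(query|mutation|subscription|fragment)\s+\w+", "", body)
    body = re.sub(r"\.\.\.\s*(?:on\s+\w+|\w+)|\bon\s+\w+|\b\w+\s*:|@\w+", "", body)
    fields = [t for t in re.findall(r"\b[A-Za-z_]\w*", body) if t not in _KEYWORDS]
    return {"depth": max_depth, "aliases": aliases, "fields": len(fields)}

def check_policy(query: str) -> list:
    """Return policy violations; an empty list means the query may be executed."""
    stats = analyse(query)
    problems = []
    if stats["depth"] > MAX_DEPTH:
        problems.append(f"depth {stats['depth']} exceeds {MAX_DEPTH}")
    for field, n in stats["aliases"].items():
        if n > MAX_ALIASES_PER_FIELD:
            problems.append(f"field '{field}' aliased {n} times (limit {MAX_ALIASES_PER_FIELD})")
    if stats["fields"] > MAX_FIELDS:
        problems.append(f"{stats['fields']} fields exceeds {MAX_FIELDS}")
    return problems

# Constructed sample queries: a normal request, a nesting attack and an alias flood.
NORMAL = "query Product($id: ID!) { product(id: $id) { name price reviews(first: 5) { rating } } }"
DEEP = "{ user { friends { friends { friends { friends { friends { name } } } } } } }"
ALIASED = "{ " + " ".join(f's{i}: search(q: "x") {{ id }}' for i in range(50)) + " }"
```

Run `check_policy` on each sample: the normal query passes, the nested one is rejected for depth, and the aliased one is rejected for repeating `search` 50 times.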