Doesn’t my WAF or API Gateway block automated traffic?

Web Application Firewalls (WAFs) and API Gateways offer essential security features, such as rate limiting, IP lookup, and bad signature recognition. These defenses, however, are built to catch brute force automated traffic: traffic that stands out by its high volume, its repetitive nature, or blatant security violations. While they are effective in thwarting many common threats, they may fall short when dealing with well-crafted automated API traffic designed for malicious purposes such as fraud and data scraping.

  • Rate Limiting: Rate limiting is a critical security measure that restricts the number of requests a client can make within a specified time frame. This helps prevent abusive or excessive use of APIs and can help protect against Distributed Denial of Service (DDoS) attacks. However, it's not always effective in identifying sophisticated attacks that may stay within the rate limits to evade detection.
  • IP Lookup: IP lookup is a method of cross-referencing an incoming request's IP address with databases of known malicious IPs. It can help block traffic from known attackers or suspicious sources. Nevertheless, attackers can easily change their IP addresses or use distributed networks (like botnets) to obfuscate their origin.
  • Bad Signature Recognition: Bad signature recognition involves identifying requests that contain malicious payloads, malformed data, or suspicious patterns. While it's useful for blocking common attack vectors, it may not recognize well-constructed malicious requests that mimic legitimate traffic closely.
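As an added illustration of the three checks listed above (not code from Approov or from this page), the following Python models a rate limiter, an IP denylist and a signature match, runs them over a constructed request log, and then groups the surviving requests by target account, which goes slightly beyond the text by showing the per-account view in which low-rate distributed login traffic becomes visible. All IPs, accounts, thresholds and patterns are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic as (timestamp_sec, client_ip, path, body). Not real logs.
SAMPLE_REQUESTS = [
    # one noisy client: 12 logins in 12 seconds -> exceeds the per-IP rate limit
    *[(t, "203.0.113.10", "/login", "user=bob&pass=x%d" % t) for t in range(12)],
    # a request from an IP that is on the denylist
    (20, "198.51.100.7", "/login", "user=alice&pass=hunter2"),
    # a request whose body matches a known bad signature
    (21, "203.0.113.55", "/items", "id=1 UNION SELECT 1"),
    # well-formed logins against one account, each from a different IP,
    # one per minute: under the rate limit, clean IPs, no bad signature
    *[(100 + 60 * i, "192.0.2.%d" % i, "/login", "user=carol&pass=guess%d" % i)
      for i in range(8)],
]

RATE_LIMIT = 10      # constructed threshold: requests per window, per client IP
WINDOW_SEC = 60      # sliding window length in seconds
BAD_IPS = {"198.51.100.7"}   # constructed denylist standing in for an IP lookup feed
BAD_SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"\.\./")]


def classify(requests):
    """Apply denylist, signature and rate-limit checks per request and
    return {verdict: [request indices]} in arrival order."""
    windows = defaultdict(deque)      # per-IP timestamps of allowed requests
    verdicts = defaultdict(list)
    for idx, (ts, ip, _path, body) in enumerate(requests):
        if ip in BAD_IPS:
            verdicts["ip_denylist"].append(idx)
            continue
        if any(sig.search(body) for sig in BAD_SIGNATURES):
            verdicts["bad_signature"].append(idx)
            continue
        recent = windows[ip]
        while recent and ts - recent[0] >= WINDOW_SEC:   # drop expired entries
            recent.popleft()
        if len(recent) >= RATE_LIMIT:
            verdicts["rate_limited"].append(idx)
            continue
        recent.append(ts)
        verdicts["allowed"].append(idx)
    return dict(verdicts)


def distinct_ips_per_account(requests, allowed_idx):
    """Count distinct source IPs per login account among allowed requests.
    None of the per-request or per-IP checks above produce this view."""
    ips = defaultdict(set)
    for idx in allowed_idx:
        _ts, ip, path, body = requests[idx]
        if path == "/login":
            params = dict(kv.split("=", 1) for kv in body.split("&"))
            ips[params.get("user", "")].add(ip)
    return {user: len(s) for user, s in ips.items()}
```

Running `classify(SAMPLE_REQUESTS)` blocks the burst, the denylisted IP and the signature hit, while every one of the eight distributed logins is allowed; only the per-account grouping reveals that one account received attempts from eight different IPs.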

Automated API traffic engineered for fraudulent purposes, such as account takeover (ATO) attacks or data scraping, has become increasingly sophisticated. The actors behind it employ advanced techniques to closely mimic the patterns of legitimate user behavior, making it extremely challenging for traditional security measures to differentiate between fraudulent and genuine traffic. This poses a significant threat to the security and integrity of mobile applications.

Approov Mobile Security is an advanced security solution designed to protect APIs against precisely these types of threats by distinguishing between malicious and legitimate traffic. It integrates with WAFs and API Gateways to provide an additional layer of defense.