Exam CAS-004
Question 55

Clients are reporting slowness when attempting to access a series of load-balanced APIs that do not require authentication. The servers that host the APIs are showing heavy CPU utilization. No alerts are found on the WAFs sitting in front of the APIs.

Which of the following should a security engineer recommend to BEST remedy the performance issues in a timely manner?

    Correct Answer: A

    The symptoms point to request volume rather than malicious payloads: the WAFs in front of the APIs raise no alerts, so the traffic is well-formed, yet the backend servers are saturating their CPUs serving it. Because the APIs are unauthenticated there is no per-user quota to fall back on, so the quickest effective control is rate limiting at the load balancer, WAF or API gateway: cap the number of requests a client (typically keyed by source IP) may make per time window and reject the excess with HTTP 429 before it ever reaches the servers. That sheds load immediately and restores response times for the remaining clients. OAuth 2.0 (C) adds an authorization layer the APIs were deliberately built without, takes far longer to roll out, and adds token-validation work of its own; geoblocking (B) only helps if the excess traffic happens to originate from regions the service does not serve; input validation (D) protects against malformed or malicious input, which the quiet WAFs suggest is not the problem here.
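    The following is an added example, not part of the original exam explanation, showing what the recommended control looks like in code: a per-client token-bucket rate limiter that would sit at the edge (load balancer, WAF or API gateway) in front of the CPU-bound servers. Clients are keyed by source IP because the APIs have no authentication; the capacity and refill figures, the IP addresses, the `RateLimiter`/`TokenBucket` class names and the injected `FakeClock` are all assumptions made for the illustration.

```python
"""Per-client token-bucket rate limiter for an unauthenticated API.

Added example (not the exam's or any vendor's code). Clients are keyed by
source IP (an assumption: the APIs have no auth, so there is no user id),
and the limits below are illustrative, not recommendations.
"""
import math
import time
from typing import Callable, Dict, Tuple


class TokenBucket:
    """One client's allowance: `capacity` tokens of burst, refilled at `rate` tokens/s."""

    def __init__(self, capacity: float, rate: float, now: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity      # a new client starts with a full burst allowance
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now

    def try_consume(self, now: float, cost: float = 1.0) -> Tuple[bool, float]:
        """Spend `cost` tokens if available; return (allowed, seconds until `cost` is available)."""
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True, 0.0
        return False, (cost - self.tokens) / self.rate


class RateLimiter:
    """Keeps one bucket per client id and turns each request into a pass/shed decision."""

    def __init__(self, capacity: int, rate: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.rate = rate
        self.clock = clock          # injectable so the behaviour is testable offline
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, client_id: str, cost: float = 1.0) -> Tuple[int, Dict[str, str]]:
        """Return (HTTP status, headers): 200 means forward to the API, 429 means drop it here."""
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.rate, now)
        allowed, wait = bucket.try_consume(now, cost)
        headers = {
            "X-RateLimit-Limit": str(self.capacity),
            "X-RateLimit-Remaining": str(int(bucket.tokens)),
        }
        if allowed:
            return 200, headers
        headers["Retry-After"] = str(max(1, math.ceil(wait)))   # RFC 6585 style 429 response
        return 429, headers


def simulate_burst(limiter: RateLimiter, client_id: str, n: int) -> Tuple[int, int]:
    """Fire n back-to-back requests at one instant; return (accepted, rejected)."""
    accepted = rejected = 0
    for _ in range(n):
        status, _ = limiter.check(client_id)
        if status == 200:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the demo is reproducible."""

    def __init__(self) -> None:
        self.t = 1000.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Tuple[Tuple[int, int], int, Tuple[int, int]]:
    clock = FakeClock()
    limiter = RateLimiter(capacity=20, rate=5.0, clock=clock)   # 20-request burst, 5 req/s sustained
    noisy = simulate_burst(limiter, "198.51.100.7", 100)        # constructed: one client hammering the API
    quiet = limiter.check("203.0.113.9")[0]                     # constructed: an ordinary client, unaffected
    clock.advance(2.0)                                          # two seconds later: 10 tokens refilled
    after = simulate_burst(limiter, "198.51.100.7", 15)
    return noisy, quiet, after


if __name__ == "__main__":
    print(demo())
```

The noisy client gets its 20-request burst and then 80 rejections, the unrelated client is still served, and after two seconds the refill admits exactly 10 more requests. Two practitioner caveats: the limiter must run at the edge, not on the CPU-bound servers, or the rejected requests still cost the CPU you are trying to protect; and when keying by IP behind a load balancer, read the client address only from an `X-Forwarded-For` value the load balancer itself set, since a client-supplied header would let an abuser rotate keys at will.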

Discussion
[Removed] (Option: C)

The keyword here is that the API does not require authentication. OAuth 2.0 solves that and will improve performance by only processing authenticated calls.

javier051977 (Option: A)

Since the clients are reporting slowness and the servers hosting the APIs are showing heavy CPU utilization, it is likely that the performance issue is caused by excessive API requests being made by the clients, rather than an attack or vulnerability that needs to be mitigated. Therefore, the best solution to remedy the performance issues would be to implement rate limiting on the API, which would limit the number of requests made to the APIs per client, and prevent excessive requests from overloading the servers. So, the correct answer is A. Implement rate limiting on the API.

Alex_2169

ChatGPT is not that accurate; it changes its answer and is unsure of its answers. Be careful.

last_resort (Option: A)

A. Rate limiting. This is a tough one. I think we can rule out OAuth, as it says that the API does not require authentication (so why add it?) and OAuth will be more difficult to implement than rate limiting. They asked for a quick fix. https://nordicapis.com/everything-you-need-to-know-about-api-rate-limiting/

BiteSize (Option: A)

OAuth does not mean that it will be secure, because OAuth = authorization. Rate limiting is the quick fix to address the direct problem of too many tasks. Source: verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my due diligence.)

Mr214 (Option: A)

OAuth 2.0 will just increase the load on the API. Rate limiting shall reduce the number of processed requests.

CASP_Master (Option: A)

Given that the APIs do not require authentication, implementing OAuth 2.0 would likely not resolve the performance issues. Similarly, implementing input validation would not necessarily address the CPU utilization. Geoblocking may prevent some traffic, but may not resolve the root cause of the issue. Therefore, the BEST recommendation would be to implement rate limiting on the API, which can help regulate the amount of traffic and reduce the load on the servers. This would help address the performance issues in a timely manner.

p1s3c (Option: A)

A. Implementing rate limiting on the API is the best solution to remedy the performance issues in a timely manner. Rate limiting can help mitigate the heavy CPU utilization and ensure that the APIs are not overwhelmed with requests, which can cause slowness for clients. It limits the number of requests that can be made within a certain time period, preventing excessive traffic from consuming all of the server's resources. Geoblocking (B) may be useful for blocking traffic from certain countries, but it is unlikely to solve the performance issue in this scenario. OAuth 2.0 (C) is an authentication and authorization framework and would not address the performance issues described. Input validation (D) is important for preventing attacks that leverage malicious input, but it is not likely to address the performance issues in this scenario.

POWNED (Option: C)

Authentication! The answer is C.

AaronS1990 (Option: C)

For me this is C. C means that they will only process authenticated calls. I see the argument for A; however, I don't think it's right. The loads are balanced, therefore the system itself is running as efficiently as it can, and yet you are still getting performance issues. Limiting them further will not improve performance. However, ensuring that there is less unnecessary traffic will. That's why I'm going with C.

Geofab (Option: A)

Rate limiting the APIs seems logical to me. It seems like there are too many calls to the APIs and/or a DDoS attack that is causing high CPU utilization.

josepa (Option: A)

A is correct.

23169fd (Option: A)

This approach controls the number of requests a client can make to the API within a certain timeframe. By limiting the request rate, you can prevent excessive usage from any single client or group of clients, which can help reduce the CPU load on the servers. This can be implemented relatively quickly and can provide immediate relief to the performance issues. Implementing OAuth 2.0 is used for authentication and authorization, which is not necessary for APIs that do not require authentication. Moreover, adding OAuth 2.0 can increase complexity and may not directly address the root cause of the CPU utilization issue.

ElDirec (Option: A)

In this case, since the servers are showing heavy CPU utilization, implementing rate limiting can help manage the load on the servers and improve performance. However, it's also important to consider other performance optimization techniques and security measures to ensure the overall health and efficiency of the API.

Anarckii (Option: A)

We want to focus on the utilization.

OdinAtlasSteel (Option: A)

Implement Rate Limiting: Rate limiting involves controlling the rate at which incoming requests are processed. By implementing rate limiting on the API, the system can restrict the number of requests from a single client or IP address within a specified time period. This can help mitigate the impact of excessive requests, prevent abuse, and alleviate the heavy CPU utilization on the servers. OAuth 2.0 is an authentication and authorization framework, and implementing it on the API may not directly address the reported performance issues unless authentication overhead is a significant factor, which is not mentioned in the scenario.

32d799a (Option: C)

The answer is C. The great security issue is the authentication.