Functions abuse prevention

nkanderson · July 24, 2020, 8:43pm

I’m relatively new to functions and netlify, and wondering about abuse prevention - namely, limiting requests to my netlify functions so that malicious actors aren’t able to hit my endpoints at an extremely high rate and raise my costs. In a more traditional server environment, I might expect to be able to rate-limit based on IP, like using HAProxy stick tables. I’m not sure how to go about doing something similar in the netlify functions / lambda context, or if there’s another approach people tend to use to prevent abuse.

Further context on my use case: I’ve got a netlify site with a React frontend, and functions API endpoints that write to a faunadb database. In my ideal world, I’d probably limit those API endpoints to fulfill requests from my React app only, but that seems difficult given the React app’s client-side context (i.e. there doesn’t seem to be anywhere to use secrets that would be completely obscured from a client and prevent retrieval by a user). Implementing some form of rate-limiting seems like a reasonable alternative, or first step.

perry · July 2, 2020, 11:01pm

hey @nkanderson - good questions, and I’m glad you are checking in about this.

We’re discussed this before in these forums (not specific to functions calls, but I think the same philosophy applies)

take a look at this thread:

nkanderson · July 18, 2020, 7:35pm

Thanks for the reply @perry. If I understand correctly, most of those discussions center on a DDoS, rather than single IP rate-limiting. I acknowledge the difficulty in distinguishing between a DDoS and a legitimate surge in traffic, but it seems more straightforward to flag an extremely high rate of requests from a single IP as likely being malicious.

As I mentioned, I’m just getting into thinking about the functions / lambda approach to application development, but from what I’ve picked up, it seems like an API gateway is what would typically be placed in front of functions infrastructure to allow for abuse prevention like I’ve described. I like how netlify has been able to create a straightforward and distilled interface for users getting up and running with functions, so it would be really cool to see netlify add some basic API gateway-like configuration as well. Is there anywhere I can make a feature request or add my vote for something like that?

fool · July 20, 2020, 10:12pm

Hi @nkanderson and thanks for the question/suggestion! First off, let me talk about what’s available today for you to do this kind of validation:

you can choose to put your function behind a proxy route from another site, and use the signed feature in our proxy redirects described here: https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/ and demonstrated here: Signed proxy redirects . This means only your app will call your functions, and your function can abort if someone calls it elsewise. This won’t prevent someone from hitting site.com/api (and triggering the function on othersite) repeatedly, but it will at least prove that traffic came via your site.

2.you can put in limitations via your function - it knows about IP addresses (sent to you as X-Nf-Client-Connection-Ip). You can save IP’s to an external store and start aborting execution if you see an abuser, before they access your backend (via the function). This will protect your origin.

Neither of those helps you control usage via the provided URL; your function would run as many times as called. But they do ensure: 1) called via netlify and 2) won’t destroy your backend (e.g. stuff your fauna full of junk).

You can obscure a secret (e.g. API token) via a function, here’s an example: https://github.com/depadiernos/token-hider-inator ; not sure if that helps your use case or not.

When we launch Edge Handlers this will allow you to craft any protection you want. But that is still a bit of distance away from GA.

It is the case that we don’t have the block ability you want today; there is an open feature request which I’ve linked this to so I can let you know in case that situation changes, but I think it likely that Edge handlers will come out instead, since the team writing edge handlers would be the team who paused that implementation to implement a block, so they’ll probably focus on the release instead since that opens a lot of possibilities up, many more than just this one.

I don’t think we have any plans to enable a separate API gateway from what we already have; our advice would be to use native functions rather than ours if you have extended needs. Our implementation is really about integrating with our websites in the usual way. To date we’ve had exactly 2 functions “abusers”, one of whom abused their own site to prove it could be done. So - it’s not something that happens very often

Hope that information helps you make a good decision as to whether our service is appropriate for your business or not!