In Q4 2024, the number of DDoS attacks on APIs doubled compared to the same quarter in 2023. At the same time, 70% of DDoS attacks on APIs targeted retail and banks, according to StormWall's analytical center.

After analyzing customer data, StormWall experts found that during the reporting period 38% of DDoS attacks on APIs hit the retail sector (up 26%) and 32% hit the banking industry (up 22%). The increase in incidents was driven by consumer activity during the Black Friday sales and preparations for the New Year, including the growing peak in payments during the New Year holidays.

As the company explains, DDoS attacks on APIs aim to overload the servers that process API requests by sending a huge number of requests. As a result, companies lose access to services, which leads to downtime, a degraded user experience, and financial losses from suspended business processes.


Attacks on APIs can have consequences such as data loss, system compromise, changes in application logic, or complete system failure. It is enough to find a vulnerability or cause excessive load on a specific endpoint. API requests often look like legitimate traffic, which makes them more difficult to detect and filter compared to more obvious attacks such as HTTP Flood.

To combat DDoS attacks on APIs, you can use traffic monitoring systems to detect anomalies, deploy a WAF to filter malicious traffic, create data backups, and have an incident response plan.
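One way to approach the traffic-monitoring step, as an added example that is not from StormWall or the original article: a per-endpoint baseline over access-log lines, which flags a surge confined to one endpoint even when total traffic barely moves. The log format, endpoint paths, thresholds and sample data are constructed assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed log shape (constructed): client [HH:MM:SS] "METHOD path?query HTTP/1.1" status
LINE = re.compile(r'\[\d{2}:(\d{2}):\d{2}\] "(?:GET|POST) (\S+?)(?:\?\S*)? HTTP')

def make_sample():
    """Constructed log: 10 steady minutes, then a surge on one low-volume endpoint."""
    lines = []
    for minute in range(12):
        per_min = {"/api/v1/catalog": 400 + minute % 3,
                   "/api/v1/payments": 10 + minute % 2}
        if minute >= 10:  # surge confined to the payments endpoint
            per_min["/api/v1/payments"] = 60
        for path, n in per_min.items():
            for i in range(n):
                lines.append(f'198.51.100.{i % 250} [12:{minute:02d}:{i % 60:02d}] '
                             f'"POST {path}?id={i} HTTP/1.1" 200')
    return lines

def per_endpoint_counts(lines):
    """Return {path: Counter({minute: requests})} with query strings stripped."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE.search(line)
        if m:  # lines that do not match the assumed format are skipped
            counts[m.group(2)][int(m.group(1))] += 1
    return counts

def find_anomalies(counts, baseline_minutes, k=6.0, min_mad=1.0):
    """Flag (path, minute, count) where count > median + k * MAD of that endpoint's baseline."""
    alerts = []
    for path, by_min in counts.items():
        base = [by_min.get(m, 0) for m in baseline_minutes]
        med = statistics.median(base)
        # Floor the MAD so a very flat baseline does not alert on tiny jitter.
        mad = max(statistics.median([abs(x - med) for x in base]), min_mad)
        for minute, n in sorted(by_min.items()):
            if minute not in baseline_minutes and n > med + k * mad:
                alerts.append((path, minute, n))
    return alerts

if __name__ == "__main__":
    counts = per_endpoint_counts(make_sample())
    for path, minute, n in find_anomalies(counts, range(10)):
        print(f"minute {minute}: {path} at {n} req/min exceeds its baseline")
```

In the constructed data the surge raises total requests per minute by only about 12%, while the payments endpoint runs at roughly six times its own baseline, which is why the comparison is made per endpoint.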
