Razorpay serves over 200K API requests per minute during peak hours on a typical day. DDoS attacks on B2B APIs like ours are fairly complex to detect and mitigate. They typically produce an extreme spike (10X-100X) in request volume that chokes critical resources, and so have the potential to impact our services. In order to guarantee a good quality of service to our customers, we've made significant investments that allow us to detect, prevent and mitigate these DDoS attacks, which we will cover in our talk.
Our internal API Gateway, based on Kong, acts as the brain that generates rich traffic insights. We used a combination of AWS Shield, traffic insights and data science to identify patterns and anomalies, which are then turned into dynamic thresholds. These thresholds feed a feedback loop that either throttles or blocks bad actors using AWS WAF. We will also talk about how we conducted simulations to battle-test these systems and guarantee the effectiveness of the end-to-end solution.
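As an added example (not code from the talk or from Razorpay's systems), the feedback loop described above reduced to its core step in Python: per-client request counts are parsed from constructed Kong-style access log lines, a dynamic threshold is derived from each client's own recent baseline, and the output is an allow/throttle/block decision of the kind that would be pushed into WAF rules. The log format, the 10x/100x multipliers and the floor value are assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed access-log format (an assumption for this example, not Razorpay's real format):
# "HH:MM:SS key=<api_key_id> <method> <path> <status>"
LOG_LINE = re.compile(r"^(?P<minute>\d\d:\d\d):\d\d key=(?P<key>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def make_lines(key, minute, n):
    """Build n constructed requests for one client inside one minute bucket."""
    return [f"10:{minute:02d}:{i % 60:02d} key={key} POST /v1/payments 200" for i in range(n)]

# Five minutes of steady baseline per client, then a sixth minute with three different behaviours.
BASELINE = {"key_tenant_a": 10, "key_tenant_b": 30, "key_tenant_c": 30}  # requests per minute
SAMPLE_LOG = [line for m in range(5) for key, n in BASELINE.items() for line in make_lines(key, m, n)]
SAMPLE_LOG += make_lines("key_tenant_a", 5, 25)      # 2.5x its own baseline: normal variation
SAMPLE_LOG += make_lines("key_tenant_b", 5, 3000)    # 100x spike: the volume profile the abstract describes
SAMPLE_LOG += make_lines("key_tenant_c", 5, 400)     # ~13x spike
SAMPLE_LOG += ["garbage line the parser must skip"]  # deliberately malformed

def per_minute_counts(lines):
    """Aggregate log lines into key -> minute bucket -> request count."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line)
        if m:  # unparseable lines are dropped rather than crashing the pipeline
            counts[m["key"]][m["minute"]] += 1
    return counts

def dynamic_threshold(history, floor=30, throttle_x=10, block_x=100):
    """Derive (throttle_at, block_at) from the client's own recent baseline (median of prior minutes).

    Multipliers mirror the 10x-100x spike range quoted above; the floor stops
    low-volume clients from being flagged on trivial absolute jumps.
    """
    baseline = statistics.median(history) if history else 0
    base = max(baseline, floor)
    return base * throttle_x, base * block_x

def evaluate(counts, minute, window=5):
    """Decide allow/throttle/block per client for one minute, using the earlier minutes as baseline."""
    decisions = {}
    for key, series in counts.items():
        history = [series[m] for m in sorted(series) if m < minute][-window:]
        throttle_at, block_at = dynamic_threshold(history)
        current = series.get(minute, 0)
        if current >= block_at:
            decisions[key] = "block"       # would become a WAF block rule for this key
        elif current >= throttle_at:
            decisions[key] = "throttle"    # would become a WAF rate-based rule
        else:
            decisions[key] = "allow"
    return decisions
```

Because the baseline is per client, a high-volume tenant running at its usual rate is not penalised while a modest tenant that suddenly multiplies its traffic is; re-running `evaluate` every minute with the latest window is what closes the loop.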