Akamai App & API Protector Expert

Akamai Platform Architecture

Akamai operates the world's largest CDN network (~240,000 servers in 130+ countries). App & API Protector runs at the edge — all customer traffic passes through Akamai's edge nodes before reaching origin:

Internet → Akamai Edge Network → Origin Server
                 ↓
    ┌────────────────────────────┐
    │   App & API Protector      │
    │   ├── DDoS Protection      │
    │   ├── WAF (KRS Rules)      │
    │   ├── Bot Manager          │
    │   ├── API Security         │
    │   └── Adaptive Security    │
    └────────────────────────────┘

Configuration delivery: Configurations are pushed to Akamai edge nodes via the Akamai Property Manager (delivered through "activations"). Changes take minutes to propagate globally.

WAF Configuration

Security Policy Structure

Security Configuration (top-level)
├── Security Policy 1 (for production)
│   ├── Attack Group rules
│   ├── Custom rules
│   ├── Rate Controls
│   ├── Reputation Controls
│   └── Bot Manager settings
├── Security Policy 2 (for staging)
│   └── ...
└── Match Targets (which hostname/path uses which policy)

Match targets: Associate security policies with specific hostname/path combinations:

• www.example.com → Production policy
• staging.example.com → Staging policy (looser rules)
• api.example.com/v1 → API-specific policy

Attack Groups (KRS - Kona Rule Set)

Akamai groups rules into attack groups by vulnerability category:

Policy Modes

ASE Auto (Adaptive Security Engine Auto):

• ASE analyzes traffic patterns and automatically adjusts rule sensitivity
• Reduces false positives by learning what is normal for your application
• Recommended for most deployments

Structured Rule Sets:

• Manual rule management
• More control, but requires tuning effort
• Better when you need deterministic behavior

Alert vs. Block Mode

Per rule / per attack group:

• Alert: Log the event, allow the request
• Deny (Block): Return 403, deny the request

Deployment approach:

1. Set all attack groups to Alert mode
2. Deploy to production
3. Review Security Center → attack event logs
4. Identify false positives by attack group
5. Tune specific rules within problematic groups
6. Switch to Deny mode group by group after validating

Adaptive Security Engine (ASE)

The Adaptive Security Engine continuously analyzes traffic to reduce false positives automatically.

How ASE Works

1. Traffic analysis: ASE builds a model of normal request patterns for your application

   • Which endpoints exist
   • What request patterns (parameters, sizes, encodings) are normal
   • What attack group triggers are legitimately used by your app

2. Tuning recommendations: ASE surfaces recommendations to:

   • Increase sensitivity (rules that catch attacks but aren't generating false positives)
   • Decrease sensitivity (rules generating false positives for your specific app)

3. Auto-update: In ASE Auto mode, recommendations are automatically applied

4. Manual review: In ASE Manual mode, you review and approve recommendations

ASE Tuning Recommendations

In Akamai Control Center → Security → App & API Protector → Your Config → Tuning:

Recommendations are shown per attack group and per rule:

• "Increase sensitivity: SQL Injection group is not triggering false positives"
• "Decrease sensitivity: XSS rule 3000001 generated 450 false positive events in 24h"

Accepting tuning recommendations:

• Accept individually: precise control
• Accept all: faster, but review before production

Reputation Controls

Akamai maintains a real-time IP reputation database built from global traffic analysis across all Akamai customers.

Reputation Categories

Reputation Policy Configuration

Security Policy → Reputation Controls
  → Web attacks: Deny (score ≥ 5)
  → Scanning tools: Deny (score ≥ 5)
  → DOS attacks: Alert (score ≥ 5)
  → Known anonymizers: Alert (score ≥ 5)

Reputation scores: 0 (clean) to 10 (high confidence malicious).

Tuning: Threshold "score ≥ 5" means any IP with that reputation category scores 5+ gets the configured action. Higher threshold = fewer blocks, lower false positive rate.

Bot Management

Bot Manager Premier

Akamai's enterprise bot management solution:

Bot categories:

• Known bots: Pre-categorized (search engines, monitoring, security scanners, business services)
• Unknown bots: Unclassified automated traffic

Actions per bot category:

• Allow
• Slow down (tarpit — artificial delay response)
• Redirect to URL
• Deny
• Challenge (present browser verification)

Bot Detection Techniques

Behavioral fingerprinting:

• Mouse movement patterns
• Typing cadence
• Scroll behavior
• Click patterns

Device fingerprinting:

• Browser properties (Canvas, WebGL, fonts, plugins)
• Hardware characteristics
• Network characteristics

Cognitive challenges:

• JavaScript challenges (invisible to users, stops simple bots)
• Device fingerprint challenges
• CAPTCHA (traditional reCAPTCHA/hCaptcha)

Bot Scoring

Requests are assigned a bot score:

• 0 = Definitely human
• 100 = Definitely bot

Configure actions based on score ranges:

Bot score 80-100 → Deny
Bot score 50-79  → Challenge
Bot score 0-49   → Allow (likely human)

Rate Controls

Network-Layer Rate Controls

Request-rate threshold: Max requests per time window per client IP:

Path: /api/v1/login
Method: POST
Threshold: 10 requests per 60 seconds
Action: Deny

Slow POST detection: Detects attacks that send HTTP bodies extremely slowly to exhaust connections.

Bot-Aware Rate Limiting

Separate thresholds for bots vs. humans:

• Human users: 100 requests/minute allowed
• Bot traffic: 10 requests/minute before challenge

API Security

API Definition Enforcement

Import OpenAPI (Swagger) specifications to enforce API contracts at the edge:

1. Upload OpenAPI spec to Akamai → API Definitions
2. Associate with hostname and base path
3. Configure enforcement actions:
   • Path enforcement: Block requests to undefined API paths
   • Method enforcement: Block disallowed HTTP methods per endpoint
   • Parameter enforcement: Validate required parameters present

JWT Validation

Validate JWTs at the edge:

API Security → JWT Validation
  → JWKS URL: https://auth.example.com/.well-known/jwks.json
  → Required claims: exp, iss
  → Actions:
      Missing token: Deny
      Invalid signature: Deny
      Expired token: Deny
      Missing claim: Alert

Sensitive Data Detection (Outbound)

Detect and mask sensitive data in responses before delivery to clients:

• Credit card numbers (Luhn algorithm check)
• Social Security Numbers (US format)
• Custom regex patterns (e.g., internal account numbers)

Action: Mask data, alert SecOps team.

Security Center

Akamai Security Center (in Control Center) provides the security operations dashboard:

Security Events

Real-time and historical view of security events:

• Filter by: attack group, action (alert/deny), hostname, source country
• Event details: full request, matched rule, client IP, user agent
• Event correlation: link related events from same attacker campaign

Attack Analytics

Automated analysis of attack campaigns:

• Groups related events into "attacks" based on source patterns
• Provides executive-level summaries
• Identifies coordinated attack campaigns vs. individual probes

Threat Intelligence Integration

Akamai integrates with:

• Akamai Hunt: Threat hunting service using Akamai's global traffic visibility
• Enterprise Threat Protector: DNS-layer security
• Guardicore (Akamai acquisition): Microsegmentation and east-west traffic security

Property Manager Integration

WAF configuration is part of Akamai Property Manager rules:

Property Manager Rule
└── Criteria: match type (hostname, path, user-agent)
    └── Behavior: Application Security
        ├── Security Configuration: MyConfig
        └── Security Policy: ProductionPolicy

Activation: Changes require "activation" to push to Akamai's edge network. Test in staging network first, then activate to production.

Networks:

• Staging network: *.akamai-staging.net — test configurations without affecting production
• Production network: Live traffic

Common Issues

High false positive rate after initial deployment:

• Use Alert mode universally first — do not start with Deny
• Review Tuning tab in Security Center for ASE recommendations
• Focus on highest-volume false positive attack groups first
• Check Match Targets — ensure security policy applies to correct hostnames/paths

API returning false positives for JSON bodies:

• Verify attack group sensitivity — JSON often contains patterns that trigger XSS/SQLi rules
• Use Adaptive Security Engine to learn what your API's normal request patterns look like
• Consider a separate security policy for API endpoints with lower paranoia level

Reputation blocks affecting partner IPs:

• Add partner IP ranges to allowlist (network list) with "Allow" action before reputation evaluation
• Use Security Policy → IP/Geo Firewall → Add to allowlist

Bot Manager blocking legitimate automation:

• Identify bot category in Security Center events
• For known legitimate bots (monitoring, internal automation): add to allowed list by user agent or IP
• For API clients: configure specific user-agent pattern to bypass bot challenge