DDoS | basic Python script that accepts a website 's url in string

You could try turning the source code of the website into a string and do one of the following:

I did some research into the link you shared, Django's source and Django REST Framework's source.

Bare-bones Django is not vulnerable to this, since it doesn't uses X-Forwarded-For, and neither is Python.

Virtually all versions of Django REST Framework are vulnerable, since this commit 9 years ago added the HTTP_X_FORWARDED_FOR check: https://github.com/encode/django-rest-framework/blob/d18d32669ac47178f26409f149160dc2c0c5359c/rest_framework/throttling.py#L155

For measures you can take to avoid this, since a patch is not yet available, you could implement your own ratelimitter, and replace get_ident to only use REMOTE_ADDR.

If your Djando REST Framework application is behind a proxy, you might not be vulnerable to this.

If everything really is/works as you say it does and there is no bug you have not yet found, then try this:

malloc and other memory allocation usually uses chunks of 16 bytes anyway, even if the actual requested size is smaller than 16 bytes. So you only need 4000/16 - 30/16 ~ 250 different memory pools.

This might not be the answer you want to hear, but it has some validity.

A good practice when trying to do almost any type of training or data analysis is to first clean the data. One of those steps can include removing or treating 'Nan', 'infinity', or otherwise out-of-place outliers.

There is a multitude of ways to do this, but for your case, I would suggest doing all of these to start with:

1. Remove rows with Nan values.
2. Remove rows with infinity values.
3. Move all values so that they are within the float64 data size, or remove rows that contain numbers outside of the float64 data size.
4. Remove columns that have an excessively large range.

Here is a function I use often to first inspect data for cleaning.

I think you may be extrapolating too much that this is an issue with Cloudflare or being blocked. A quick search of your first service results in a notice that they have shut it down (probably due to high usage) -

As of November 10, 2021 we are no longer providing this API due to massive abuse.

https://whatismyipaddress.com/api

Your other services could be experiencing similar issues with reliability. Server security wouldn't really cause DNS lookup to fail. Luckily there are many, many, alternatives you can try. For example -

https://www.ipify.org/

Or Cloudflare even has an (undocumented) endpoint that could be used -

https://www.cloudflare.com/cdn-cgi/trace

At the end of the day though, if you want something reliable / guaranteed, you'll probably have to pay for it. Otherwise be prepared to shift to a new service every so often. Luckily the data returned should be easy to integrate (an IP address).

Can we have "anonymous" users that have a short-lived JWT token?

Yes, you can and its recommend that you even do it for logged users. See the Auth0 blog What Are Refresh Tokens and How to Use Them Securely:

This post will explore the concept of refresh tokens as defined by OAuth 2.0. We will learn how they compare to other token types and how they let us balance security, usability, and privacy.

The problem with using tokens for anonymous users or logged in users is that they only identify who is in the request, not what is doing the request.

I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

So, think about the who as the user (anonymous or logged) your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request in behalf of the user.

We are already considering:

• API KEY for every application (not per session)
• Rate limiting
• DDoS services to protect the APIs

This are basic security measures that any API should implement, but they will fall short when it comes to give na high degree of confidence to API server that the request is indeed from what it expects, a genuine and untampered version of your app.

You can read more about in my article The Top 6 Mobile API Protection Techniques - Are They Enough?:

In this article we will explore the most common techniques used to protect an API, including how important it is to use HTTPS to protect the communication channel between mobile app and API, how API keys are used to identify the mobile app on each API request, how user agents, captchas and IP addresses are used for bot mitigation, and finally how user authentication is important for the mobile security and api security. We will discuss each of these techniques and discuss how they impact the business risk profile, i.e. how easy they are get around.

The reader will come to understand why today’s commonly used mobile API protection techniques are very naive and not fit for purpose to defend digital businesses against API abuse. API abuse is its various forms is much more commonplace that most businesses realize so it is important to employ the right techniques to maintain revenue and brand reputation.

For example, how can the SPA Web application or Mobile application securely obtain a "per-session" anonymous user?

With web apps its very easy to introspect them and see the API requests and their responses by just using the developer tools on the browser.

For mobile apps more work its required but a plethora of open source tools exist to make it easy and in some cases trivial to the point that even non developers can do it, thus making the task of securing an API server very hard, but not impossible.

So, do to the completely different way how the web and mobile devices work the approaches to secure them will differ.

Are Captchas actually helpful in this scenario?

Captcha gives you a score to tell you a likely who is in the request is a real human. At the best score it cannot guarantee with an high degree of confidence that what is doing the request is indeed what your API server expects, a genuine and untampered version of your web or mobile app.

To learn some useful techniques to help your API backend to try to respond only to requests coming from what you expect, your genuine web app, you can read my answer to the question Secure api data from calls out of the app, especially the section dedicated to Defending the API Server.

It's more of a general question, but What is the recommended way to protect APIs used in SIGN UP processes?

Despite not being specifically for the signup process I recommend you to read this answer I gave to the question How to secure an API REST for mobile app?, especially the sections Hardening and Shielding the Mobile App, Securing the API Server and A Possible Better Solution.

From that answer the better approach that can be employed is by using a Mobile App Attestation solution that will enable the API server to know is receiving only requests from what it expects, a genuine and untampered version of your mobile app.

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

The Web Security Testing Guide:

The OWASP Web Security Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.

In my opinion, you are leveraging Gitlab (for storing logs, metrics, app data, etc.) in the wrong way. Source control management (SCM) systems are meant for your source-code, and clearly not for application logs or any data your app is producing.

Instead, for this you would use tools like e.g. CloudWatch logs, S3, any other data source (ElasticSearch, DynamoDB, RDS, etc.). So your application (Amppot) should be instrumented accordingly.

If you pick CloudWatch for logs and metrics collection, you could configure Amazon CloudWatch agent on your EC2 instance and instrument it to push your logs (that your application is producing) to a CloudWatch log group. See documentation here.

Your app would push its stderr and stdout streams into local files (e.g. /var/log/amppot.log), and CloudWatch agent would sync them with AWS CloudWatch service.

If, despite of the above, you still want to push your application files to Gitlab (from your EC2), then simply configure a cron job, that will execute the following bash script on a regular interval:

Well after alot of search I came to this :