EdTech Platform Gets Managed API Security, DDoS Protection, and Account Takeover Prevention on AWS

Formative (formative.com) provides student assessment and teaching capabilities to schools and districts around the world. As a leading EdTech platform, Formative includes a variety of interactive technologies: audio, video, digital whiteboards, messaging, live collaboration, and more. Continuous availability of its primary web application and API is vitally important.

“We were having some problems with Denial of Service attacks,” said Dobes Vandermeer, Formative’s Lead Developer. “HTTP request floods were being sent to our website, seemingly at random. There were some big attacks, with many thousands of requests per second.

“We were able to mitigate them using CloudFront and AWS Shield. But these can only cover the HTML part of an application.

“Our API isn’t suitable for caching, so CloudFront can’t protect it. So we started looking for DDoS protection that has the ability to protect our API.”

Selecting a DDoS Protection Solution

Mr. Vandermeer continued, “Also, we wanted a system that’s smart enough to handle the logic that we wanted. We want to be able to throttle incoming traffic based on multiple conditions, such as user IDs for example.”

Many web security solutions offer DDoS protection, but most are based on simple IP tracking. These solutions can be defeated by common hacker tactics such as IP rotation. Mr. Vandermeer noted, “We were looking for a product that was smarter, so we could have more precise targeting and protection. We wanted to block attacks on our API, without a lot of false positives.”

After evaluating several security solutions, Formative chose Reblaze. Mr. Vandermeer said, “Most of the others were eliminated because their DDoS rules engine wasn’t sophisticated enough.

“Reblaze is more intelligent, and it has a powerful rules system. We can specify the conditions to filter requests, and we can define separate rules for different URLs. The key thing for us is that it’s more than just throttling based on IP addresses. That was probably the biggest difference from most of the other products out there, that it can filter traffic based on headers and other things.”

Other Benefits

Although Formative’s initial motive was to protect their API against DDoS attacks, Mr. Vandermeer noted that Reblaze has other benefits as well, such as its advanced rate limiting module. “We were having sign-up floods, where one person would create hundreds of accounts. Or we’d have password-guessing attacks [where an attacker would try to take over accounts by brute-forcing a login form]. With Reblaze, we can set up throttling to prevent people from doing these things.”

Another plus is that Reblaze deploys either right in front of the protected environment, or even directly within the customer’s VPC. Mr. Vandermeer said, “I don’t have to worry about adding latency, because my traffic isn’t going to someone else’s data center and then back to ours. We run Reblaze in the same AWS region and zone as our application.”

This also preserves data privacy, since traffic is not processed on external infrastructure.

Fully Managed

Reblaze is a fully managed solution, maintained remotely by Reblaze personnel. Customers can manage their own deployments if they want, but many choose not to do so. Mr. Vandermeer said, “I actually don’t use Reblaze that much. We just set up the rules, and now, whenever we need a change, we don’t necessarily log in to Reblaze ourselves. We just send in a support ticket, and the Reblaze team changes it for us.

“The support response times are good, generally within one business day. There are vendors where they’re supposed to have a one-day turnaround, but then things slip through the cracks and it takes several days instead. But Reblaze has always been on top of that.”

The Reblaze SOC also monitors Formative’s traffic for them. “And whenever they notice something suspicious, they reach out to us and tell us ‘we blocked these IP addresses’ or whatever. That’s nice to have.”

“Reblaze has a highly advanced product. They have good support. And it’s been trouble-free and smooth sailing.”

INDUSTRY

EdTech

CHALLENGES

  • Defending an API against DDoS
  • Gaining targeted, precise protection (beyond simple IP-based filtering)
  • Defeating ATO (Account Takeover) attacks
  • Avoiding the latency and privacy compromises that most third-party security solutions include

SOLUTION

Reblaze was deployed on AWS, in the same region and zone as Formative’s application.

RESULTS

  • Formative’s API now has robust protection against DDoS and other attacks.
  • Security policies are highly customizable and targeted.
  • Reblaze is performant and preserves complete data privacy.
  • The Reblaze team manages and monitors Formative’s deployment.
