Podcast: ThinkingElixir 93 - Preventing Service Abuse with Michael Lubas

In episode 93 of Thinking Elixir, we talk with Michael Lubas about protecting our Phoenix applications from common automated bot attacks. We cover API abuse to send email spam, carding attacks, credential stuffing and more!


As a Developer Advocate for API Security I loved to listen to this episode.

One thing that developers of several levels of seniority commonly fail to grasp is the difference between who is in the request vs what is making the request. When this difference becomes ingrained in their minds, then they will reason about the security of the endpoint they are about to create/fix/improve with another mindset.

I wrote this article that as a section about it, but the main takes are:

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

Now we need a way to identify what is calling your API server, and here things become more tricky than most developers may think. The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

While the article was wrote in the context of Mobile API security, the who vs what remains the same for any type of app.

Beware, that sometimes the attacker is a legit user of your app, trying to gamify is way around your service, like getting more reward points.

I really hope that @realcorvus succeeds in endeavour of being the first bot detection tool dedicated only to Elixir. We need more initiatives in the security space, because the bad guys are not sleeping in the couch.


Thank you! I’m glad you enjoyed the episode. Traffic classification is a difficult problem that’s a big focus for paraxial.io. I agree with your article that API endpoints exposed to the open internet are frequently the target of malicious requests. Dealing with an automated attack that becomes an incident is usually a rough day at work, hopefully these discussions help prevent that.


Also, I would like to point that you have shodan.io that monitors all IPs for insecure software/servers. This service does what a lot attackers do on their own or by using this service.


I wrote a simple blog post of how I do it with remote_ip and plug_attack with Metamorphic while respecting people’s privacy.

I also wrote another on rate limiting login attempts while also respecting privacy.

It was super great to listen to this episode, and I always look forward to Tuesday mornings with your podcast. :blush:

I was so excited to share I forgot to mention that I am also with @Exadra37 in hoping you succeed. And curious to see how it will positively impact security in Elixir.