Distributed Denial Of Service in Axum

Distributed Denial of Service (DDoS) attacks in Axum applications exploit the framework's asynchronous, high-concurrency nature. Unlike traditional web frameworks, Axum's design with Tokio's multi-threaded runtime and non-blocking I/O creates unique attack surfaces that can be leveraged to exhaust system resources.

The most common DDoS pattern in Axum involves overwhelming the connection pool. Axum uses Tokio's multi-threaded runtime by default, which can spawn hundreds of worker threads. An attacker can open thousands of concurrent connections, each consuming a Tokio task and potentially a thread from the pool. Since Axum doesn't impose default connection limits, this can lead to thread exhaustion and complete service unavailability.

Another critical vulnerability stems from Axum's default request handling. Each incoming request spawns a Tokio task, and without proper backpressure mechanisms, an attacker can flood the system with requests faster than they can be processed. This creates a situation where the Tokio scheduler becomes overwhelmed, leading to increased latency for legitimate requests and eventual service degradation.

Resource exhaustion attacks specifically target Axum's memory usage patterns. The framework's default JSON deserialization using serde_json can be exploited through malformed or excessively large payloads. An attacker can send requests with massive JSON objects or arrays, causing the deserialization process to consume significant memory before the request is even processed. This is particularly dangerous because Axum processes requests asynchronously, allowing many such memory-intensive operations to occur simultaneously.

Rate limiting is notably absent from Axum's core functionality, making it vulnerable to volumetric attacks. Without built-in rate limiting middleware, an attacker can send thousands of requests per second to a single endpoint, overwhelming the application's ability to respond. This is especially problematic for computationally expensive endpoints, such as those performing database queries or complex calculations.

The Tokio runtime configuration in Axum applications also presents a DDoS vector. By default, Axum applications use Tokio's multi-threaded scheduler with a thread pool size based on the number of CPU cores. An attacker can exploit this by creating a high volume of I/O-bound operations that keep threads busy, preventing legitimate requests from being processed. This is particularly effective when combined with slowloris-style attacks that keep connections open with partial requests.

Here's a vulnerable Axum endpoint that demonstrates these issues:

use axum::{routing::post, Router, Json, http::StatusCode};
use serde::{Deserialize, Serialize};
use tokio::task;

#[derive(Deserialize)]
struct ProcessRequest {
    data: Vec<u8>,
    iterations: usize,
}

async fn process_data(payload: Json<ProcessRequest>) -> Result<Json<ProcessResponse>, StatusCode> {
    // CPU-intensive operation without any limits
    let result = task::spawn_blocking(move || {
        let mut data = payload.data.clone();
        for _ in 0..payload.iterations {
            // Simulate expensive computation
            data = expensive_computation(data);
        }
        data
    })
    .await
    .unwrap();
    
    Ok(Json(ProcessResponse { processed: result.len() }))
}

fn expensive_computation(data: Vec<u8>) -> Vec<u8> {
    // Simulate CPU-intensive work
    data.into_iter().map(|b| b.wrapping_mul(2)).collect()
}

This endpoint is vulnerable because it accepts arbitrary iteration counts and data sizes without validation, performs CPU-intensive work without rate limiting, and uses spawn_blocking without considering the Tokio thread pool capacity. An attacker could send requests with iterations: 1000000 and large data vectors, consuming significant CPU resources across all available threads.

Detecting DDoS vulnerabilities in Axum applications requires understanding both the framework's architecture and the specific attack patterns that target it. The most effective detection approach combines runtime monitoring with static analysis of the codebase.

Runtime monitoring should focus on Tokio-specific metrics. Since Axum applications run on Tokio's runtime, monitoring the number of active tasks, pending tasks in the queue, and thread pool utilization provides early warning signs of DDoS attacks. Tools like tokio-console can help visualize these metrics in real-time, showing when the number of active tasks spikes unexpectedly or when the task queue depth grows beyond normal operating parameters.

Connection monitoring is critical for Axum applications. Unlike traditional frameworks, Axum's asynchronous nature means that connections can remain open for extended periods without consuming threads, but they still consume resources. Monitoring open connection counts, connection establishment rates, and connection lifetime distributions helps identify slowloris-style attacks or connection exhaustion attempts.

CPU and memory usage patterns specific to Axum's execution model should be monitored. Since Axum uses Tokio's multi-threaded runtime, sudden spikes in CPU usage across multiple cores can indicate a DDoS attack targeting CPU-intensive endpoints. Memory usage should be monitored for abnormal growth patterns, particularly in applications that process large JSON payloads or perform data-intensive operations.

Static analysis of Axum code can reveal DDoS vulnerabilities before deployment. Key areas to examine include:

• Endpoints that accept unbounded input sizes or iteration counts
• Functions using spawn_blocking without considering thread pool limits
• Endpoints performing expensive computations without rate limiting
• Code paths that create unbounded futures or async operations
• Missing timeout configurations on requests or operations

middleBrick's API security scanner specifically targets these Axum vulnerabilities through its black-box scanning approach. The scanner tests for connection exhaustion by establishing multiple concurrent connections to identify endpoints that don't enforce connection limits. It also evaluates rate limiting effectiveness by sending rapid sequential requests to measure response throttling.

The scanner's Input Validation check examines how Axum endpoints handle malformed or oversized payloads, testing for memory exhaustion vulnerabilities. For computationally expensive endpoints, middleBrick evaluates whether proper resource limits are in place by measuring response times under load and checking for graceful degradation.

Here's how middleBrick reports DDoS-related findings in Axum applications:

{
  "category": "Rate Limiting",
  "severity": "high",
  "finding": "Missing rate limiting on /api/process endpoint",
  "description": "The endpoint accepts unlimited requests without any throttling mechanism, allowing potential volumetric DDoS attacks.",
  "remediation": "Implement rate limiting middleware using tower::rate_limit or axum_extra::rate_limit",
  "evidence": {
    "test_results": [
      {"requests_sent": 100, "responses_received": 100, "avg_response_time": 12.5},
      {"requests_sent": 1000, "responses_received": 1000, "avg_response_time": 250.3}
    ]
  }
}

This structured reporting helps developers understand exactly which endpoints are vulnerable and what specific protections are needed. The evidence section provides concrete data showing how the endpoint behaves under load, making it easier to prioritize remediation efforts.

Remediating DDoS vulnerabilities in Axum applications requires a multi-layered approach that leverages the framework's extensibility while addressing its inherent architectural characteristics. The most effective strategy combines rate limiting, resource constraints, and proper Tokio runtime configuration.

Implementing rate limiting is the first critical step. Axum doesn't include built-in rate limiting, but the axum_extra crate provides middleware specifically designed for this purpose. Here's how to implement rate limiting for an Axum application:

use axum_extra::rate_limit::{RateLimit, RateLimitLayer};
use axum::{routing::post, Router, Json};
use std::time::Duration;

// Create a rate limiter that allows 100 requests per minute
let rate_limit_layer = RateLimitLayer::new(100, Duration::from_secs(60));

async fn process_data(payload: Json<ProcessRequest>) -> Result<Json<ProcessResponse>, StatusCode> {
    // Your processing logic here
    Ok(Json(ProcessResponse { processed: payload.data.len() }))
}

let app = Router::new()
    .route("/api/process", post(process_data))
    .layer(rate_limit_layer); // Apply rate limiting to all routes

This implementation limits each client to 100 requests per minute, providing basic protection against volumetric attacks. The rate limiter uses a sliding window algorithm to ensure fair distribution of requests across time.

For CPU-intensive operations that are particularly vulnerable to DDoS attacks, implementing request timeouts and task limits is essential. Axum applications should use Tokio's timeout mechanisms to prevent long-running operations from consuming resources indefinitely:

use axum::{routing::post, Router, Json, http::StatusCode};
use tokio::time::{timeout, Duration};

async fn process_data(payload: Json<ProcessRequest>) -> Result<Json<ProcessResponse>, StatusCode> {
    // Set a 30-second timeout for the entire operation
    match timeout(Duration::from_secs(30), process_with_timeout(payload)).await {
        Ok(result) => result,
        Err(_) => Err(StatusCode::REQUEST_TIMEOUT),
    }
}

async fn process_with_timeout(payload: Json<ProcessRequest>) -> Result<Json<ProcessResponse>, StatusCode> {
    // Process data with internal timeouts for sub-operations
    let result = task::spawn_blocking(move || {
        // CPU-intensive work with internal limits
        let mut data = payload.data.clone();
        for i in 0..payload.iterations {
            if i % 100 == 0 {
                // Check if we should continue (can be replaced with actual cancellation)
                if should_cancel() {
                    return Err(StatusCode::TOO_MANY_REQUESTS);
                }
            }
            data = expensive_computation(data);
        }
        Ok(data)
    })
    .await??;
    
    Ok(Json(ProcessResponse { processed: result.len() }))
}

This approach ensures that even if an attacker sends requests with extremely high iteration counts, the operation will time out after 30 seconds, freeing up resources for other requests.

Memory usage limits are critical for preventing DDoS attacks that exploit deserialization vulnerabilities. Axum applications should validate input sizes before processing:

use axum::{routing::post, Router, Json, http::StatusCode, extract::FromRequestParts};
use http::request::Parts;
use serde::{Deserialize, Serialize};

#[derive(Deserialize)]
struct ProcessRequest {
    data: Vec<u8>,
    iterations: usize,
}

struct ValidatedRequest {
    data: Vec<u8>,
    iterations: usize,
}

#[async_trait]
impl FromRequestParts<B> for ValidatedRequest
where
    B: Send,
{
    type Rejection = StatusCode;

    async fn from_request_parts(parts: &mut Parts, body: &mut B) -> Result<Self, Self::Rejection> {
        // Extract and validate the JSON body
        let payload = Json<ProcessRequest>: from_request_parts(parts, body).await.map_err(|_| StatusCode::BAD_REQUEST)?;
        
        // Validate input sizes
        if payload.data.len() > 1_000_000 {
            return Err(StatusCode::PAYLOAD_TOO_LARGE);
        }
        
        if payload.iterations > 10_000 {
            return Err(StatusCode::BAD_REQUEST);
        }
        
        Ok(ValidatedRequest {
            data: payload.data,
            iterations: payload.iterations,
        })
    }
}

async fn process_data(ValidatedRequest { data, iterations }: ValidatedRequest) -> Result<Json<ProcessResponse>, StatusCode> {
    // Safe to process - inputs are validated
    Ok(Json(ProcessResponse { processed: data.len() }))
}

This validation layer prevents attackers from sending excessively large payloads or requesting an unreasonable number of iterations, protecting against memory exhaustion attacks.

Connection limits should be implemented at the infrastructure level, but Axum applications can also help by using appropriate Tokio runtime configurations. For applications expecting high traffic, consider using Tokio's basic scheduler instead of the default multi-threaded scheduler:

use axum::{routing::post, Router, Json};
use tokio::runtime::Builder;
use tokio::task::BasicScheduler;

#[tokio::main]
async fn main() {
    // Create a runtime with specific thread pool configuration
    let runtime = Builder::new_current_thread()
        .enable_all()
        .build()
        .unwrap();
    
    runtime.block_on(run_app());
}

async fn run_app() {
    let app = Router::new()
        .route("/api/process", post(process_data));
    
    // Start the server with custom configuration
    axum::Server::bind(&[([127, 0, 0, 1], 3000)])
        .serve(app.into_make_service())
        .await
        .unwrap();
}

This configuration gives you more control over how Axum handles concurrent requests and can be tuned based on your specific performance requirements and expected traffic patterns.