You know the age-old saying “it only takes one bad apple to spoil the bunch?” The idiom rings just as true in the digital age. Despite our best efforts, it can take only one (or a few) bad actors or threats to degrade and crash an instance, bringing work to a grinding halt.

This reality presents a universal challenge for modern-day enterprises. As a company scales, the number of REST API requests and other CPU-intensive actions naturally rises, significantly increasing the likelihood of an incident, which impacts the entire (growing) organization.

With its clustered architecture and failover capabilities, stability, performance, and scale have always been core tenants of Data Center’s offering. And now, we’re expanding on this offering with self-protection capabilities for Data Center, including rate limiting for Jira Software, Jira Service Desk, Confluence, and Bitbucket, and external process pool for Confluence. Mission-critical tools can now be made safer from threats and bad actors (malicious or not), keeping your organization up and running.

REST assured with self-protection

There are a variety of threats and actions that can impact an instance, but one of the most common offenders is CPU spikes. While we can’t protect against every instigator, rate limiting will solve for HTTP REST API requests and flooding – a known bad actor. Additionally, external process pool for Confluence will target a particular set of memory- or CPU-intensive actions.

Self-protection will prevent several causes of performance degradation and outages:

  • REST APIs being called too frequently
  • REST APIs that return large amounts of data in a single call (which are already heavy) being called too frequently
  • Poorly written scripts or external automation that call APIs too frequently or don’t cache data
  • Thumbnail generation, file previews, and PDF exports for Confluence (external process pool)

While there will always be vulnerabilities to your instance, with self-protection capabilities you can rest assured that REST API issues won’t be one of them.

token bucket diagram

How we’re keeping your instance safe

Protect your Bitbucket Data Center instance from abuse with rate limiting

Utilizing the token bucket algorithm, rate limiting allows you to control the rate of incoming and outgoing HTTP traffic, preventing API flooding. Each user is given a full token bucket (unique to the user), and every time they make an HTTP request, one token is removed from their bucket. Over a period of time, new tokens accumulate at a constant rate (the token bucket refill rate) until the bucket is full again. Admins can set global and custom (user-by-user) thresholds for the numbers of requests allowed in a specific time frame. Requests will only be granted if a user has enough tokens in their bucket.

External process pool minimizes the impact of particular known memory or CPU intensive actions (like thumbnail generation, file previews, and PDF exports) by handling them in a separate pool of processes, managed by Confluence. These processes (also known as sandboxes) can crash or be terminated and will be restarted automatically by Confluence without affecting the Confluence users or the application itself. Like rate limiting, external process pool offers custom configurations, which allow administrators to change the size of the pool and the amount of memory a process can consume.

The benefits of self-protection

Rate limiting is a powerful and robust feature offering a lot more value than just controlling the rate of traffic.

  • Visibility and insights: Knowledge is power, and with it, admins can shift from constantly being in fire-fighting mode to being a strategic partner. With the ability to see who is being rate limited, how many times requests are being limited, and when a user was last limited, admins can drive a better experience for the entire user base by identifying trends and coaching repeat offenders.
  • Security and control: Rate limiting adds a level of security and control to an organization’s instance that was previously not available. With custom configurations, admins can optimize user experience based on individual needs, or simply add users to an allow-list, bypassing all restrictions. Jira and Confluence offer a block-listing capability to prevent certain users from acting at all for security purposes.
  • Stability and performance: Both rate limiting and external process pool provide enterprises a more stable, reliant, and performant application by regulating CPU volume. Additionally, both features were designed to have a negligible effect on the performance of your system.

Protected instances lead to happy enterprises

The importance of protecting your application grows exponentially as your enterprise scales, and with self-protection capabilities, many worst-case incidents can be avoided. Whether users are rate limited from the start or run in a separate process pool, prevented downtime benefits everyone. End users are free to do the work they need and admins can focus on optimizing the instance, while business leaders can feel secure in their tools without worrying about impacted revenue from downtime.

. . .

For more on self-protection capabilities for Data Center, watch our free webinar, “How to protect your Data Center instance from threats.”

Self-protection capabilities for Jira Software, Jira Service Management, Bitbucket, and Confluence Data Center