In this recurring blog series, we discuss one of the countermeasures in UltraWAF, our Web Application Firewall and Bot Management solution.
If you’re not using UltraWAF and want to get protection for your online presence, get in touch with us via the “Speak to Sales” button on our website.
Our countermeasure of the month is Rate Limiting. It is part of the Bot Profile under the Protections tab, but it is also useful for protecting a website against HTTP GET floods, credential stuffing, and other web application attacks that have a volume component.
Rate Limiting can be performed across the entire site (keyed on Source_IP), across a specific URL, or against a specific session identified by a cookie name. Each rate control specifies a threshold, in number of HTTP requests, and an accounting period, measured in milliseconds (so a 3-second window is entered as 3000). A client that exceeds the threshold within the accounting period trips the control.
In this example, we have 3 rate controls configured:
- A sitewide rate control set at 200 requests in 3 seconds to stop application-layer DDoS attacks.
- A session rate control against the _gid cookie set at 450 requests in 60 seconds to block site scrapers, vulnerability scanners, and other busy clients. It is also possible to send an HTTP 429 response to scrapers using a Responder Policy. Note that the client decides whether to send the cookie: a request that omits or rotates _gid is not counted by this control, which is why the sitewide and URL-specific controls below still apply to it.
- A URL-specific rate control on /wp-login.php set at 10 requests in 10 seconds to stop credential stuffing or other attacks against the login page. By scoping the rate control to just one page, it is possible to set a much lower threshold and accounting period than would be safe sitewide.
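To make the three scopes concrete, here is a small sliding-window rate limiter that replays constructed traffic through the same three controls. This is an added example, not UltraWAF code or its configuration syntax: it assumes a sliding window over the accounting period, that every in-scope request is counted whether or not it is dropped, and a made-up log line format of `timestamp_ms ip method path cookies`. The client IPs, cookie value, and timings are constructed for the example.

```python
from collections import defaultdict, deque

# The three rate controls from the post: (name, scope, selector, max_requests, period_ms).
# "source_ip" keys on the client IP, "url" keys on client IP + exact path (only for
# requests to that path), "cookie" keys on the value of the named cookie.
CONTROLS = [
    ("sitewide", "source_ip", None, 200, 3000),
    ("session", "cookie", "_gid", 450, 60000),
    ("login", "url", "/wp-login.php", 10, 10000),
]


def control_key(control, req):
    """Return the bucket key this request falls into for a control, or None if out of scope."""
    name, scope, selector, _, _ = control
    if scope == "source_ip":
        return (name, req["ip"])
    if scope == "url":
        return (name, req["ip"], req["path"]) if req["path"] == selector else None
    if scope == "cookie":
        value = req["cookies"].get(selector)
        # A request without the cookie is invisible to a cookie-keyed control.
        return (name, value) if value else None
    raise ValueError(f"unknown scope {scope!r}")


class RateLimiter:
    """Sliding-window limiter: a request is dropped when any in-scope control already
    holds max_requests timestamps within the last period_ms milliseconds."""

    def __init__(self, controls):
        self.controls = controls
        self.windows = defaultdict(deque)  # key -> timestamps (ms) of counted requests

    def check(self, req):
        """Return (allowed, name of the first control tripped or None)."""
        tripped = None
        in_scope = []
        for control in self.controls:
            key = control_key(control, req)
            if key is None:
                continue
            window = self.windows[key]
            limit, period_ms = control[3], control[4]
            # Evict timestamps that have fallen out of the accounting period.
            while window and req["ts"] - window[0] >= period_ms:
                window.popleft()
            if tripped is None and len(window) >= limit:
                tripped = control[0]
            in_scope.append(window)
        # Assumption: dropped requests still count, so a client being limited on one
        # control keeps accumulating against the others.
        for window in in_scope:
            window.append(req["ts"])
        return tripped is None, tripped


def replay(lines, controls=CONTROLS):
    """Parse constructed log lines 'ts_ms ip method path cookie=val; ...' and return one
    (line_number, allowed, tripped_control) tuple per request."""
    limiter = RateLimiter(controls)
    decisions = []
    for n, line in enumerate(lines, 1):
        ts, ip, _method, path, cookie_str = (line.split(maxsplit=4) + [""])[:5]
        cookies = dict(c.strip().split("=", 1) for c in cookie_str.split(";") if "=" in c)
        allowed, tripped = limiter.check(
            {"ts": int(ts), "ip": ip, "path": path, "cookies": cookies})
        decisions.append((n, allowed, tripped))
    return decisions


# Constructed sample traffic (not real logs): one client posts to the login page every
# 800 ms, a second client makes a single cookie-less login request, and the first client
# comes back once its window has partly expired.
SAMPLE_LOG = [f"{i * 800} 203.0.113.5 POST /wp-login.php _gid=GA1.2.111.222" for i in range(12)]
SAMPLE_LOG += [
    "9000 198.51.100.9 POST /wp-login.php",
    "12000 203.0.113.5 POST /wp-login.php _gid=GA1.2.111.222",
]

if __name__ == "__main__":
    for n, allowed, tripped in replay(SAMPLE_LOG):
        print(f"line {n:2d}: {'allow' if allowed else 'DROP (' + tripped + ')'}")
```

Requests 1 to 10 from the first client pass, 11 and 12 are dropped by the `login` control, the second client is unaffected because the URL control is keyed per source IP, and the first client's request at 12000 ms passes again once enough of its earlier timestamps have aged out of the 10-second window. The cookie-less request never touches the `session` bucket, which is the point of the caveat above.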
To learn more about our UltraWAF solution, please visit our product page.