On September 20, 2018 we launched a new rate limitation engine for StackPath WAF which is now available for all WAF customers. The rate limitation engine allows customers to rate limit traffic based on the number of requests per a defined time interval per IP, configure rules for a specific URL (regex is optional), and whitelist specific HTTP methods.
Rate limitation rules are considered “WAF Custom Rules” and are included in our packages. The number of rules varies based on the packaged selected. Rate limitation requests are counted as “WAF Requests”. Details about the number of WAF Custom Rules and WAF Requests per month included in every package can be found on the pricing page.
There are a number of scenarios in which a rate limitation rule can help you protect your online application. Here are three examples:
Rate limitation can be used to block malicious traffic. By doing so, you can improve performance and reduce the infrastructure needed to support your APIs.
Brute Force Attempts
Customers who used rate limitation rules to protect their login and signup pages reported a significant reduction in the number of false logins attempts and fake signups.
Block Malicious Traffic
Several of our existing WAF policies are based on the rate limitation engine which is now available to any WAF customer. We are using the same rate limitation capabilities to successfully block malicious traffic from reaching the thousands of WAF protected sites already on our network.
Full details about rules that were triggered is available under the WAF overview page. Every time a rule threshold is met a security event is created with details about the request that triggered the rule. This useful information provides you the data you need to make better decisions about the security configuration of your online application.
Creating rate limitation rules
Full details about creating a rate limitation rule are available in our Help Center.
In the coming weeks we’re adding new capabilities that will make the rate limitation and WAF custom rules even more powerful.
- Custom response code: The ability to configure a specific response code for the WAF block action (current block action returns 403 by default).
- Time Based Actions: Configure a time frame on which a user will be blocked from accessing your application when a security rule is met. This will allow you to have more control over who accesses your application.
Do you have additional feature requests? We’re eager to hear them. Please provide your feedback in the StackPath portal here.