On September 20, 2018, we launched a new rate limitation engine for StackPath WAF, which is now available to all WAF customers. The rate limitation engine allows customers to rate limit traffic based on the number of requests per IP within a defined time interval, configure rules for a specific URL (regex is optional), and whitelist specific HTTP methods.
Rate limitation can be used to protect your online application against different types of abusive behavior, such as application layer DDoS attacks, content scraping, brute force attempts, and vulnerability scanning. When a rate limitation rule is met, the challenge configured for that rule is applied. The following challenge types are available: block, Captcha, JavaScript challenge, and monitor.
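The following added example, which is not StackPath's implementation or rule schema, models how a rule of the kind described above could be evaluated: per-IP counting over a time interval, an optional URL regex, whitelisted methods, and a configured action. The class, field names, action strings, the sliding-window counting, and the sample traffic are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class RateLimitRule:
    """Hypothetical rule model; field names are assumptions, not StackPath's schema."""
    limit: int                      # requests allowed per IP inside the window
    window_seconds: float           # length of the time interval
    action: str                     # "block", "captcha", "js_challenge" or "monitor"
    url_pattern: str = ".*"         # regex matched against the whole request path
    exempt_methods: frozenset = frozenset()  # whitelisted HTTP methods
    _hits: dict = field(default_factory=lambda: defaultdict(deque), repr=False)

    def evaluate(self, ip, method, path, now):
        """Return the configured action if this request exceeds the limit, else None."""
        if method.upper() in self.exempt_methods:
            return None             # whitelisted methods are never counted
        if not re.fullmatch(self.url_pattern, path):
            return None             # rule is scoped to matching URLs only
        hits = self._hits[ip]
        # Sliding window (an assumption): drop timestamps older than the interval.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        hits.append(now)
        return self.action if len(hits) > self.limit else None


def replay(rule, requests):
    """Run constructed (time, ip, method, path) tuples through a rule."""
    return [rule.evaluate(ip, method, path, t) for t, ip, method, path in requests]


# Constructed rule and traffic: more than 3 login requests per IP in 10 seconds.
LOGIN_RULE = RateLimitRule(limit=3, window_seconds=10, action="captcha",
                           url_pattern=r"/login(/.*)?", exempt_methods=frozenset({"OPTIONS"}))
SAMPLE = [
    (0.0, "198.51.100.7", "POST", "/login"),
    (1.0, "198.51.100.7", "POST", "/login"),
    (2.0, "198.51.100.7", "POST", "/login"),
    (2.5, "198.51.100.7", "POST", "/login"),      # 4th hit inside 10 s: action applies
    (3.0, "198.51.100.7", "OPTIONS", "/login"),   # whitelisted method, not counted
    (3.5, "203.0.113.9", "POST", "/login"),       # different IP has its own counter
    (4.0, "198.51.100.7", "GET", "/index.html"),  # outside the rule's URL scope
    (13.0, "198.51.100.7", "POST", "/login"),     # earlier hits have aged out
]

if __name__ == "__main__":
    print(replay(LOGIN_RULE, SAMPLE))
```

Running a new rule with the "monitor" action first shows which requests would have been challenged before an enforcing action is chosen.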
Rate limitation rules are considered “WAF Custom Rules” and are included in our packages. The number of rules varies based on the package selected. Rate limitation requests are counted as “WAF Requests”. Details about the number of WAF Custom Rules and WAF Requests per month included in every package can be found on the pricing page.
There are a number of scenarios in which a rate limitation rule can help you protect your online application. Here are three examples:
API Protection
Rate limitation can be used to block malicious traffic. By doing so, you can improve performance and reduce the infrastructure needed to support your APIs.
Brute Force Attempts
Customers who used rate limitation rules to protect their login and signup pages reported a significant reduction in the number of false login attempts and fake signups.
Block Malicious Traffic
Several of our existing WAF policies are based on the rate limitation engine, which is now available to any WAF customer. We are using the same rate limitation capabilities to successfully block malicious traffic from reaching the thousands of WAF-protected sites already on our network.
Full details about rules that were triggered are available on the WAF overview page. Every time a rule threshold is met, a security event is created with details about the request that triggered the rule. This information gives you the data you need to make better decisions about the security configuration of your online application.
Full details about creating a rate limitation rule are available in our Help Center.
In the coming weeks we’re adding new capabilities that will make the rate limitation and WAF custom rules even more powerful.
Do you have additional feature requests? We’re eager to hear them. Please provide your feedback in the StackPath portal here.