Rate Rules

A rate rule restricts the flow of site traffic with the intention of:

Requests that exceed the rate limit may be dropped, redirected to another URL, or sent a custom response. The type of enforcement action that will take place is determined by the Security Application Manager configuration that leverages it.

How Does It Work?

A rate rule restricts the rate of traffic that may be directed to one or more web sites. HTTP/HTTPS requests that exceed a rate rule will not be honored.

Key information:

Configuration

Setting up a rate rule involves determining how requests are grouped and defining a rate limit. You may also specify additional criteria to identify the set of requests to which this rate rule will be applied.

Category Description

Source

Apply a rate limit:

  • Indiscriminately across all requests.
  • To each unique client that exceeds the defined rate limit.

    A unique client may be identified by its user agent and/or IP address.

Rate Limit

Define a maximum request rate before a predefined action is triggered.

Condition Group

A request counts towards a rate limit when it satisfies all of the following criteria:

  • A Security Application Manager configuration's hostname and URL path match conditions.
  • If one or more condition group(s) have been defined, then the request must also satisfy all of the conditions defined within at least one condition group.

    Each condition identifies the type of requests that are eligible for rate limiting by URL path, request headers, IP address, file extension, and/or request method.

Action

A Security Application Manager configuration determines the type of action that will be applied to requests that exceed the above rate limit.

Source

Rate limiting may be applied across all requests or to each unique client. Define this behavior from within the Apply rate limit to option. The available modes are described below.

Mode Description

Any request

Indicates that all requests will count towards the rate limit. Once the specified rate limit is exceeded, it will be enforced without taking into consideration which client submitted the request.

This mode is not recommended when there are malicious clients that are spoofing legitimate traffic. This type of configuration may potentially lead to a situation where spoofed traffic is honored while legitimate traffic is rate limited.

IP address

Indicates that the requests from each unique client, as determined by its IP address, will be tracked. The specified rate limit will only be enforced on the clients that exceed it.

IP address and user agent

Indicates that the requests from each unique client, as determined by each unique combination of IP address and user agent (e.g., web browser), will be tracked. The specified rate limit will only be enforced on the clients that exceed it.

A user agent refers to software that acts on behalf of a user. For example, a web browser (e.g., Firefox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link).

All requests from a specific IP address that contain a blank or missing User-Agent header will be treated as a single client.

Rate Limit

The maximum rate at which requests will be honored before a predefined action is applied to them is known as the rate limit. A rate limit defines the number of requests over a given time period (e.g., 5 seconds, 10 seconds, or 1 minute). Define the desired rate limit via the Rate limit option.

Key information:

Condition Group

A condition group defines one or more prerequisites that must be met before a request will count towards the rate limit.

A request will only count towards the rate limit when it satisfies the host and URL path match conditions defined within a Security Application Manager configuration. Additionally, if one or more condition group(s) have been defined, then the request must also satisfy all of the conditions defined within at least one condition group.

The types of prerequisites that may be defined are described below.

Type Description

ASN

A request will count towards the rate limit when it originates from an autonomous system (AS) whose number (ASN) matches a value defined in the Value(s) option.

Example:

15133

Country

A request will count towards the rate limit when it originates from a country whose code matches a value defined in the Value(s) option.


File extension

A request will count towards the rate limit when the filename of the requested content contains a file extension that matches a value defined in the Value(s) option.

Syntax:

.FileExtension

Example:

.htm

IP address

A request will count towards the rate limit when its IP address matches a value defined in the Value(s) option.

Make sure to use standard IPv4 and CIDR notation.

Specify a subnet by appending a slash (/) and the desired bit-length of the prefix (e.g., 11.22.33.0/22).

Request header

A request will count towards the rate limit when the value corresponding to the specified request header is an exact case-sensitive match for the one defined in the Value(s) option.

This condition supports the following request headers:

  • Host
  • User-Agent
  • Referer

Host

A request will count towards the rate limit when its Host header matches the specified hostname or IP address.

Syntax:

  • Host
  • Host:Port

Key information:

  • The entire Host header value will be compared against the specified value.
  • The CDN only accepts HTTP/HTTPS requests on standard ports (i.e., 80 and 443). Typically, a Host request header does not include port information for standard ports. However, the requesting user agent defines the Host request header submitted to the CDN.
  • For the purpose of this comparison, the hostname defined by this match condition will not be resolved to an IP address.
  • For the purpose of this comparison, a customer origin's HTTP Host Header option is irrelevant.

User-Agent

A request will count towards the rate limit when its User-Agent header matches the specified user agent.

The request's user agent must be an exact match to the specified value. User agent strings typically vary by type and version.

Specify a blank value to match with requests that have a blank or missing User-Agent header.

Referer

A request will count towards the rate limit when its Referer header matches the specified referrer.

The request's referrer must be an exact match to the specified value.

Request method

A request will count towards the rate limit when the request's HTTP method matches a value defined in the Value(s) option. Valid values are:

GET | POST | PUT | HEAD | DELETE | OPTIONS

Request URL path

A request will count towards the rate limit when its request URL contains a relative path that matches a value defined in the Value(s) option.

For the purposes of this option, specify a URL path pattern that starts directly after the hostname. Do not include a protocol or a hostname.

Sample values:

/marketing
/800001/mycustomerorigin

This type of match condition requires a Host condition within the same condition group.

Syntax:

/path/asset

Example:

/marketing/brochures/widget.htm

A partial match does not count towards the rate limit. For example, given the above sample configuration, the following request would not count towards the rate limit: http://cdn.example.com/marketing/brochures/widget.html.

Key information:

Multiple Rate Rules

You may define multiple rate rules within a Security Application Manager configuration. This type of setup provides greater control when determining how requests will be rate limited.

Common use cases for multiple rules:

Rule Order

The order in which rules are listed is critical, since it determines which rule will be applied to a request.

It is recommended to order rules according to how they identify requests. Stricter rules that identify requests using multiple conditions should be placed closer to the top of the list, while catch-all rules should be placed closer to the bottom. This ensures that rules are applied to requests as intended.
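The following simulation ties together the Source modes, the Rate Limit, the Condition Group semantics (all conditions within a group must match, at least one group must match) and the rule-ordering advice above. It is an added example written for this page, not the CDN's own code, and it models only the rate rule itself: the Security Application Manager's hostname and URL path match conditions, and the enforcement action, are outside its scope. The request dictionary layout, the fixed-window counting and the "pattern found anywhere" behaviour for regular expressions are assumptions; all addresses and requests are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Condition:
    """One condition inside a condition group (see the Condition Group table)."""
    match_by: str              # "ip", "header", "method", "path", "ext", "asn" or "country"
    values: list               # exact values, or one regex pattern when regex=True
    header_name: str = ""      # only used when match_by == "header"
    regex: bool = False
    case_sensitive: bool = True
    negative: bool = False     # the page's "Negative match" option

    def _subject(self, req):
        """Pull the request attribute this condition inspects (request layout is an assumption)."""
        if self.match_by == "header":
            return req["headers"].get(self.header_name, "")
        if self.match_by == "ext":
            path = req["path"]
            return path[path.rfind("."):] if "." in path else ""
        return str(req.get(self.match_by, ""))   # ip, method, path, asn, country

    def matches(self, req):
        subject = self._subject(req)
        if self.match_by == "ip":
            # Single IPv4 address or CIDR block, as the page requires.
            addr = ipaddress.ip_address(subject)
            hit = any(addr in ipaddress.ip_network(v, strict=False) for v in self.values)
        elif self.regex:
            # Assumption: a regex condition is satisfied when the pattern is found anywhere.
            flags = 0 if self.case_sensitive else re.IGNORECASE
            hit = re.search(self.values[0], subject, flags) is not None
        else:
            # Exact match only; a partial path match does not count (widget.html vs widget.htm).
            norm = (lambda s: s) if self.case_sensitive else str.lower
            hit = norm(subject) in {norm(v) for v in self.values}
        return hit != self.negative


@dataclass
class RateRule:
    name: str
    apply_to: str              # "any", "ip" or "ip_ua": the page's three Source modes
    limit: int                 # maximum requests per window
    window: int                # window length in seconds
    groups: list = field(default_factory=list)   # condition groups, each a list of Condition
    counts: dict = field(default_factory=dict)   # (client key, window index) -> request count

    def applies(self, req):
        """AND within a group, OR across groups; with no groups every request qualifies."""
        return not self.groups or any(all(c.matches(req) for c in g) for g in self.groups)

    def client_key(self, req):
        if self.apply_to == "any":
            return "*"                                   # one shared counter for everyone
        if self.apply_to == "ip":
            return req["ip"]
        # Blank and missing User-Agent headers collapse into one client per IP, as the page states.
        return (req["ip"], req["headers"].get("User-Agent", ""))

    def observe(self, req, ts):
        """Count the request in a fixed window (assumed); True once this client is over the limit."""
        key = (self.client_key(req), ts // self.window)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] > self.limit


def enforce(rules, req, ts):
    """Rules are evaluated in list order; the first whose condition groups match handles the request."""
    for rule in rules:
        if rule.applies(req):
            return rule.name, rule.observe(req, ts)
    return None, False


def run_demo():
    """Constructed scenario: a strict login rule placed ahead of a catch-all, per the ordering advice."""
    rules = [
        RateRule("login-post", "ip", limit=3, window=10, groups=[[
            Condition("method", ["POST"]),
            Condition("path", ["/login"]),
            Condition("header", ["cdn.example.com"], header_name="Host"),
        ]]),
        RateRule("catch-all", "ip_ua", limit=2, window=10),
    ]

    def req(ip, method, path, ua=None):
        headers = {"Host": "cdn.example.com"}
        if ua is not None:
            headers["User-Agent"] = ua
        return {"ip": ip, "method": method, "path": path, "headers": headers}

    results = []
    # Four POST /login from one IP inside one window: the fourth exceeds the limit of 3.
    for ts in range(4):
        results.append(enforce(rules, req("203.0.113.10", "POST", "/login", "Mozilla/5.0"), ts))
    # "/login/reset" is only a partial match for "/login", so it falls through to the catch-all.
    results.append(enforce(rules, req("203.0.113.10", "POST", "/login/reset", "Mozilla/5.0"), 5))
    # Blank and missing User-Agent from one IP share a counter in "IP address and user agent" mode.
    for ts, ua in ((6, ""), (7, None), (8, "")):
        results.append(enforce(rules, req("198.51.100.7", "GET", "/marketing", ua), ts))
    # Reversing the list shows why order matters: the catch-all now swallows the login traffic.
    misordered = enforce(rules[::-1], req("203.0.113.10", "POST", "/login", "Mozilla/5.0"), 20)
    return results, misordered


if __name__ == "__main__":
    for item in run_demo()[0]:
        print(item)
```

Running `run_demo()` shows the fourth login POST flagged by `login-post` while the partial-path request and the blank/missing User-Agent requests are handled by `catch-all`; the final call demonstrates that placing the catch-all first means the stricter rule is never reached.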

Key information:

Rate Rule Administration

You may create, modify, and delete rate rules.

Key information:

To create a rate rule

  1. Navigate to the Rate Rules page (from the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Rate Rules).

  2. Click Add Rate Rule.
  3. In the Rule name option, type the unique name by which this rate rule will be identified. This name should be sufficiently descriptive to identify it when setting up a Security Application Manager configuration.
  4. In the Apply rate limit to option, indicate whether the rate limit should be applied across all requests or to each unique client.
  5. In the Rate limit option, define the maximum rate at which requests may flow to your origin server(s). Define this rate by indicating the maximum number of requests for the selected time interval (e.g., 1 second, 30 seconds, 1 minute, etc.).
  6. Optional. Create a condition group to identify the types of requests that qualify for rate limiting.

    1. Click the + New condition group label.
    2. Optional. Click on its label (e.g., Condition group 1) and then type a brief name that describes the purpose of the condition group.
    3. Select the condition (e.g., Condition 1) to view its properties.
    4. In the Match by option, select the method by which requests will be identified.

      If you set this option to Request header, then you should also select the desired request header from the Request header name option.

    5. Skip this step if you are matching by IP address. Otherwise, in the Match type option, determine whether the Value(s) option will contain one or more exact value(s) or a regular expression.

    6. Perform either of the following steps:

      • Multiple Exact Match: In the Value(s) option, type the value that must be satisfied before a request will count towards the rate rule. Repeat this step as needed. Place each desired value on a separate line.

        Use the Case sensitive option to determine whether a case-sensitive comparison will be performed.

      • Regex: In the Value(s) option, type the desired regular expression pattern.
    7. Choose whether this condition will be satisfied when a request matches or does not match a value defined in the Value(s) option.

      • Matches: Clear the Negative match option.
      • Does Not Match: Mark the Negative match option.
    8. Optional. Add another condition to the current condition group by clicking + New condition and then repeating steps 4 through 7.

      If a condition group has been defined, then a request must satisfy all of the conditions within at least one condition group in order to be eligible for rate limiting.

    9. Optional. Create another condition group by following steps 1 through 8.

      Multiple condition groups provide the means for identifying different types of requests for the purpose of rate limiting.

  7. Click Save.

To modify a rate rule

  1. Navigate to the Rate Rules page (from the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Rate Rules).

  2. Click on the desired rate rule.
  3. Make the desired changes.
  4. Click Save.

To delete a rate rule

You cannot delete a rate rule that is associated with a Security Application Manager configuration. Please either modify the Security Application Manager configuration to point to a different rate rule or delete that Security Application Manager configuration.

  1. Check your Security Application Manager configurations to verify that the desired rate rule is not in use.
  2. Navigate to the Rate Rules page (from the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Rate Rules).

  3. Click Delete rate rule.
  4. Type DELETE.
  5. Click Delete.