AC
AC
2 min read

Rate limiting

Rate limits protect web applications from clients performing excessive requests. Peakhour.IO fully supports rate limits with sophisticated methods for selecting clients to rate limit and the types of rate limits that may be employed.

What kinds of attacks are stopped by rate limiting

When protecting an application using rate limiting, several types of attacks are considered:

  • Brute force and enumeration attacks
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Site scraping
  • Vulnerability Scanners

What else can rate limiting protect

Public APIs and authenticated APIs can be subject to both abuse or miss use. Sensible rate limit policies can be applied on these endpoints to prevent both attack and maintain service availability. Rate limiting can protect:

  • APIs
  • Overzealous 'good bots'

How does it work?

Rate limiting focuses on a connecting client and their IP address. The following measures are available for tracking client requests for rate limiting:

  • Concurrent connections
  • Connections per interval
  • Hits per interval
  • HTTP 4xx responses per interval
  • HTTP 5xx responses per interval
  • Custom criteria

How granular can rate limiting be?

Through the use of wirefilter rules, rate limiting can identify clients using both the HTTP request and response and allows segregation of rate limits. For example the URL /api can be rate limited separately to the /login endpoint. Rate limits can be set on response codes, for example the endpoint /search can be protected from scraping by rate limiting clients with excessive 4xx response codes.

What types of criteria can be used to define rate limits?

Rate limits can include any information defined in a HTTP request and response, including:

  • IP address
  • URL
  • Query string
  • Headers
  • Response codes
  • GeoIP information such as ASN or country code
  • Parsed user agent information allowing differing rules for search engines vs generic 'bots'
  • Various meta information we make available from our BOT protection service

Defining your rate limits

Picking sensible rate limits can be difficult without adequate analytics as to how the web application is typically used. The Peakhour dashboard includes rate based analytics to help with set up.

If you need help protecting and securing your website and rate limiting seems like something you need to do, reach out to see how we can help.

© PEAKHOUR.IO PTY LTD 2024   ABN 76 619 930 826    All rights reserved.