Rate limits protect web applications from clients making excessive requests. Peakhour.IO supports rate limits with flexible controls for selecting which clients are limited and which type of limit applies.
What kinds of attacks are stopped by rate limiting?
Rate limiting mainly stops the following attack patterns:
- Brute force and enumeration attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- Site scraping
- Vulnerability scanners
What else can rate limiting protect?
Public APIs and authenticated APIs can be abused or misused. Sensible rate limit policies on these endpoints can reduce attack traffic and help maintain service availability. Rate limiting can help with:
- APIs
- Overzealous 'good bots'
How does it work?
Rate limiting focuses on a connecting client and their IP address. The following measures can be used to track client requests for rate limiting:
- Concurrent connections
- Connections per interval
- Hits per interval
- HTTP 4xx responses per interval
- HTTP 5xx responses per interval
- Custom criteria
How granular can rate limiting be?
Using wirefilter rules, rate limiting can identify clients from both the HTTP request and response, allowing rate limits to be separated by endpoint or behaviour. For example, the URL /api can be rate limited separately from the /login endpoint. Rate limits can also be set on response codes; for example, the endpoint /search can be protected from scraping by rate limiting clients with excessive 4xx response codes.
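The per-endpoint and response-code limits described above, sketched as a generic sliding-window limiter. This is an added example, not Peakhour's implementation or its wirefilter rule syntax; the policy table, thresholds and class name are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Hypothetical policies: (path prefix, counted event, max events, window seconds).
POLICIES = [
    ("/login", "hit", 5, 60),    # tight limit: brute force and enumeration
    ("/api", "hit", 100, 60),    # looser limit for API consumers
    ("/search", "4xx", 10, 60),  # counts client errors, not raw hits
]

class RateLimiter:
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.events = defaultdict(deque)  # (ip, prefix, kind) -> timestamps

    def _policy(self, path):
        path = path.split("?", 1)[0]  # match on the path, ignore the query string
        for pol in self.policies:
            if path == pol[0] or path.startswith(pol[0] + "/"):
                return pol
        return None

    def _count(self, key, window, now):
        q = self.events[key]
        while q and q[0] <= now - window:  # drop events outside the window
            q.popleft()
        return len(q)

    def allow(self, ip, path, now=None):
        """Call before serving a request; returns False when the client is limited."""
        now = time.monotonic() if now is None else now
        pol = self._policy(path)
        if pol is None:
            return True  # no policy covers this path
        prefix, kind, limit, window = pol
        key = (ip, prefix, kind)
        if self._count(key, window, now) >= limit:
            return False
        if kind == "hit":
            self.events[key].append(now)  # only allowed hits are counted
        return True

    def record_response(self, ip, path, status, now=None):
        """Call after the response is known; feeds response-code based limits."""
        now = time.monotonic() if now is None else now
        pol = self._policy(path)
        if pol and pol[1] == "4xx" and 400 <= status < 500:
            self.events[(ip, pol[0], "4xx")].append(now)
```

Each client's counters are keyed by IP and policy, so exhausting the /login limit does not affect the same client's /api budget, and a client browsing /search normally is never limited because only its 4xx responses are counted.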
What types of criteria can be used to define rate limits?
Rate limits can include any information defined in an HTTP request and response, including:
- IP address
- URL
- Query string
- Headers
- Response codes
- GeoIP information such as ASN or country code
- Parsed user agent information allowing different rules for search engines vs generic 'bots'
- Metadata we make available from our bot protection service
Defining your rate limits
Picking sensible rate limits is difficult without adequate analytics on how the web application is typically used. The Peakhour dashboard includes rate-based analytics to help with setup.

Peakhour's Application Security Platform combines high-performance CDN capabilities with security controls for applications and APIs. It maintains caching performance while applying advanced threat protection. Contact our team to discuss how rate limiting can improve application performance and security posture.