Advanced Use Cases for Peakhour.IO
This tutorial covers advanced use cases for Peakhour.IO.
Rate Limiting Based on Origin Server Response
This use case demonstrates how to use the Rate Limit Request and Rate Limit Response phases to limit requests based on the origin server's response.
Failed Login Rate Limiting
Set up a rate limit zone for failed logins in the Rate Limit Request phase:
Wirefilter:
http.request.uri.path == "/login"
Configuration:
rate_limit.add_zone:
  zone: "login_attempts"
  key:
    - type: "ip"
In the Rate Limit Response phase, check for a failed login response and add the client to a more restrictive zone:
Wirefilter:
http.request.uri.path == "/login" and http.response.code == 401
Configuration:
rate_limit.add_zone:
  zone: "failed_logins"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "failed_logins"
  action:
    type: "block"
    status_code: 429
This configuration creates two rate limit zones: one for all login attempts and another for failed logins.
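The response-phase rule above can be modelled offline to see which requests a failed-login zone would block. The following Python sketch is an added example, not Peakhour's code: it replays constructed traffic through a simplified per-IP zone that only counts 401 responses on /login. The limit, window, class and function names are assumptions, since the page does not state thresholds.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed window; the page does not state one
FAILED_LIMIT = 3     # assumed number of failures allowed per window


class FailedLoginLimiter:
    """Simplified model of the "failed_logins" zone, keyed on client IP."""

    def __init__(self, limit=FAILED_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.zone = defaultdict(deque)  # ip -> timestamps of counted 401s

    def handle(self, ip, path, origin_status, now):
        """Return the status the client receives for one request."""
        # The rule's filter: path == "/login" and response code == 401.
        if path != "/login" or origin_status != 401:
            return origin_status  # filter not matched, zone untouched
        hits = self.zone[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop failures that fell out of the window
        hits.append(now)    # add_zone: count this failed login
        # check_zone: over the limit means block with 429.
        return 429 if len(hits) > self.limit else origin_status


def replay(events, limiter=None):
    """Run (timestamp, ip, path, origin_status) events through the model."""
    limiter = limiter or FailedLoginLimiter()
    return [limiter.handle(ip, path, status, ts) for ts, ip, path, status in events]


# Constructed sample traffic (documentation IP ranges), not real logs.
SAMPLE = [
    (0, "198.51.100.7", "/login", 401),
    (1, "203.0.113.9", "/login", 200),   # successful login, never counted
    (2, "198.51.100.7", "/login", 401),
    (3, "198.51.100.7", "/login", 401),
    (4, "198.51.100.7", "/login", 401),  # fourth failure in window: blocked
    (5, "198.51.100.7", "/login", 401),
    (6, "203.0.113.9", "/login", 401),   # other client has its own counter
    (70, "198.51.100.7", "/login", 401), # window expired, counter starts over
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Replaying your own access logs through a model like this is a quick way to pick a limit that blocks repeated failures without catching users who mistype a password once or twice.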
404 Error Rate Limiting
Rate limit clients that generate too many 404 errors:
Wirefilter:
http.response.code == 404
Configuration:
rate_limit.add_zone:
  zone: "not_found_errors"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "not_found_errors"
  action:
    type: "challenge"
    status_code: 403
This configuration challenges clients that generate an excessive number of 404 errors.
Bot Challenges for Login Section
Protect your login page from automated attacks:
Wirefilter:
http.request.uri.path == "/login" and not bot.verified
Configuration:
firewall.challenge:
  reason: "Bot verification required for login"
This configuration challenges unverified bots attempting to access the login page.
Securing API Endpoints with TLS Fingerprinting
Add security to your API endpoints:
Wirefilter:
starts_with(http.request.uri.path, "/api/") and not (fingerprint.tls in $allowed_tls_fingerprints)
Configuration:
firewall.deny:
  reason: "Unauthorised API access attempt"
This configuration blocks API access attempts from clients with unrecognised TLS fingerprints. Create a rule list named allowed_tls_fingerprints with the TLS fingerprints of your authorised clients.
Challenging Requests from Data Centres
Protect against potential abuse from data centre IP ranges:
Wirefilter:
ip.geoip.asnum in $data_centre_asns
Configuration:
firewall.challenge:
  reason: "Verification required for data centre IP"
This configuration challenges requests originating from known data centre IP ranges. Create a rule list named data_centre_asns with the ASNs of major data centres.