This tutorial covers advanced use cases for Peakhour.IO.
This use case demonstrates how to use the Rate Limit Request and Rate Limit Response phases to limit requests based on the origin server's response.
Set up a rate limit zone for failed logins in the Rate Limit Request phase:
Wirefilter:
http.request.uri.path == "/login"
Configuration:
rate_limit.add_zone:
  zone: "login_attempts"
  key:
    - type: "ip"
In the Rate Limit Response phase, check for a failed login response and add the client to a more restrictive zone:
Wirefilter:
http.request.uri.path == "/login" and http.response.code == 401
Configuration:
rate_limit.add_zone:
  zone: "failed_logins"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "failed_logins"
  action:
    type: "block"
    status_code: 429
This configuration creates two rate limit zones: one for all login attempts and another for failed logins.
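The two-phase logic above, modelled in Python as an added example (this is not Peakhour's implementation or code from the original page). The `Zone` and `Edge` classes, the stand-in `origin`, the limits, the 60-second window, the "count greater than limit" comparison and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class Zone:
    """Sliding-window counter per key; limit and window are assumed values."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def add(self, key, now):
        self.hits[key].append(now)

    def exceeded(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop entries outside the window
            q.popleft()
        return len(q) > self.limit

def origin(path, password):
    """Constructed stand-in for the origin's login handler."""
    if path != "/login":
        return 200
    return 200 if password == "correct-horse" else 401

class Edge:
    def __init__(self, failed_limit=3, window=60):
        self.login_attempts = Zone(limit=20, window=window)
        self.failed_logins = Zone(limit=failed_limit, window=window)

    def handle(self, ip, path, password, now):
        # Rate Limit Request phase: every /login request is counted.
        if path == "/login":
            self.login_attempts.add(ip, now)
        status = origin(path, password)
        # Rate Limit Response phase: only a 401 from /login touches failed_logins.
        if path == "/login" and status == 401:
            self.failed_logins.add(ip, now)
            if self.failed_logins.exceeded(ip, now):
                return 429  # the "block" action replaces the origin's 401
        return status

def replay(events):
    """Run constructed (time, ip, password) login events through one Edge."""
    edge = Edge()
    return [edge.handle(ip, "/login", pw, t) for t, ip, pw in events]

# Constructed traffic: a guessing client, a legitimate user, a retry after the window.
EVENTS = [(0, "203.0.113.7", "a"), (1, "203.0.113.7", "b"), (2, "203.0.113.7", "c"),
          (3, "203.0.113.7", "d"), (4, "198.51.100.9", "correct-horse"),
          (70, "203.0.113.7", "e")]

if __name__ == "__main__":
    print(replay(EVENTS))
```

Because the zone key is the client IP, users who share one address (for example behind NAT) also share one `failed_logins` counter.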
Rate limit clients that generate too many 404 errors:
Wirefilter:
http.response.code == 404
Configuration:
rate_limit.add_zone:
  zone: "not_found_errors"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "not_found_errors"
  action:
    type: "challenge"
    status_code: 403
This configuration challenges clients that generate an excessive number of 404 errors.
Protect your login page from automated attacks:
Wirefilter:
http.request.uri.path == "/login" and not bot.verified
Configuration:
firewall.challenge:
  reason: "Bot verification required for login"
This configuration challenges unverified bots attempting to access the login page.
Add security to your API endpoints:
Wirefilter:
starts_with(http.request.uri.path, "/api/") and not (fingerprint.tls in $allowed_tls_fingerprints)
Configuration:
firewall.deny:
  reason: "Unauthorised API access attempt"
This configuration blocks API access attempts from clients with unrecognised TLS fingerprints. Create a rule list named allowed_tls_fingerprints with the TLS fingerprints of your authorised clients.
Protect against potential abuse from data centre IP ranges:
Wirefilter:
ip.geoip.asnum in $data_centre_asns
Configuration:
firewall.challenge:
  reason: "Verification required for data centre IP"
This configuration challenges requests originating from known data centre IP ranges. Create a rule list named data_centre_asns with the ASNs of major data centres.