Rate Limiting

Last updated: 2026-03-25 16:14:35

Rate Limiting identifies clients with excessively high request rates and carries out pre-defined actions against them. Typical use cases are as follows:

  • Restrict the access of clients to specific website resources.
  • Mitigate DDoS attacks or Bot traffic.

Steps:

  1. Log in to the Console and find the security product in use under Subscribed Products.
  2. Go to Security Settings > Policies.
  3. Find the hostname for security policy configuration, and click Announcement on the Optimization and Upgrade of the Default Block Page for Security Products.
  4. Go to the Rate Limiting tab. If this policy is off, turn it on.

Create a Rate Limiting rule

  • Switch to Rate Limiting from the Security Settings page.
  • On the Rate Limiting tab, click Create.
  • In Rule Name, enter a name without any special character or space.
  • If needed, enter a Description.
  • Select the Protected Target. If you want to configure custom rules for a defined API, select API; otherwise, select Website.
  • Configure at least one match condition. For details of the supported match conditions, refer to Match Conditions. Multiple match conditions are combined with a logical AND.
  • In Statistical Dimensions, select the type of requests you want to tally:
    • Client IP
    • User-Agent
    • Cookie
    • Request Header
    • URL
  • In Trigger Condition, enter the counting period (in seconds) and the request rate threshold.
  • Click Confirm to save the changes.
  • Click Publish Changes to make the configuration take effect.

Example

Below is an example of a Rate Limiting rule:

  • Client Identifier: IP + Cookie (requests sharing the same IP and the same Cookie are identified as the same client)
  • URL: http://www.test.com/test.html
  • Triggering Threshold: 10 requests per 60-second window
  • Action: Block the client for 600 seconds
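
The following Python sketch is an added example, not part of the product or its documentation. It replays constructed request records through the example rule above so you can check a threshold before publishing it. It assumes a fixed window that opens at a client's first counted request, that the action fires on the request exceeding the threshold, and that the block applies to requests matching the rule; the function names and sample data are hypothetical.

```python
from collections import defaultdict

# Rule values taken from the example rule on this page.
RULE = {"url": "http://www.test.com/test.html",
        "threshold": 10, "period": 60, "block_for": 600}

def evaluate(requests, rule=RULE):
    """Replay (timestamp, ip, cookie, url) tuples; return (ts, ip, cookie, verdict).

    Assumed semantics (not stated on the page): fixed window per client,
    block triggered by the request that exceeds the threshold.
    """
    window_start, blocked_until = {}, {}
    count = defaultdict(int)
    verdicts = []
    for ts, ip, cookie, url in sorted(requests):
        client = (ip, cookie)            # client identifier: IP + Cookie
        verdict = "pass"
        if url == rule["url"]:           # only matching requests are counted
            if blocked_until.get(client, 0) > ts:
                verdict = "block"        # still inside the block period
            else:
                start = window_start.get(client)
                if start is None or ts - start >= rule["period"]:
                    window_start[client] = ts   # open a new counting window
                    count[client] = 0
                count[client] += 1
                if count[client] > rule["threshold"]:
                    blocked_until[client] = ts + rule["block_for"]
                    verdict = "block"
        verdicts.append((ts, ip, cookie, verdict))
    return verdicts

def first_block(verdicts):
    """Map each blocked client to the timestamp of its first blocked request."""
    result = {}
    for ts, ip, cookie, verdict in verdicts:
        if verdict == "block":
            result.setdefault((ip, cookie), ts)
    return result

def sample_requests():
    """Constructed traffic: two sessions behind one IP (documentation range)."""
    url, ip = RULE["url"], "203.0.113.10"
    burst = [(t, ip, "sid=a", url) for t in range(0, 24, 2)]   # 12 requests in 22 s
    normal = [(t, ip, "sid=b", url) for t in range(1, 10, 2)]  # 5 requests
    later = [(700, ip, "sid=a", url)]                          # after the block expires
    return burst + normal + later

if __name__ == "__main__":
    for row in evaluate(sample_requests()):
        print(row)
```

Because the client identifier is IP + Cookie, the second session behind the same IP is counted separately and is not blocked along with the first.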