Rate Limiting

Rate limiting is a crucial aspect of web application security. It helps prevent various types of attacks such as brute force and enumeration attacks, Denial of Service (DoS) and Distributed Denial of Service (DDoS), and site scraping. This technique is designed to restrict access to resources for clients that generate excessive requests.

Peakhour.IO provides a sophisticated solution for rate limiting, offering a variety of methods for selecting clients to rate limit and the types of rate limits that can be applied. You can enhance your rate limiting configurations by using rule lists to manage sets of IP addresses, ASNs, or other criteria.

Understanding Rate Limit Zones

For more advanced and stateful rate limiting, Peakhour uses Rate Limit Zones. A zone is a named, stateful counter that tracks request rates for specific segments of traffic. Each zone has its own configurable request threshold, time interval, and block duration, allowing for highly granular control.

Unlike simple, stateless rate limits, zones allow you to build sophisticated, multi-stage logic that can react to client behavior over time. This is achieved by using different rule phases to interact with a zone's counter.

By using zones, you can:

  • Create granular policies: Apply different limits to different parts of your site (e.g., stricter limits for login pages vs. general browsing).
  • Track behavior separately: Use one zone to count all API requests, and a second, more restrictive zone to count only API requests that result in an error.
  • Build multi-stage logic: A client can be added to a zone in one phase (e.g., rate_limit_response for a failed login) and then checked against that zone in a subsequent request (in the rate_limit_request phase). This allows you to create policies that respond to a client's previous actions.
  • Key on different attributes: Zones can track clients based on a variety of attributes, providing flexibility for different applications. Available key types include:
    • IP address (ip)
    • Country (country)
    • ASN (asn)
    • HTTP Header (header)
    • Cookie (cookie)
    • TLS Fingerprint (fingerprint_tls)
    • HTTP/2 Fingerprint (fingerprint_h2)

Zones are managed in the Rate Limiting section of the dashboard and are applied using the add_zone and check_zone actions within the Rules Engine. For a detailed guide, see How to Configure Rate Limit Zones.

Note: Peakhour provides two ways to implement rate limiting:

  1. Using Rule Phases: The rate_limit_request, rate_limit_request_late, and rate_limit_response phases provide the most flexibility, allowing for complex, multi-stage logic using add_zone and check_zone actions. This is the recommended approach for most use cases.
  2. Using URL Configuration: The url_config phase can apply a simple rate limit zone to matching traffic using the vconf.set action. This method is less flexible but can be useful for simple cases.
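To make the multi-stage zone logic concrete, the following is an added, self-contained model written for this page; it is not Peakhour's implementation and does not use wirefilter syntax. It assumes a zone keyed on ip with threshold 5, interval 60 s and block duration 300 s, counts failed logins (HTTP 401) in the response phase via add_zone, and enforces the block on later requests in the request phase via check_zone; the client addresses and timestamps are constructed sample data.

```python
from collections import defaultdict, deque


class RateLimitZone:
    """Model of a stateful zone: `threshold` counted events within `interval`
    seconds puts the client key into a block lasting `block_duration` seconds."""

    def __init__(self, name, threshold, interval, block_duration, key="ip"):
        self.name, self.key = name, key
        self.threshold, self.interval, self.block_duration = threshold, interval, block_duration
        self.events = defaultdict(deque)  # key value -> timestamps of counted events
        self.blocked_until = {}           # key value -> time at which the block expires

    def add_zone(self, client, now):
        """Count one event for the client; trip the block once the threshold is reached."""
        k = client[self.key]
        q = self.events[k]
        q.append(now)
        while q and q[0] <= now - self.interval:  # drop events outside the sliding interval
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[k] = now + self.block_duration
            q.clear()

    def check_zone(self, client, now):
        """True while the client key is inside an active block; expired blocks are cleared."""
        k = client[self.key]
        until = self.blocked_until.get(k)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(k, None)
        return False


def handle_request(client, path, origin_status, zone, now):
    """Two-phase policy: check_zone in the request phase, add_zone in the response phase."""
    if path == "/login" and zone.check_zone(client, now):  # rate_limit_request phase
        return 429
    if path == "/login" and origin_status == 401:          # rate_limit_response phase
        zone.add_zone(client, now)
    return origin_status


def simulate(events, zone):
    """events: constructed (time, ip, path, origin_status) tuples; returns the statuses the client sees."""
    return [handle_request({"ip": ip}, path, status, zone, t) for t, ip, path, status in events]


if __name__ == "__main__":
    zone = RateLimitZone("login_failures", threshold=5, interval=60, block_duration=300)
    attempts = [(t, "203.0.113.7", "/login", 401) for t in range(0, 50, 10)]  # 5 failures in 40 s
    attempts += [(55, "203.0.113.7", "/login", 401), (400, "203.0.113.7", "/login", 200)]
    print(simulate(attempts, zone))  # -> [401, 401, 401, 401, 401, 429, 200]
```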

Stopping Attacks with Rate Limiting

Rate limiting does more than stop malicious attacks on web applications. It also protects APIs and other endpoints from abuse or misuse while maintaining service availability for legitimate clients.

How Rate Limiting Works

Rate limiting is applied per client, most commonly identified by IP address. Peakhour.IO offers several measures for tracking client requests, including:

  1. Concurrent connections
  2. Connections per interval
  3. Hits per interval
  4. HTTP 4xx responses per interval
  5. HTTP 5xx responses per interval
  6. Custom criteria

Granular Rate Limiting

Peakhour.IO's wirefilter rules allow for granular rate limiting by identifying clients using both the HTTP request and response. This allows for segregation of rate limits based on specific criteria, such as URL, response codes, GeoIP information, parsed user agent information, and various meta information from Peakhour's BOT protection service.

Defining Your Rate Limits

Defining appropriate rate limits can be challenging without adequate analytics. The Peakhour dashboard provides rate-based analytics to help you with the setup process.

If you're looking for a secure and effective solution to protect your website, rate limiting with Peakhour.IO can be an excellent option. If you have any questions or need further assistance, reach out to Peakhour support.