Rate Limit Request Late Phase

The Rate Limit Request Late phase occurs after the WAF phase and allows rate limiting based on WAF results.

Available Actions

  • rate_limit.add_zone: Adds the current request to a named rate limit zone's counter. This is useful for tracking requests that have triggered WAF rules. This action increments the count for a client but does not perform any checks itself.
  • rate_limit.check_zone: Checks the current request against a named rate limit zone's counter. If the client's count exceeds the zone's threshold, the specified action (e.g., block, challenge) is triggered.

Both actions require a key to be defined to identify the client (for example, the client's IP address). For the full list of available key types, and for a detailed guide on creating and using zones, see How to Configure Rate Limit Zones.

Fields

The Rate Limit Request Late phase provides access to the following fields:

Examples

Rate Limiting Breached Credentials

The filter matches requests where the WAF has detected an exposed password:

peakhour.waf.exposed_password

The configuration adds the request to the "exposed_password" zone and checks if it exceeds the rate limit:

rate_limit.add_zone:
  zone: "exposed_password"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "exposed_password"
  action:
    type: "challenge"
    status_code: 403

This configuration uses the client's IP as the key and presents a challenge with a 403 status code if the request exceeds the rate limit. This helps mitigate credential stuffing attacks.

Rate Limiting WAF Scanners

This example shows how to rate limit clients that are triggering a variety of WAF rules, which is indicative of a security scanner.

The filter matches any request that has triggered a WAF rule with a tag of "sql-injection" or "xss":

any(peakhour.waf.matched_rule.tags[*] == "sql-injection") or any(peakhour.waf.matched_rule.tags[*] == "xss")

The configuration adds the client to a waf_scanner zone and blocks them if they exceed a low threshold:

rate_limit.add_zone:
  zone: "waf_scanner"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "waf_scanner"
  action:
    type: "block"
    status_code: 403

This configuration is effective at quickly stopping automated scanners that probe for multiple vulnerability types.
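To make the add_zone / check_zone semantics concrete, here is an added simulation of the WAF Scanners example above (the Breached Credentials example works the same way with a challenge action). It is illustrative code, not Peakhour's implementation: the zone threshold, the counting window and the sample requests are constructed assumptions, since the real threshold is set when the zone is configured.

```python
from collections import defaultdict


class RateLimitZone:
    """A named zone: per-key counter, threshold and the action to trigger."""

    def __init__(self, name, threshold, action):
        self.name = name
        self.threshold = threshold  # assumed value; set when the zone is configured
        self.action = action        # e.g. {"type": "block", "status_code": 403}
        self.counts = defaultdict(int)  # key -> requests counted in the window

    def add_zone(self, key):
        """rate_limit.add_zone: increment the client's count, perform no check."""
        self.counts[key] += 1

    def check_zone(self, key):
        """rate_limit.check_zone: return the action once the count exceeds the threshold."""
        return self.action if self.counts[key] > self.threshold else None


def scanner_filter(waf):
    """The WAF Scanners filter: a matched rule tagged sql-injection or xss."""
    tags = waf.get("matched_rule", {}).get("tags", [])
    return "sql-injection" in tags or "xss" in tags


def process(requests, zone):
    """Filter, then add_zone and check_zone keyed by IP; return the last action per IP."""
    outcome = {}
    for req in requests:
        if not scanner_filter(req["waf"]):
            continue  # filter did not match: neither action runs for this request
        ip = req["ip"]  # key type "ip"
        zone.add_zone(ip)
        outcome[ip] = zone.check_zone(ip)
    return outcome


# Constructed sample traffic (placeholder addresses from the documentation ranges).
SAMPLE = (
    [{"ip": "203.0.113.5", "waf": {"matched_rule": {"tags": ["sql-injection"]}}}] * 2
    + [{"ip": "203.0.113.5", "waf": {"matched_rule": {"tags": ["xss"]}}}]
    + [{"ip": "198.51.100.9", "waf": {"matched_rule": {"tags": ["xss"]}}}]
    + [{"ip": "198.51.100.9", "waf": {"matched_rule": {"tags": ["lfi"]}}}]
)
BLOCK = {"type": "block", "status_code": 403}


def run_sample(threshold=2):
    """Apply the waf_scanner zone with an assumed threshold of 2 to SAMPLE."""
    return process(SAMPLE, RateLimitZone("waf_scanner", threshold, BLOCK))
```

With the assumed threshold of 2, the first client is blocked on its third filtered request while the second client, with only one matching request, is never actioned.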

Use Cases

  1. Implement stricter rate limits for requests that trigger WAF rules
  2. Apply rate limiting to specific types of attacks detected by the WAF
  3. Combine WAF results with other request properties for more granular rate limiting
  4. Implement progressive rate limiting based on the severity of WAF detections