How Does It Work?

This article explains the legacy version of Rate Limiting that will undergo end-of-life on June 30, 2021. Our new version of WAF expands upon all of the capabilities offered by WAF and Rate Limiting with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

Rate Limiting restricts the rate of traffic that may be directed to one or more web sites. HTTP/HTTPS requests that exceed a rate limiting policy will not be honored.

Key information:

Scenario 1: Rate Limiting All Requests

This scenario assumes:

The rate limiting policy for this scenario is defined below.

Policy Setting Value

Source

Any request

This type of source applies a rate limit to all requests without taking into account the client that submitted each request.

Scope

Default (Match all hostnames and URL paths)

Rate

300 requests per minute

In the above scenario, the CDN received 1200 requests per minute for the following three files:

The CDN handled the above requests in the following manner:

Scenario 2: Rate Limiting Unique Clients

This scenario assumes:

A rate limiting policy may be applied to each unique client. The rate limiting policy for this scenario is defined below.

Policy Setting Value

Source

IP address

This type of source applies a rate limit to all requests from unique IP addresses.

Scope

Default (Match all hostnames and URL paths)

Rate

50 requests per minute

The following diagram illustrates how this rate limiting policy controls the total number of requests that may flow through our network.

In this scenario, only requests originating from one of the clients will be rate limited. Specifically, only that client's requests for Index.html and Styles.css will be rate limited. All other requests will be honored, since they don't exceed the defined rate limit (i.e., 50 requests per minute).

Aggregate traffic is not taken into account when rate limiting unique clients. For example, this rate limiting policy would not be enforced on 2,000 clients if they only issued 5 requests per minute. Although aggregate traffic exceeded the rate limiting policy, no single client exceeded 50 requests per minute.

Scenario 3: Multiple Rate Limiting Policies (Rules)

This scenario assumes:

A Rate Limiting configuration may contain multiple rate limiting policies (i.e., rules) that define a custom rate limit for different types of requests. Rate Limiting will process these rules in the order in which they are listed. Once a rule is satisfied, it will be applied to the request and no additional rules will be processed.

It is recommended to order rules according to how they identify requests. Stricter rules that identify requests using multiple conditions should be placed closer to the top of the list, while catch-all rules should be placed closer to the bottom. This ensures that rules are applied to requests as intended.

The rate limiting policy for this scenario is defined below.

# Rate Limiting Policy (Rule)
1

Source: IP address

Scope: Default (Match all hostnames and URL paths)

Rate Limit: 200 requests per minute

Match Conditions: Host = cdn.mydomain.com & Request URL = /sales/index.htm

Action: Redirect (HTTP 302)

2

Source: IP address

Scope: Default (Match all hostnames and URL paths)

Rate Limit: 200 requests per minute

Match Condition: Host = cdn.mydomain.com

Action: Drop request

3

Source: Any request

Scope: Default (Match all hostnames and URL paths)

Rate Limit: 500 requests per minute

Match Condition: None

Action: Redirect (HTTP 302)

This sample scenario examines how the following requests will be affected by Rate Limiting.

Although the majority of the following requests satisfy multiple rules, only the first rule that a request violates will be applied to it.

Request Rule

Description

Client: 100.10.20.33

Request rate: 350 per minute

Request URL:

http://cdn.mydomain.com/sales/index.htm

1

Action:

Approximately 200 requests will be honored, while approximately 150 requests will be redirected.

Why?

All of these requests satisfy the first rule. As a result, the subsequent rules (i.e., second and third rules) are skipped.

Client: 101.10.20.44

Request rate: 300 per minute

Request URL:

http://cdn.mydomain.com/marketing/index.htm

2

Action:

Approximately 200 requests will be honored, while approximately 100 requests will be dropped.

Why?

These requests do not meet the conditions defined for the first rule. However, they do satisfy the second rule. As a result, the subsequent rule (i.e., third rule) is skipped.

Client: 102.10.20.55

Request rate: 250 per minute

Request URL:

http://cdn.mydomain.com/sales/index.htm

1

Action:

Approximately 200 requests will be honored, while approximately 50 requests will be redirected.

Why?

All of these requests satisfy the first rule. As a result, the subsequent rules (i.e., second and third rules) are skipped.

Client: 102.10.20.55

Request rate: 450 per minute

Request URL:

http://cdn2.mydomain.com/sales/index.htm

3

Action:

All 450 requests will be honored.

Why?

These requests do not meet the conditions defined for the first or second rule. However, the third rule is applicable, since it is a catch-all rule that applies to all requests.

Although the total number of requests from all clients exceeds 500 requests per minute, only the 450 requests submitted by this client are eligible for rate limiting by the third rule. Therefore, the rate limit defined in the third rule is not being exceeded.

Notice that a different rate limiting policy is applied to these requests, even though they originate from the same client (i.e., 102.10.20.55).