Rate Limiting Dashboard

Applies To:

HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.

HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.

ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.

WAF Essential (Legacy)WAF Essential (Legacy) provides basic protection against DDoS, application layer attacks, and volumetric attacks. Consider using WAF for a more robust solution.

This article explains the legacy version of WAF Essential that will undergo end-of-life on June 30, 2021. Our new version of WAF Essentials expands upon all of the capabilities offered by the legacy version of WAF Essential with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

The following information is only applicable for the WAF Essential product. This security offering provides limited Web Application Firewall and Rate Limiting functionality.

Use the Rate Limiting dashboard to analyze recently rate limited requests to:

Understand the severity of rate limited requests.
Identify the countries from which rate limited traffic originated.
Identify key individual offenders by their IP address.
View detailed information describing each rate limited request.

Logging for rate limited requests is downsampled due to the volume of requests that may occur during a single incident (e.g., volumetric Distributed Denial-of-Service attack).

This article describes:

Chart view
Event log view
Filters
Fields

Usage

The dashboard contains two different views through which rate limit analysis may be performed, which are:

Chart
Event log

To view the Rate Limiting Dashboard

Navigate to the chart view of the Rate Limiting Dashboard page. How?From the main menu, navigate to Defend | WAF Essential | Rate Limiting Dashboard.

The dashboard will display a chart showing recent violations of your security policy.
Optional. View event log data by clicking Event Logs from the side navigation bar.

Chart View

Chart view is a useful tool for detecting patterns for rate limited traffic directed to your origin servers. This view consists of a chart and statistics for a given time period.

Chart

A chart or line graph displays the number of rate limited requests over a given time period.

By default, a single line on the graph represents all rate limited traffic. Alternatively, categorize rate limited traffic by selecting the desired categorization criteria from the option that appears directly above the graph. A line will be drawn on the chart for each unique value. For example, if you select Top Action Types and rate limited requests were either dropped or redirected, then the graph will contain a line for REDIRECT-302 and another one for DROP-REQUEST.

Key information:

By default, the chart includes all rate limited requests within the last seven days.
- The chart may be filtered by the criteria listed directly below it. Additional filters are available when viewing an individual event from the event log.
- The time period being charted may be adjusted through the Time Range option. This option is displayed directly to the left of the chart.
Hovering over the line graph will indicate the number of rate limited requests that took place during that time slot.

Statistics

Statistics for rate limited traffic over a given time period are displayed directly below the chart. Statistics are broken down by category.

Each category may contain up to the top 10 entries.

View a brief description for each category.

The following information is displayed for each category:

Value: Groups rate limited traffic by a specific value.
Percentage (%): Indicates the percentage of rate limited traffic over a given time period for the current group.

Percentages are calculated from the total rate limited requests during the given time period. Since there is a limit of 10 entries per category, the sum of the percentages for categories containing more than 10 entries will not add up to 100%.
Events: Indicates the number of rate limited requests over a given time period for the current group.

Event Log View

This view provides the means to delve into the details of a rate limited request. The information derived from this view provides a deeper understanding as to why rate limiting was applied to the request.

The event log contains a list of recent rate limited requests. Each request is described as follows:

Enforced Rule: RuleIdentifies the rate limiting rule that was violated by its name. Elapsed TimeIndicates the amount of time that has passed since the request was screened. TimeIndicates the time (UTC) at which the request was screened.

Action Type: Action TypeRepresents the type of action that was applied to the rate limited request. The rate limiting action that will be applied to a request is determined by the rule that it violated.

A sample rule violation is provided below.

Enforced Rule: Marketing 10s ago 12:00:00.00 UTC

Action Type: CUSTOM-RESPONSE

Clicking on an event will expand that entry and display detailed information about it.

View a brief description for each event log entry field.

Key information:

Blue font indicates a value that may be used to filter the entire dashboard. Click on that value to filter events by it.
The icon appears next to each field that is currently filtering the dashboard.

Filters

Filters are applied to both the Chart and the Event Log views. Most fields support filtering.

The Event Log view contains the Request Method field. Although this field is not available from the Chart view, it may be used to filter both the Chart and Event Log views.

The Chart and the Event Log views cannot be filtered by the Timestamp field. Use the Time Range option instead. This option filters the dashboard for events that occurred during a relative time period from the present (e.g., Last 24 hours or Last 7 days).

Key information:

Most filters may be applied by simply clicking on the desired entry. After which, the icon will be displayed next to it. This icon indicates that the dashboard is being filtered by that entry.
- Chart: The values that may be used to filter the dashboard are displayed directly below the chart.
- Event Log: A filter may be applied to the event log by clicking on the desired field value when viewing detailed information on a particular rate limited request.
The Time Range option is different from other filters in that it is mandatory. Specify the relative time period from the present by which the chart and the event log will be filtered.
The list of active filters, including time, is displayed on the left-hand side of the dashboard.
Clear a filter by clicking on the icon displayed next to it.

Fields

A brief description for each field used to describe/categorize rate limited requests is provided below.

Field	Description
Client IP	Identifies the IP address (IPv4) of the client from which the request originated.
Country Name	Identifies the country from which the request originated.
Rate Limiting Action Type	Indicates the action (e.g., CUSTOM-RESPONSE) that was applied to the rate limited request.
Referer	Indicates the request’s referrer as defined by the Referer request header. A referrer identifies the address of the resource that linked to the requested content.
Request Method	Indicates the request's HTTP method. Format: HTTP_METHOD_NAME Example: HTTP_METHOD_GET
Rule Name	Indicates the name of the rule that was applied to the rate limited request.
Timestamp	Indicates the date and time (UTC) at which the request was rate limited. This field is only available from within the Event Log view. Requests may not be filtered by this field. Filter by time through the Time Range option that appears on the left-hand side of the dashboard. Local time is displayed on the right-hand side of the event log entry header that appears directly above this field.
URL	Indicates the URL of the request that was rate limited.
User Agent	Indicates the user agent that submitted the request that was rate limited. A request's user agent is defined in the User-Agent request header.