Rate Limiting Rules

Applies To:

HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.

HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.

ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.

WAF Essential (Legacy)WAF Essential (Legacy) provides basic protection against DDoS, application layer attacks, and volumetric attacks. Consider using WAF for a more robust solution.

This article explains the legacy version of WAF Essential that will undergo end-of-life on June 30, 2021. Our new version of WAF Essentials expands upon all of the capabilities offered by the legacy version of WAF Essential with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

The following information is only applicable for the WAF Essential product. This security offering provides limited Web Application Firewall and Rate Limiting functionality.

Setting up a rate limiting policy involves creating one or more rules. Each rule identifies a set of requests and how they will be rate limited. Information on rule configuration is provided below.

Category	Description
Source	A rate limit may be applied: Indiscriminately across all requests. To each unique client that exceeds the defined rate limit. A unique client may be identified by its user agent and/or IP address.
Scope	Identify the type of requests that are eligible for rate limiting by: Hostname URL path
Rate Limit	Define a maximum request rate before a predefined action is triggered.
Condition Group	Identify the type of requests that are eligible for rate limiting by URL path, request headers, IP address, file extension, and/or request method. A request will only count towards the rate limit when it satisfies the rule's scope. Additionally, if one or more condition group(s) have been defined, then the request must also satisfy all of the conditions defined within at least one condition group.
Action	Define the type of action that will be applied to requests that exceed the above rate limit.

Source

Rate limiting may be applied across all requests or to each unique client. Define this behavior from within the Apply rate limit to option. The available modes are described below.

Mode	Description
Any request	Indicates that all requests will count towards the rate limit. Once the specified rate limit is exceeded, it will be enforced without taking into consideration which client submitted the request. This mode is not recommended when there are malicious clients that are spoofing legitimate traffic. This type of configuration may potentially lead to a situation where spoofed traffic is honored while legitimate traffic is rate limited.
IP address	Indicates that the requests from each unique client, as determined by its IP address, will be tracked. The specified rate limit will only be enforced on the clients that exceed it.
IP address and user agent	Indicates that the requests from each unique client, as determined by each unique combination of IP address and user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). (e.g., web browser), will be tracked. The specified rate limit will only be enforced on the clients that exceed it. All requests from a specific IP address that contain a blank or missing User-Agent header will be treated as a single client.

Mode

Description

Any request

Indicates that all requests will count towards the rate limit. Once the specified rate limit is exceeded, it will be enforced without taking into consideration which client submitted the request.

This mode is not recommended when there are malicious clients that are spoofing legitimate traffic. This type of configuration may potentially lead to a situation where spoofed traffic is honored while legitimate traffic is rate limited.

IP address

Indicates that the requests from each unique client, as determined by its IP address, will be tracked. The specified rate limit will only be enforced on the clients that exceed it.

IP address and user agent

Indicates that the requests from each unique client, as determined by each unique combination of IP address and user agentRefers to software that acts on behalf of a user. For example, a web browser (e.g., FireFox, Chrome, and Internet Explorer) is a user agent. A web browser will make HTTP/HTTPS requests based on user actions (e.g., requesting a web site or clicking a link). (e.g., web browser), will be tracked. The specified rate limit will only be enforced on the clients that exceed it.

All requests from a specific IP address that contain a blank or missing User-Agent header will be treated as a single client.

Scope

Identify the type of requests that are eligible for rate limiting using the criteria described below.

Define a scope to quickly identify the type of requests that are eligible for rate limiting. Use condition groups to further define the type of requests that will be tracked for the purposes of rate limiting.

By default, a scope condition will only be satisfied when an exact match is found. Enable the Negative match option to configure a scope condition to look for requests that do not match the specified value.

Type	Description
Hostname	Determines whether this rate limit will be applied to all or specific hostnames. For the purpose of defining a rate limiting scope, the hostname associated with a request is determined by the request's Host header. Select one of the following modes: Default: This mode does not restrict rate limiting by hostname. Exact match (multiple entries): Applies the rate limit to the specified hostname(s). Learn more. Regex match: Applies the rate limit to all hostnames that satisfy the specified regular expression pattern. Learn more. Wildcard match: Applies the rate limit to all hostnames that satisfy the specified wildcard pattern. Learn more. Additional restrictions by hostname may be defined through condition groups. Those hostname restrictions are applicable regardless of the selected mode. Learn more.
URL path	Determines whether this rate limit will be restricted to requests that match the specified URL path pattern. For the purposes of this option, specify a URL path pattern that starts directly after the hostname. Do not include a protocol or a hostname. Sample values: /marketing /800001/mycustomerorigin Select one of the following modes: Default: This mode does not restrict rate limiting by URL path. Exact match (multiple entries): Applies the rate limit to the specified URL path(s). Learn more. Regex match: Applies the rate limit to all URL paths that satisfy the specified regular expression pattern. Learn more. Wildcard match: Applies the rate limit to all URL paths that satisfy the specified wildcard pattern. Learn more. Additional restrictions by URL path may be defined through condition groups. Those URL path restrictions are applicable regardless of the selected mode. Learn more.

Type

Description

Hostname

Determines whether this rate limit will be applied to all or specific hostnames.

For the purpose of defining a rate limiting scope, the hostname associated with a request is determined by the request's Host header.

Select one of the following modes:

Default: This mode does not restrict rate limiting by hostname.
Exact match (multiple entries): Applies the rate limit to the specified hostname(s).

Learn more.
Regex match: Applies the rate limit to all hostnames that satisfy the specified regular expression pattern.

Learn more.
Wildcard match: Applies the rate limit to all hostnames that satisfy the specified wildcard pattern.

Learn more.

Additional restrictions by hostname may be defined through condition groups. Those hostname restrictions are applicable regardless of the selected mode.
Learn more.

URL path

Determines whether this rate limit will be restricted to requests that match the specified URL path pattern.

For the purposes of this option, specify a URL path pattern that starts directly after the hostname. Do not include a protocol or a hostname.
Sample values:
/marketing
/800001/mycustomerorigin

Select one of the following modes:

Default: This mode does not restrict rate limiting by URL path.
Exact match (multiple entries): Applies the rate limit to the specified URL path(s).

Learn more.
Regex match: Applies the rate limit to all URL paths that satisfy the specified regular expression pattern.

Learn more.
Wildcard match: Applies the rate limit to all URL paths that satisfy the specified wildcard pattern.

Learn more.

Additional restrictions by URL path may be defined through condition groups. Those URL path restrictions are applicable regardless of the selected mode.
Learn more.

Rate Limit

The maximum rate at which requests will be honored before a predefined action is applied to it is known as the rate limit. A rate limit defines the number of requests over a given time period (e.g., 5 seconds, 10 seconds, or 1 minute). Define the desired rate limit via the Rate limit option.

Key information:

The source that will be rate limited should be taken into account when defining a rate limit.

A rate limit that applies across all requests should be significantly larger than a rate limit that applies to unique clients.
The specified rate limit is enforced on each edge server based on the number of requests that it receives.
- Typically, a single edge server will handle all requests directed to a POP for a specific URL.
  
  If the volume of requests to the above edge server exceeds capacity, then requests will be load balanced to an additional edge server.
  
  Example
  
  All requests within the Los Angeles area for the following image will be handled by a single edge server in a Los Angeles POP (e.g., OXR):
  
  https://cdn.mydomain.com/marketing/logo.png
- If rate limiting is being applied to unique clients, then it is important to note that requests from a single client may be load balanced to different edge servers based on the requested URL.
  
  Example
  
  A request for a web page may result in 50 subsequent requests for its supporting files (e.g., CSS, JS, and images). Although a single client is requesting all 50 of these assets, these requests may be load balanced across anywhere from 1 to 50 different edge servers in a single POP.

Condition Group

A condition group defines one or more prerequisites that must be met before a request will count towards the rate limit.

A request will only count towards the rate limit when it satisfies the rule's scope. Additionally, if one or more condition group(s) have been defined, then the request must also satisfy all of the conditions defined within at least one condition group.
Learn more about scopes.

The types of prerequisites that may be defined are described below.

Type	Description
File extension	A request will count towards the rate limit when the filename of the requested content contains a file extension that matches a value defined in the Value(s) option. Syntax: .FileExtension Example: .htm
IP address	A request will count towards the rate limit when its IP address matches a value defined in the Value(s) option. Make sure to use standard IPv4 and CIDR notation. Specify a subnet by appending a slash (/) and the desired bit-length of the prefix (e.g., 11.22.33.0/22).
Request header	A request will count towards the rate limit when the value corresponding the specified request header is an exact case-sensitive match for the one defined in the Value(s) option. This condition supports the following request headers: Host User-Agent Referer Host A request will count towards the rate limit when its Host header matches the specified hostname or IP address. Syntax: Host Host:Port Key information: The entire Host header value will be compared against the specified value. The CDN only accepts HTTP/HTTPS requests on standard ports (i.e., 80 and 443). Typically, a Host request header does not include port information for standard ports. However, the requesting user agent defines the Host request header submitted to the CDN. For the purpose of this comparison, the hostname defined by this match condition will not be resolved to an IP address. For the purpose of this comparison, a customer origin's HTTP Host Header option is irrelevant. User-Agent A request will count towards the rate limit when its User-Agent header matches the specified user agent. The request's user agent must be an exact match to the specified value. User agent strings typically vary by type and version. Match for requests with a blank or missing User-Agent header by specifying a blank value. Referer A request will count towards the rate limit when its Referer header matches the specified referrer. The request's referrer must be an exact match to the specified value.
Request method	A request will count towards the rate limit when the request's HTTP method matches a value defined in the Value(s) option. Valid values are: GET POST PUT HEAD DELETE OPTIONS
Request URL path	A request will count towards the rate limit when its request URL contains a relative path that matches a value defined in the Value(s) option. For the purposes of this option, specify a URL path pattern that starts directly after the hostname. Do not include a protocol or a hostname. Sample values: /marketing /800001/mycustomerorigin This type of match condition requires a Host condition within the same condition group. Syntax: /path/asset Example: /marketing/brochures/widget.htm A partial match does not count towards the rate limit. For example, given the above sample configuration, the following request would not count towards the rate limit: http://cdn.mydomain.com/marketing/brochures/widget.html.

Key information:

Multiple conditions may be defined within a single condition group.
Multiple condition groups may be created.
All conditions are case-sensitive.
A request will count towards the rate limit when it satisfies either of the following:
- No Condition Groups: If the rule does not contain a condition group, then all requests that satisfy the rule's scope conditions are eligible for rate limiting.
- 1 or More Condition Groups: A request must satisfy the rule's scope conditions and meet all match conditions defined in at least one condition group.
Each condition must contain a value through which requests will be identified.
- Regular expressions or wildcards may not be used to identify requests.
- Blank values are not allowed.
- Specify each desired value on its own separate line.

Keep in mind the following limitations when setting up a rate limiting policy:

Type	Limit
Rules	20Please contact Customer Support to increase this limit.
Condition Groups per Rule	5
Conditions per Condition Group	5
# of Values per ConditionThis limit only applies when the Type option for a condition is set to "Multiple Match."	IP Address: 200 All Other Conditions: 100

Learn how to set up a condition group.

Action

An action defines how rate limiting is enforced upon requests and the duration for which this enforcement will be applied to each client.

Requests that originate from rate limited clients will not count towards the rate limit. Upon the expiration of the time period defined in the Duration option, we will resume counting these requests. If the client exceeds the rate limit again, then this action will be reapplied to it for the duration defined by this option.

A "client" is defined by each rule according to the Apply rate limit to option. For example, configuring that option to "Any request" will apply the selected action to all requests regardless of the number of requests generated by each device. Alternatively, identifying clients by "IP address" will only apply the selected action to requests that originate from each IP address that violates the specified rate limit.

The available types of actions are described below.

Name	Description
Redirect (302 Found)	Rate limited requests will be redirected to the specified URL. Key information: The HTTP status code for this response will be a 302 Found. Set the URL option to the URL to which rate limited requests will be redirected. Make sure to specify a full URL. Example: http://cdn.mydomain.com/marketing/busy.html
Custom response	Rate limited requests will receive the response defined under this option. Configure the following settings: Response body: Defines the payload that will be delivered to the client in response to a rate limited request. For example, the payload of a CSS file might look something like: body { background-color: #ffffff; } HTTP status code: Defines the HTTP status code that will be sent to the client. Either select or type the desired status code. Custom response headers: Defines one or more response headers that will be sent to the client. Define each custom response header on a separate line. Format: Name:Value Example: MyCustomHeader:True
Drop request	Rate limited requests will be dropped and the client will receive the following response: HTTP status code: 503 Service Unavailable Response header: Retry-After: 10 seconds The Retry-After response header provides a hint to the client as to when service may resume.
Alert only	Rate limited requests will only generate an alert. Use this mode to track rate limited requests through the dashboard without affecting traffic.

Rate Limiting Rules

Source

Scope

Rate Limit

Condition Group

Host

User-Agent

Referer

Action