Announcing HTTP Rate Limiting 2.0
By Reed Morrison, Software Developer and Richard Yew, Principal Product Manager — Security Solutions
Security threats are an ongoing challenge for any website owner. Sites that were secure yesterday, can be vulnerable today. Proof of this is the proliferation of hackers leveraging bots to gain insights into application vulnerabilities or to crash your site completely (such as DDoS attacks), which can severely damage your business and reputation.
To help you fend off hackers and bots, while improving the security and performance of your websites, Verizon Digital Media Services is excited to announce an update to our HTTP Rate Limiting product, effective July 30, 2018.
HTTP Rate Limiting 2.0 is available as a stand-alone service, but when combined with our Web Application Firewall (WAF), you get increased website control, protection and performance.
Here are the benefits of Rate Limiting 2.0:
- Revised user interface: A more intuitive user experience, making it easier for you to use.
- Faster propagation: Configuration changes take effect in less than 60 seconds, helping you respond to attacks even faster.
- New penalty box: This feature protects you against individual clients violating rate limiting rules by placing clients in a penalty box for 10 seconds, 60 seconds, or 5 minutes, freeing your resources to handle the needs of legitimate traffic.
- Improved targeting: New filtering fields: Hostname and path of URL — with both supporting wildcard or regex. You can now configure different rates for different pages, giving you more control.
- Request method handling: Rate limiting is now based on HTTP request methods (e.g., GET, HEAD, DELETE, POST, OPTIONS, PUT), further refining control. For example: You can now easily combine request protocol with other limiting methods to protect API endpoints.
- Flexible intervals: We’ve added additional rate limiting sampling windows of 1, 5, 10, 30, 60, 120, 300 seconds. Giving you more flexibility and control to reduce false positives.
Figure 1: HTTP Rate Limiting Dashboard (chart view)
As seen in the figure above, events triggered by rules currently in place can easily be seen in the home page of the HTTP Rate Limiting Dashboard. You can drill down further by clicking Rule Name and Referrer as shown at the bottom of figure 1 above.
Figure 2: HTTP Rate Limiting Dashboard (event log view)
In figure 2, specific events can be examined in greater detail. As shown above, we see that “test_rule-5–1” was triggered from the Client IP “220.127.116.11.” It appears that the User Agent was “ryew-monkey-20180521,” and the Rate Limiting Action taken was a “CUSTOM-RESPONSE.” Please note: This screenshot is an expanded view of a single enforced rule. Additional rules are shown in collapsed view. You can quickly scroll through the events based on timestamp to isolate a specific rule.
Figure 3: Rate Limiting Rules (in lock mode)
To ensure that rules are not accidentally updated, they are locked by default. Unlocking the rules is easily done by enabling the Edit Rate Limiting Rules toggle in the upper right, as seen in figure 3.
Figure 4: Rate Limiting Rules (unlocked)
As shown in figure 4, the Edit Rate Limiting Rules toggle has been turned on to enable editing.
Figure 5: Adding new rule (adding details)
Upon clicking the Add Rule button in figure 4, you are presented with the Details page. Here, you can specify all the details particular to the rate limiting rule you wish to enforce. Wildcards and regex are supported for both Hostname and URL path(s). Once your rules criteria have been entered, you can click the “Add Rule” button shown at the bottom of figure 5 to save.
Figure 6: Adding new rule (specifying action type)
Once you’ve completed the Details page, you will then select the Action Type, as shown at the top right of figure 6. You will be able to specify how to handle the request when it is triggered by the rate limiting rule. In the Response body field shown in figure 6, you see the custom response, “You’ve been blocked.” We’re configuring this rule to issue a 403 HTTP status code along with a Custom response headers.
Security threats are always evolving, looking for new ways to damage your website. Verizon Digital Media Services is committed to staying ahead of threats to keep your brand safe. HTTP Rate Limiting 2.0 is just the latest in our ongoing security efforts, part of our layered defense approach designed to keep your website operating with confidence.
If you have any questions or need additional information on HTTP Rate Limiting 2.0, please contact your account manager.
To stay up-to-date on all our product updates and releases, please visit our website or contact us.