What is it?

DoS and DDoS attacks, aggressive scraping, scamming and scanning cannot always be stopped or moderated with simple request rate limiting rules. Increasingly, these attacks rely on low-rate request flows that are hard to detect with a plain request counter.

Smart Rate Limiting drives are designed to detect these low-profile attacks.


How does it work?

To achieve this, each user's request profile is analyzed in real time and compared with the site's reference profile. When the divergence between the two is too great, the user is banned for a short, random period of time.

The request profile takes into account several aspects of the request flow:

  • erroneous requests, based on the origin response (HTTP status code 4XX or 5XX)
  • origin response time (used to evaluate the weight of a request for the origin infrastructure)
  • other suspicious request characteristics


How do I configure these drives?

The parameters of these drives are available in the "Expert" tab of the site configuration (Expert Mode must be enabled).

Smart Rate Limiting drives are prefixed with SRL in the "General settings, API protection & Smart Rate Limiting (SRL)" section.

Parameter definitions:

  1. Sensitivity: Degree of severity of the drive, between 0.0 = "detect without impact" and 1.0 = "paranoid".
  2. Trigger threshold: Number of requests from an IP in the last 60 seconds above which the drive can be triggered.
  3. Impact min/max: Level of divergence from the baseline considered an anomaly. min=5 and max=25 means: the IP's credibility starts to be impacted from 5 times the baseline, and the impact is maximal from 25 times the baseline.
  4. Min. rate: Minimum error rate generated by the IP in the last 60 seconds for the drive to execute.
  5. Coefficient: Ratio between the error rate generated by the IP in the last 60 seconds and the average error rate observed on the site, above which the IP's credibility is impacted.
  6. Consumed time: Cumulative origin response time generated by the IP's requests over 10 s that is considered unacceptable. For example, 100,000 means that it is not acceptable to "consume" more than 10 s of response time per second, on average, over 10 s.
  7. Number of requests: Number of requests per 10 s above which the traffic is considered unacceptable.
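The following is an added example, not the vendor's code, that models how the parameters above combine: it runs the per-IP profile comparison from "How does it work?" over constructed access records. The exact scoring formula is not documented, so the linear interpolation between impact min/max, the scaling by sensitivity, the baseline floor and the millisecond unit for consumed time are assumptions.

```python
SRL = {  # constructed configuration; names follow the "Expert" tab parameters
    "sensitivity": 0.5,          # 0.0 = detect without impact, 1.0 = paranoid
    "trigger_threshold": 50,     # requests from one IP in the last 60 s before the drive may fire
    "impact_min": 5.0,           # divergence from baseline at which credibility starts to suffer
    "impact_max": 25.0,          # divergence at which the impact is maximal
    "min_rate": 0.2,             # minimum per-IP error rate over the last 60 s
    "coefficient": 3.0,          # required ratio IP error rate / site error rate
    "consumed_time": 100_000,    # origin response time per IP over 10 s (ms, assumed unit)
    "number_of_requests": 500,   # requests per IP over 10 s
}
NOW = 1_700_000_000
# Constructed records: 200 benign requests (2 % errors) plus one low-rate scanner
# sending 60 requests in a minute, half of them answered with 404.
RECORDS = (
    [{"ip": f"198.51.100.{i % 20}", "ts": NOW - i % 60, "rt": 80,
      "status": 500 if i % 50 == 0 else 200} for i in range(200)]
    + [{"ip": "203.0.113.7", "ts": NOW - i, "rt": 150,
        "status": 404 if i % 2 == 0 else 200} for i in range(60)]
)

def in_window(records, now, seconds):
    return [r for r in records if now - seconds < r["ts"] <= now]

def error_rate(records):
    return sum(400 <= r["status"] < 600 for r in records) / max(len(records), 1)

def impact(divergence, cfg=SRL):
    """Map divergence (IP error rate / site error rate) to a credibility impact in [0, 1]."""
    if divergence < cfg["impact_min"]:
        return 0.0
    scaled = min((divergence - cfg["impact_min"]) / (cfg["impact_max"] - cfg["impact_min"]), 1.0)
    return round(scaled * cfg["sensitivity"], 3)   # assumption: sensitivity scales the impact

def origin_load_exceeded(ip, records, now, cfg=SRL):
    """Parameters 6 and 7: cumulative origin time and request count over the last 10 s."""
    mine = [r for r in in_window(records, now, 10) if r["ip"] == ip]
    return sum(r["rt"] for r in mine) > cfg["consumed_time"] or len(mine) > cfg["number_of_requests"]

def evaluate_ip(ip, records, now, cfg=SRL):
    """Return (triggered, impact) for one IP compared with the rest of the site's traffic."""
    recent = in_window(records, now, 60)
    mine = [r for r in recent if r["ip"] == ip]
    if len(mine) < cfg["trigger_threshold"]:          # parameter 2: not enough traffic to judge
        return False, 0.0
    ip_rate = error_rate(mine)
    baseline = error_rate([r for r in recent if r["ip"] != ip]) or 0.01  # assumed floor, avoids /0
    divergence = ip_rate / baseline
    if ip_rate < cfg["min_rate"] or divergence < cfg["coefficient"]:  # parameters 4 and 5
        return False, 0.0
    return True, impact(divergence, cfg)
```

With the constructed data the scanner sends 60 requests at 50 % errors against a 2 % site baseline (divergence 25), so it is triggered with the maximal impact for a sensitivity of 0.5, while a benign client never reaches the trigger threshold.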