
Rate limiting rules

Last Updated: Nov 18, 2024

You can create rate limiting rules via Edge Security Acceleration (ESA) to limit the rate of requests that match specific conditions. For example, if an IP address visits your website at a high frequency within a specific period of time, you can create a rate limiting rule to specify a request rate limit, and enable slider CAPTCHA verification or add the IP address to the blacklist for a period of time when the configured limit is reached.

Create a rate limiting rule

The following procedure describes how to configure a rate limiting rule. The rule specifies that if 20 requests with the hostname www.example.com or image.example.com arrive from the same client IP address within 10 seconds, the system performs slider CAPTCHA verification on requests of this type for 5 minutes. During that period, a request is served only if the user passes the slider CAPTCHA verification. If the user fails the verification, the request is blocked.

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation tree, choose Security > WAF. On the page that appears, click the Rate Limiting Rules tab.

  5. On the Rate Limiting Rules tab, click Create Rule.

    image

  • Specify Rule Name.

  • If requests match...: filters requests by using the rule expression. For more information, see WAF. In this example, you can select Hostname for the match type field, select is in for the match operator field, and enter www.example.com and image.example.com in the match value field.

  • Apply to Cache: Rate limiting helps control the rate of client requests that match specific conditions and reduces the load on your origin server. Requests that hit the cache are directly served from ESA POPs, without burdening your origin server. If you do not want to apply the rate limiting rule to requests that hit the cache, clear this check box.

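  • With the same characteristics...: specifies the characteristic by which requests that match the rule expression are grouped and counted. In this example, requests are counted per client IP address.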

  • When the rate exceeds...: Specify the maximum number of requests allowed within the specified period of time.

  • Then execute...: Select the action that you want to execute when the request rate reaches the limit. You can execute the action only on requests that exceed the limit or on all requests that match the characteristics after the limit is exceeded.

    In the preceding figure, all requests whose hostname is www.example.com or image.example.com are aggregated by source IP address, including both requests that hit the cache and origin requests. The system performs slider CAPTCHA verification on requests of this type if 20 or more requests arrive from the same source IP address within 10 seconds.

  6. Click OK.
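Before enabling the rule, you can replay sample traffic against the same thresholds to see which clients it would challenge. The following Python sketch is an added example, not ESA code: it models the rule above (two hostnames, 20 requests per 10 seconds per client IP address, 5-minute action applied to all matching requests). The sliding-window counter, the constructed request tuples, and the hostname api.example.com are assumptions, and Apply to Cache is treated as selected.

```python
from collections import defaultdict, deque

# Values from the example rule on this page.
HOSTS = {"www.example.com", "image.example.com"}
LIMIT, WINDOW_S, ACTION_S = 20, 10, 300

def replay(requests):
    """Replay (timestamp_s, client_ip, hostname) tuples sorted by time.

    Returns {client_ip: [timestamps that would get the slider CAPTCHA]}.
    Assumptions: sliding window per client IP, and the request that reaches
    the limit is itself challenged; ESA's real counter may behave differently.
    """
    recent = defaultdict(deque)   # ip -> matching timestamps inside the window
    action_until = {}             # ip -> time at which the 5-minute action ends
    challenged = defaultdict(list)
    for ts, ip, host in requests:
        if host not in HOSTS:                 # "If requests match..."
            continue
        if ts < action_until.get(ip, float("-inf")):
            challenged[ip].append(ts)         # action covers all matching requests
            continue
        window = recent[ip]                   # "With the same characteristics..."
        window.append(ts)
        while window[0] <= ts - WINDOW_S:
            window.popleft()
        if len(window) >= LIMIT:              # "When the rate exceeds..."
            action_until[ip] = ts + ACTION_S  # "Then execute..."
            challenged[ip].append(ts)
            window.clear()
    return dict(challenged)

def sample_requests():
    """Constructed traffic, not real logs (documentation IP ranges)."""
    burst = [(i * 0.4, "198.51.100.7", "www.example.com") for i in range(25)]
    later = [(400.0, "198.51.100.7", "www.example.com")]   # after the action ends
    steady = [(float(i), "203.0.113.9", "image.example.com") for i in range(25)]
    other = [(i * 0.1, "192.0.2.5", "api.example.com") for i in range(30)]
    return sorted(burst + later + steady + other)

if __name__ == "__main__":
    for ip, stamps in replay(sample_requests()).items():
        print(f"{ip}: {len(stamps)} requests challenged, first at t={stamps[0]:.1f}s")
```

Only the burst client is challenged in this sample: the client sending one request per second never has 20 requests in any 10-second window, and the high-rate client on the unmatched hostname is outside the rule expression.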

Feature availability

| Feature | Entrance | Pro | Premium | Enterprise |
| --- | --- | --- | --- | --- |
| Rate limiting rules | No | 2 | 5 | 100 |