Rate limiting is a web application security technique that helps keep websites online and responsive when they’re inundated with a large volume of traffic.
Traditional rate limiting is a blunt instrument. If you’re under a DDoS attack from a botnet, or if a trusted web scraping service has overwhelmed your web app during peak hours, you can apply rate limiting to create an immediate fix. But it is only a temporary stopgap measure, because it will arbitrarily reduce all traffic to your site, whether it’s good or not.
Advanced rate limiting enables you to be more surgical. Maybe you want to apply rate limiting to an individual page, a single login form, or even a specific API that you know is under attack. In these cases, it does not negatively affect the good traffic trying to reach other parts of your site.
Advanced rate limiting is especially important for businesses that have multiple apps and sites under a single web application security policy. If you only have one form on one website that’s being attacked, and you apply traditional rate limiting, it can potentially have a negative effect on all the good traffic across the entire portfolio of sites. Advanced rate limiting provides the precision needed to avoid this issue.
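The difference between a site-wide limit and a resource-scoped one can be shown in code. The following is an added example, not code from the original article or any particular product: a sliding-window limiter keyed on (client, resource) whose rule table can express either approach, with constructed client addresses and paths.

```python
import time
from collections import defaultdict, deque


class ScopedRateLimiter:
    """Sliding-window limiter keyed on (client, path prefix).

    A rule with an empty prefix matches every path and behaves like the
    traditional site-wide limit; a rule with a prefix such as "/login"
    only counts requests to that resource."""

    def __init__(self, rules, clock=time.monotonic):
        # rules: list of (path_prefix, max_requests, window_seconds)
        self.rules = rules
        self.clock = clock
        self.hits = defaultdict(deque)  # (client, prefix) -> request timestamps

    def allow(self, client, path):
        now = self.clock()
        matched = []
        for prefix, limit, window in self.rules:
            if not path.startswith(prefix):
                continue
            q = self.hits[(client, prefix)]
            while q and now - q[0] >= window:  # drop hits outside the window
                q.popleft()
            if len(q) >= limit:
                return False  # deny before charging any bucket
            matched.append(q)
        for q in matched:  # charge every matching rule only on success
            q.append(now)
        return True


# Traditional: 5 requests/minute for the whole site, regardless of path.
TRADITIONAL = [("", 5, 60)]
# Advanced: 5 requests/minute on the login form, 100/minute on the API,
# no limit anywhere else.
ADVANCED = [("/login", 5, 60), ("/api/", 100, 60)]


def simulate(rules, attempts=5):
    """Send `attempts` login requests from one client, then probe other paths.

    Returns which follow-up requests are still allowed (constructed addresses)."""
    clock = [0.0]
    limiter = ScopedRateLimiter(rules, clock=lambda: clock[0])

    def request(path, client="203.0.113.7"):
        clock[0] += 0.1
        return limiter.allow(client, path)

    for _ in range(attempts):
        request("/login")
    return {
        "login": request("/login"),
        "catalog": request("/catalog"),
        "api": request("/api/items"),
        "other_client_login": request("/login", client="198.51.100.9"),
    }
```

With `TRADITIONAL` the bursting client loses access to the catalog and API as well; with `ADVANCED` only its login attempts are throttled, and a second client is never affected by either.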
Advanced rate limiting use cases
Some common types of attacks where bots can quickly overwhelm a site are carding, credential stuffing and credential cracking.
Carding is when an attacker has a database of stolen credit card information and uses a payment form on an e-commerce site to validate whether those cards are still active. Businesses can typically spot a carding attack when an increase in declined credit card transactions appears in their logs.
Credential stuffing is when an attacker has a database of known username and password combinations. The underlying assumption is that people reuse the same combination across accounts, so attackers test those combinations on other sites and record which ones also work there. They then either resell that refined data for more money or launch further attacks on those user accounts, such as identity theft.
Credential cracking is a brute-force attack that also targets your login page, but it cycles through common password lists, dictionaries, and other sources in an attempt to guess a user’s password. Telltale signs of credential cracking include a high number of failed login attempts across certain user accounts and an increase in accounts being locked out.
Pros and cons of advanced rate limiting
In all of the above cases, the botnets performing these attacks can drive so many requests that they overwhelm a website and create performance issues. Advanced rate limiting can reduce this unwanted traffic in a more targeted fashion. Still, it's important to note that advanced rate limiting is only fully effective in stopping pure denial-of-service attacks, where an attacker is throwing garbage traffic at your site in an attempt to bring it down. In the other scenarios, advanced rate limiting keeps your site up and running until more permanent controls such as bot management kick in to address the underlying security threat behind the traffic.
Advanced rate limiting is also beneficial in other scenarios unrelated to web attacks. If you’re an e-commerce vendor, for example, you may see a huge increase in traffic around the holiday season or during peak hours of business. If you haven’t been able to provision additional resources to handle this traffic, you can use advanced rate limiting to reduce traffic from search engine bots and other non-mission-critical activity — freeing up your existing resources for the customers who want to do business on your site.
Advanced rate limiting is an intelligent control that you can apply to reduce the number of requests directed at a specific resource on your web application, such as a login form or API call. It helps ensure that excessive bot traffic, whether good or bad, will not negatively affect performance.