Advanced Rate Limiting on Fastly’s Edge
Advanced Rate Limiting in Fastly’s Next-Gen WAF allows customers to protect against a wide spectrum of fraud and abuse, including credential stuffing, carding, and excessive scraping to name a few. Here’s an example of how to use it, but first another piece of big news…
Next-Gen WAF Premier can now be deployed on the Fastly Edge, allowing you to enforce more rate limiting decisions further upstream from your origins.
Advanced Rate Limiting vs. Edge Rate Limiting
Advanced Rate Limiting (ARL) protects you from enumeration style attacks where an attacker is probing your site over time for weaknesses or vulnerabilities. ARL can identify and block these attacks, and follow their patterns across different parts of your application using signals. Attacks like credential stuffing, carding, and excessive scraping can take place over longer periods of time, and with more subtle executions than you might see with a massive, brute force bot attack.
Edge Rate Limiting (ERL) responds faster than Advanced Rate Limiting — within seconds — to protect you from spiky, fast-paced attacks that require immediate rate limiting responses to protect your site and preserve your performance and uptime.
Advanced Rate Limiting Example
Many of our customers utilize advanced rate limiting to prevent enumeration attacks with a configuration like what is described here.
This type of rule can be easily applied using the Signal Sciences Terraform provider.
Below is an example of the Advanced Rate Limiting rule implemented via terraform.
#### Rate Limiting Enumeration Attempts - Start
resource "sigsci_site_signal_tag" "bad-response-signal" {
site_short_name = var.NGWAF_SITE
name = "bad-response"
description = "Identification of attacks from malicious IPs"
}
resource "sigsci_site_rule" "enumeration-attack-rule" {
site_short_name = var.NGWAF_SITE
type = "rateLimit"
group_operator = "any"
enabled = true
reason = "Blocking IPs that have too many bad responses. Likely an enumeration attack."
expiration = ""
conditions {
type = "single"
field = "responseCode"
operator = "like"
value = "4[0-9][0-9]"
}
conditions {
type = "single"
field = "responseCode"
operator = "like"
value = "5[0-9][0-9]"
}
# actions {
# type = "blockSignal"
# signal = "ALL-REQUESTS"
# response_code = 406
# }
actions {
type = "logRequest"
signal = sigsci_site_signal_tag.bad-response-signal.id
}
rate_limit = {
threshold = 10,
interval = 1,
duration = 600,
# clientIdentifiers = "ip" Defaults to IP
}
signal = sigsci_site_signal_tag.bad-response-signal.id
depends_on = [
sigsci_site_signal_tag.bad-response-signal,
]
}
#### Rate Limiting Enumeration Attempts - End
Additional Resources
Read our docs for edge deployment with the Fastly Next-Gen WAF.
Terraform users can check out our updated Signal Sciences Terraform provider, which now supports Next-Gen WAF edge deployments.
How to: Terraform Edge Deployment of Fastly’s Next-Gen WAF in less than 10 minutes!
Get started today
Contact Fastly to get started with protecting your applications from attackers using Fastly’s NGWAF.
Is your cybersecurity strategy too complex to succeed? Hear from over 1,400 IT decision makers.