Advanced Rate Limiting on Fastly’s Edge

Advanced Rate Limiting in Fastly’s Next-Gen WAF allows customers to protect against a wide spectrum of fraud and abuse, including credential stuffing, carding, and excessive scraping to name a few. Here’s an example of how to use it, but first another piece of big news…

Next-Gen WAF Premier can now be deployed on the Fastly Edge, allowing you to enforce more rate limiting decisions further upstream from your origins.

Advanced Rate Limiting vs. Edge Rate Limiting

Advanced Rate Limiting (ARL) protects you from enumeration style attacks where an attacker is probing your site over time for weaknesses or vulnerabilities. ARL can identify and block these attacks, and follow their patterns across different parts of your application using signals. Attacks like credential stuffing, carding, and excessive scraping can take place over longer periods of time, and with more subtle executions than you might see with a massive, brute force bot attack. 

Edge Rate Limiting (ERL) responds faster than Advanced Rate Limiting — within seconds — to protect you from spiky, fast-paced attacks that require immediate rate limiting responses to protect your site and preserve your performance and uptime. 

Advanced Rate Limiting Example

Many of our customers utilize advanced rate limiting to prevent enumeration attacks with a configuration like what is described here.

This type of rule can be easily applied using the Signal Sciences Terraform provider.

Below is an example of the Advanced Rate Limiting rule implemented via terraform.

#### Rate Limiting Enumeration Attempts - Start
resource "sigsci_site_signal_tag" "bad-response-signal" {
 site_short_name   = var.NGWAF_SITE
 name              = "bad-response"
 description       = "Identification of attacks from malicious IPs"




}




resource "sigsci_site_rule" "enumeration-attack-rule" {
 site_short_name = var.NGWAF_SITE
 type            = "rateLimit"
 group_operator  = "any"
 enabled         = true
 reason          = "Blocking IPs that have too many bad responses. Likely an enumeration attack."
 expiration      = ""




 conditions {
   type      = "single"
   field     = "responseCode"
   operator  = "like"
   value     = "4[0-9][0-9]"
 }
 conditions {
   type      = "single"
   field     = "responseCode"
   operator  = "like"
   value     = "5[0-9][0-9]"
 }
 # actions {
 #   type          = "blockSignal"
 #   signal        = "ALL-REQUESTS"
 #   response_code = 406
 # }




 actions {
   type = "logRequest"
   signal = sigsci_site_signal_tag.bad-response-signal.id
 }




 rate_limit = {
   threshold = 10,
   interval  =  1,
   duration  = 600,
   # clientIdentifiers = "ip" Defaults to IP
 }
 signal = sigsci_site_signal_tag.bad-response-signal.id




 depends_on = [
   sigsci_site_signal_tag.bad-response-signal,
 ]
}




#### Rate Limiting Enumeration Attempts - End

Additional Resources

Read our docs for edge deployment with the Fastly Next-Gen WAF.

Terraform users can check out our updated Signal Sciences Terraform provider, which now supports Next-Gen WAF edge deployments.

How to: Terraform Edge Deployment of Fastly’s Next-Gen WAF in less than 10 minutes!

Get started today

Contact Fastly to get started with protecting your applications from attackers using Fastly’s NGWAF.

Is your cybersecurity strategy too complex to succeed? Hear from over 1,400 IT decision makers.

Read the report
Brooks Cunningham
Senior Security Strategist
Published

1 min read

Want to continue the conversation?
Schedule time with an expert
Share this post
Brooks Cunningham
Senior Security Strategist

As a Senior Security Strategist at Fastly, Brooks focuses on helping customers deliver performant and secure experiences to their end users. He specializes in fraud and abuse use cases, such as account takeover, gift card stuffing, and inventory denial of service.

Ready to get started?

Get in touch or create an account.

Try Fastly FreeTalk to an expert
Fastly
© Fastly 2024