Announcing Rate Limiting Expansion for Next-Gen WAF

Daniel Corbett

Staff Product Manager, Fastly

Today we’re excited to announce an expansion of advanced rate limiting rules, increased blocking durations, and removal of limitations on non-IP client identifiers. We’re also opening up our edge rate limiting to customers on our Professional security package. Fastly offers rate limiting in a few different places to thwart abusive traffic as well as high-rate DDoS attacks.

Thwarting Abusive Traffic

Rate limiting is a method of limiting network traffic to help protect your websites, APIs, and general infrastructure from being overloaded. Typically it’s used to mitigate abuse or misuse, but it can also be used to lessen the impact of a misconfigured client. Alternatively, rate limiting can be used as a tool to protect components of your site that are fragile or incapable of handling a sudden influx of traffic.

We’ve heard your feedback on wanting more rate limiting rules along with flexible client identifiers to allow for pinpoint accuracy when it comes to identifying malicious users. We know you also require granular control over blocking durations for each microservice within your web application.

Starting today, for Premier package customers, we have bumped up the number of rate limit rules from 10 to 15, and removed the restriction on non-IP client identifiers. We are also providing further flexibility regarding rate-limiting durations by allowing you to rate limit attackers for up to 24 hours. The extended block time helps in cases where attackers keep using the same attack tooling for extended periods of time.

Stopping High-rate DDoS at the Edge

Advanced rate limit rules in the Fastly Next-Gen WAF provide protection based on signals, but sometimes you need to stop excessive traffic bursts farther from your application. These so-called “cache-busting” attacks skip the inherent protection offered by Fastly’s caching layer and can overwhelm back-end applications, taking your entire service or API offline. For these types of attacks, Fastly offers edge rate limiting, which is now available for Professional package customers who also utilize Fastly Delivery. Edge rate limiting offers fast time to detection (TTD) – as fast as one second – to help put the brakes on high-rate traffic bursts.

Finally, customers in both the Professional and Premier packages now have access to 200 signals per site as well as per corp.

Next steps

If you are currently a Fastly Next-Gen WAF customer, you have access to the above-mentioned improvements within your security package tier today. If you’re not a customer, reach out to us to see how our rate limiting capabilities can stop abusive traffic from impacting your sites and APIs.