How Does Rate Limiting for Custom Rules Work?
The administrator can configure rate limiting when adding or editing a rule chain from the Web Application Firewall > Rules page. When rate limiting is enabled for a new rule chain, the action for the rule chain is triggered only when the number of matches within a configured time period is above the configured threshold.
This type of protection is useful in preventing brute-force and dictionary attacks. An example rule chain with a Rule Chain ID of 15002 is available in the management interface for administrators to use as a reference.
The associated fields are exposed when Enable Hit Counters is selected at the bottom of the New Rule Chain or Edit Rule Chain screens.
After a rule chain is matched, Web Application Firewall keeps an internal counter to track how many times the rule chain is matched. The Max Allowed Hits field contains the number of matches that must occur before the rule chain action is triggered. If the rule chain is not matched for the number of seconds configured in the Reset Hit Counter Period (seconds) field, then the counter is reset to zero.
Rate limiting can be enforced per remote IP address, per user session, or both. Track Per Remote Address enables rate limiting based on the attacker’s remote IP address.
The Track Per Remote Address option uses the remote address as seen by the SMA appliance. When the attack uses multiple clients behind a firewall that is configured with NAT, the different clients effectively send packets with the same source IP address and are counted together.
Track Per Session enables rate limiting based on the attacker’s browser session. This method sets a cookie for each browser session. Tracking by user session is not as effective as tracking by remote IP if the attacker initiates a new user session for each attack.
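The following simulation, added here as an illustration and not SonicWall's code, models the hit-counter behaviour described above: each rule-chain match increments a counter, the counter resets after Reset Hit Counter Period seconds without a match, and the action fires once the count exceeds Max Allowed Hits. It assumes that "both" tracking options means two independent counters (per remote address and per session cookie) with the action firing if either one exceeds the threshold, and that the action fires on the first match strictly above the threshold; the IP addresses, session cookie names and timing are constructed sample data. The scenarios show the two caveats in the text: clients behind one NAT address share a counter, and per-session tracking alone does not catch a client that presents a fresh session cookie on every attempt.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class HitCounterRule:
    """Hit-counter state for one rule chain with Enable Hit Counters selected.

    Added example, not the appliance's implementation. Assumed semantics:
    the action fires on the first match whose count is strictly greater than
    max_allowed_hits; a counter restarts from zero when more than
    reset_period seconds have passed since its last match.
    """
    max_allowed_hits: int              # "Max Allowed Hits"
    reset_period: float                # "Reset Hit Counter Period (seconds)"
    track_per_remote_address: bool = True
    track_per_session: bool = False
    # (dimension, value) -> (hits so far, time of the last match)
    _counters: Dict[Tuple[str, str], Tuple[int, float]] = field(default_factory=dict)

    def _bump(self, key: Tuple[str, str], now: float) -> int:
        count, last = self._counters.get(key, (0, now))
        if now - last > self.reset_period:
            count = 0                  # idle longer than the reset period: start over
        count += 1
        self._counters[key] = (count, now)
        return count

    def on_match(self, now: float, remote_addr: str, session_id: Optional[str] = None) -> bool:
        """Record one rule-chain match at time `now`; return True if the action fires."""
        keys = []
        if self.track_per_remote_address:
            keys.append(("addr", remote_addr))
        if self.track_per_session and session_id is not None:
            keys.append(("session", session_id))
        if not keys:
            return True                # assumption: no tracking dimension -> plain rule, fires on every match
        hits = [self._bump(k, now) for k in keys]   # bump every enabled counter
        return max(hits) > self.max_allowed_hits


def attempt_that_triggers(max_hits: int = 5, reset_period: float = 10.0) -> int:
    """One client retrying once per second; returns the attempt number at which the action fires."""
    rule = HitCounterRule(max_hits, reset_period)
    for attempt in range(1, 100):
        if rule.on_match(now=float(attempt), remote_addr="203.0.113.7"):
            return attempt
    return 0


def idle_gap_resets_counter(max_hits: int = 5, reset_period: float = 10.0, gap: float = 11.0) -> bool:
    """Attempts spaced wider than the reset period never accumulate; returns True if the action never fires."""
    rule = HitCounterRule(max_hits, reset_period)
    fired = [rule.on_match(now=i * gap, remote_addr="203.0.113.7") for i in range(1, 30)]
    return not any(fired)


def nat_clients_counted_together(max_hits: int = 5, reset_period: float = 10.0) -> int:
    """Distinct browsers behind one NAT address, per-address tracking only.

    Each client makes a single attempt; returns the client number at which the
    shared counter crosses the threshold (0 if it never does).
    """
    rule = HitCounterRule(max_hits, reset_period, track_per_remote_address=True)
    for client in range(1, 20):
        # the appliance only sees the NAT gateway's address; session cookies differ per browser
        if rule.on_match(now=float(client), remote_addr="198.51.100.1", session_id=f"browser-{client}"):
            return client
    return 0


def session_rotation(track_per_remote_address: bool, max_hits: int = 5, reset_period: float = 10.0) -> bool:
    """A client that presents a fresh session cookie on every attempt.

    With per-session tracking only, every cookie starts its own counter and the
    action never fires; adding Track Per Remote Address catches it.
    """
    rule = HitCounterRule(max_hits, reset_period,
                          track_per_remote_address=track_per_remote_address,
                          track_per_session=True)
    fired = [rule.on_match(now=float(i), remote_addr="203.0.113.7", session_id=f"sess-{i}")
             for i in range(20)]
    return any(fired)


if __name__ == "__main__":
    print("steady retries fire on attempt", attempt_that_triggers())
    print("slow retries never fire:", idle_gap_resets_counter())
    print("NAT clients fire at client", nat_clients_counted_together())
    print("session rotation, per-session only:", session_rotation(track_per_remote_address=False))
    print("session rotation, both dimensions:", session_rotation(track_per_remote_address=True))
```

The last two scenarios are the practical takeaway: per-session tracking on its own should be combined with Track Per Remote Address, while the NAT scenario shows why a shared address can trip the threshold with legitimate traffic and why the threshold and reset period need to be sized for the population behind any single egress address.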