If HTTP flood attacks increase the response time of your website, you can use the rate limiting feature of Dynamic Route for CDN (DCDN) to block specific requests that are sent to your website. This feature blocks matching requests within seconds and improves website security. This topic describes how to configure rate limiting.

Note: To use this feature, purchase Secure DCDN and submit a ticket.

You can set the following parameters. The parameters take effect for all rules.

Parameter Check: Select Yes or No.

When the system matches a request against a rate limiting rule, it first compares the Uniform Resource Identifier (URI) of the request. If parameter check is enabled, the rule is compared against the full request URI, including the query parameters that were sent with the request. Parameter check applies only to URIs. The custom match rules that are set in the Custom control mode are not affected by this feature.

Control Mode: You can select one of the following modes:
  • Normal

    The default rate limiting mode. Select this mode to prevent false positives if the network traffic of your website is within the expected range.

  • Emergency

    Select this mode if your website responds slowly and exceptions are detected in network traffic, CPU usage, memory usage, or other performance indicators.

  • Custom

    Select this mode if you want to customize rate limiting rules based on your business requirements. This mode does not provide default rules. You must set custom rules based on your business requirements.

Follow the instructions to create a custom rule. The following parameters are available.

Rule Name: The name must be 4 to 30 characters in length, and can contain letters and digits. The names of rules that are set for the same accelerated domain name must be unique.

URI: Enter the URI that you want to protect, for example, /register. You can include parameters in the URI. If you want the rule to apply to the entire URI, including the parameters, you must also enable the parameter check feature. Example: /user?action=login.

Matching Mode: You can select one of the following match rules. By default, a rate limiting rule applies the match rules in the following order: exact match, prefix match, and fuzzy match. You can adjust the priorities of the match rules in a rate limiting rule; the match rules are listed and evaluated in order of priority.
  • Exact Match

    In this mode, requests are counted only if the request URI exactly matches the specified URI.

  • Prefix Match

    In this mode, requests are counted if the request URI starts with the specified URI. For example, if the URI is set to /register, all requests that are sent to /register.html are counted.

  • Fuzzy Match

    In this mode, requests are counted if the request URI matches the specified regular expression. Regular expressions support only periods (.) and asterisks (*). A period (.) matches any single character. An asterisk (*) matches the preceding character any number of times, including zero times.

Interval: Set a time period during which request statistics are collected. This parameter takes effect only if you specify a check object. The time period must be from 10 seconds to 600 seconds.

Check and Block Object: You can select one of the following types of objects:
  • Source IP
  • Header
  • Domain
  • URL Parameter

Matching Rule: You can click Add Rule and set the following parameters: Type, Option, Operator, and Value.

Action: Specify an action to be performed after a request matches the specified match rule. If the Action parameter is set to Block, also specify the period of time that the source IP address remains blocked.
  • Block

    If this action is triggered, an HTTP 403 is returned to the request.

  • Bot Detection

    If this action is triggered, an HTTP 200 is returned to the request and the request is redirected for verification. If the request passes the verification, it is allowed to access the requested resources. For example, if an IP address initiates requests more than five times within 20 seconds, human-machine identification is triggered. All requests from the IP address within the next 10 minutes are verified. Requests from this IP address are allowed to access resources only if the IP address passes human-machine identification.

TTL: Specify how long IP addresses remain blocked. The time period must be at least 60 seconds.

The following list shows some sample custom rules.
  • 4xx or 5xx errors: check object IP, interval 10 seconds, matching rule "status_ratio|404">60%&&"count">50, action Block, TTL 10 minutes.
  • Anomalies of queries per second (QPS): check object Domains, interval 10 seconds, matching rule "count">N, action Human-machine identification, TTL 10 minutes.
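The following Python model is an added example, not DCDN code, that reproduces the rule semantics described in this topic (the custom rule parameters and the two sample rules above) so that you can reason about how a rule behaves before deploying it: the three matching modes, the parameter check toggle, the statistics interval, the Block and Bot Detection actions with their TTL, and a 404 ratio condition. The class names, the `check_object` values (only `ip` and `domain` are modeled; Header and URL Parameter are not), and the assumption that every matching rule counts a request while the highest-priority rule that fires decides the outcome are this example's own.

```python
import re
from collections import defaultdict, deque

# Constructed model of the rate-limiting semantics described in this topic.
# It is not DCDN code; class and parameter names are this example's own.

BLOCK, CHALLENGE, ALLOW = "block", "challenge", "allow"
MATCH_PRIORITY = {"exact": 0, "prefix": 1, "fuzzy": 2}  # default evaluation order


class Rule:
    """One custom rate limiting rule (the parameters described above)."""

    def __init__(self, name, uri, mode, interval, max_count, action, ttl=60,
                 check_object="ip", param_check=False, min_404_ratio=None):
        # Validation mirrors the limits stated in the topic.
        if not (4 <= len(name) <= 30 and name.isalnum()):
            raise ValueError("rule name: 4 to 30 letters and digits")
        if not 10 <= interval <= 600:
            raise ValueError("interval: 10 to 600 seconds")
        if ttl < 60:
            raise ValueError("TTL: at least 60 seconds")
        self.name, self.uri, self.mode = name, uri, mode
        self.interval, self.max_count, self.action, self.ttl = interval, max_count, action, ttl
        self.check_object, self.param_check = check_object, param_check
        self.min_404_ratio = min_404_ratio  # e.g. 0.6 for "status_ratio|404" > 60%
        if mode == "fuzzy":
            # Only "." and "*" are metacharacters; everything else ("?", "&", ...) is literal.
            pattern = "".join(ch if ch in ".*" else re.escape(ch) for ch in uri)
            self._regex = re.compile(pattern)

    def matches(self, request_uri):
        # Without parameter check only the path is compared; with it, the full URI is.
        target = request_uri if self.param_check else request_uri.split("?", 1)[0]
        if self.mode == "exact":
            return target == self.uri
        if self.mode == "prefix":
            return target.startswith(self.uri)
        if self.mode == "fuzzy":
            return self._regex.fullmatch(target) is not None
        raise ValueError("unknown matching mode: " + self.mode)


class RateLimiter:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: MATCH_PRIORITY[r.mode])
        self.window = defaultdict(deque)  # (rule name, key) -> deque of (timestamp, status)
        self.expires = {}                 # (rule name, key) -> end of block/verification period

    def handle(self, ip, host, request_uri, origin_status, now):
        """Decide what happens to one request (assumption: every matching rule counts
        the request, and the highest-priority rule that fires decides)."""
        decision = ALLOW
        for rule in self.rules:
            if not rule.matches(request_uri):
                continue
            key = (rule.name, ip if rule.check_object == "ip" else host)
            if now < self.expires.get(key, 0):
                fired = True  # still inside the TTL: blocked or still being verified
            else:
                events = self.window[key]
                events.append((now, origin_status))
                while events and events[0][0] <= now - rule.interval:  # drop old events
                    events.popleft()
                count = len(events)
                fired = count > rule.max_count
                if fired and rule.min_404_ratio is not None:
                    fired = sum(s == 404 for _, s in events) / count > rule.min_404_ratio
                if fired:
                    self.expires[key] = now + rule.ttl
            if fired and decision == ALLOW:
                decision = BLOCK if rule.action == BLOCK else CHALLENGE
        return decision


def http_status(decision, origin_status):
    """Block answers HTTP 403; bot detection answers HTTP 200 with the verification page."""
    return {BLOCK: 403, CHALLENGE: 200}.get(decision, origin_status)


if __name__ == "__main__":
    # Constructed traffic: the Bot Detection example from above (more than five
    # requests within 20 seconds from one IP address triggers verification).
    limiter = RateLimiter([Rule("Register", "/register", "exact", 20, 5, CHALLENGE, ttl=600)])
    for t in range(7):
        d = limiter.handle("203.0.113.7", "www.example.com", "/register", 200, t)
        print(t, d, http_status(d, 200))
```

Running the model with the two sample rules shows the difference between them: the error rule keys on the source IP and fires only when more than 50 requests in 10 seconds are mostly 404s, so a busy but healthy client is left alone, while the QPS rule keys on the domain and challenges everyone once the domain-wide count exceeds N.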