If your website is flooded by HTTP requests and its responses become sluggish as a result, you can enable the rate limiting feature. When rate limiting is enabled, Dynamic Route for CDN (DCDN) identifies IP addresses that send an abnormal number of requests and limits the requests coming from those IP addresses. This improves website security.

Notice: The rate limiting feature is suspended. We recommend that you use DCDN WAF (new edition).

Enable the rate limiting feature

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
  4. In the left-side navigation pane of the domain name, click Security Settings.
  5. Click the Rate Limiting tab.
  6. Turn on Rate Limiting.
  7. Click Modify.
  8. In the Rate Limiting dialog box, turn on Parameter Check and configure Limiting Mode.
    Configure rate limiting
    Parameter: Description
    Parameter Check: After Parameter Check is enabled, URIs retain all parameters and are matched against rate limiting rules. Parameter Check checks only URIs. Custom matching rules that are configured for the custom rate limiting mode do not apply to this feature.
    Note: Parameter Check takes effect only in custom rate limiting rules.
    Limiting Mode: You can select one of the following modes:
    • Normal

      The default rate limiting mode. Select this mode to reduce false positives if the network traffic of your website is within the expected range.

    • Emergency

      Select this mode if the response speed of your website is sluggish, and metrics such as network traffic, CPU usage, and memory usage are outside the normal range.

    • Custom

      Select this mode if you want to create custom rate limiting rules based on your business requirements. This mode detects requests frequently sent from IP addresses and helps mitigate HTTP flood attacks. For more information about how to add a custom rule, see Create a custom rate limiting rule.

Create a custom rate limiting rule

Notice
  • If you set Limiting Mode to Custom, you must create a custom rate limiting rule. Other limiting modes do not require custom rate limiting rules.
  • You can create a maximum of five custom rate limiting rules.
  1. Click Add Rule on the right side of Custom Rules.
  2. Follow the on-screen instructions to create a custom rate limiting rule. The following table describes the parameters that you can configure.
    Custom rule
    Parameter: Description
    Cluster Name:
    • The name must be 4 to 30 characters in length and can contain letters and digits.
    • The names of rules that are configured for the same domain name must be unique.
    URI: Enter the URI that you want to protect, for example, /register. If the URI contains parameters, for example, /user?action=login, you must turn on Parameter Check.
    Match Mode: You can select one of the following match modes. By default, match modes are listed and executed in the following order: exact match, prefix match, and fuzzy match. You can adjust the priorities of the match modes in a rate limiting rule. Then, the match modes are listed and executed based on their priorities.
    • Prefix Match

      In this mode, the rate of requests that originate from URIs that start with the specified URI is monitored. For example, if the URI is set to /register, the rate of requests that originate from /register.html is monitored.

    • Exact Match

      In this mode, the rate of requests that originate from URIs that exactly match the specified URI is monitored.

    • Regex Match

      In this mode, the rate of requests whose request body matches the specified regular expression is monitored.

    Monitored Object: You can select one of the following objects that you want to monitor:
    • Client IP Address
    • Request Header
    • URL Parameter
    Interval: Set a time period during which the rate of requests is monitored. This parameter takes effect only if you specify a monitored object. The interval must be greater than or equal to 10 seconds.
    Match Against: Click Add Rule and set the following parameters: Type, Parameter, Relational Operator, and Value.
    Note: The number of requests that match the specified rule is monitored on each DCDN node. It may take some time to trigger the rate limiting rule. You can send more requests to the DCDN nodes to trigger the rule.
    Action: Specify an action to be performed after the specified condition is triggered. You can select Block or CAPTCHA.
    • Block

      If this action is triggered, the HTTP 403 status code is returned to all requests.

    • CAPTCHA

      If this action is triggered, the HTTP 200 status code is returned and the request is redirected to a verification challenge. The request is allowed to access the requested resources only if it successfully completes the verification challenge.

      For example, if an IP address initiates more than five requests within 20 seconds, CAPTCHA is triggered. All requests from the IP address within the following 10 minutes are presented with a verification challenge. Requests from this IP address are allowed to access resources only if the requests pass the verification challenge.

    TTL: Specify the time period that IP addresses remain blocked. The time period must be at least 60 seconds.
  3. Click OK.

Examples

The following examples show how to create a custom rule.

Scenario: 4xx or 5xx errors
  • Monitored object: IP
  • Interval: 10 seconds
  • Matching against: "status_ratio|404">60%&&"count">50
  • Action: Block
  • TTL: 10 minutes
  • Expected result: If the percentage of the HTTP 404 status code among all HTTP status codes returned to an IP address reaches 60%, and at least 50 requests are coming from the IP address, the IP address is blocked for 10 minutes. All requests from the IP address receive the HTTP 403 status code.

Scenario: Queries per second (QPS) errors
  • Monitored object: Domain name
  • Interval: 10 seconds
  • Matching against: "count">N
    Note: Specify a value for N based on your business requirements.
  • Action: CAPTCHA
  • TTL: 10 minutes
  • Expected result: If the number of requests that are sent to a domain name reaches the value of N, CAPTCHA is triggered. Within the next 10 minutes, all requests sent to the domain name are presented with a verification challenge. Requests are allowed to access the domain name only if the requests pass the verification challenge.
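
The 4xx/5xx example rule combined with the per-node counting note, modelled as an added sketch. This is not Alibaba Cloud code: the sliding-window model, the names NodeLimiter and simulate, and the traffic are assumptions constructed for illustration, and the thresholds use strict ">" as the expression is written. It shows why a rule sized against a client's total request rate may trigger late or not at all when each node sees only part of that traffic.

```python
from collections import defaultdict, deque

# Values from the first example row: "status_ratio|404">60%&&"count">50
INTERVAL, TTL = 10, 600          # seconds: Interval 10 s, TTL 10 minutes
RATIO, COUNT = 0.60, 50          # compared with strict ">" as the expression is written

class NodeLimiter:
    """One node's view of the rule (hypothetical sliding-window model)."""

    def __init__(self):
        self.window = defaultdict(deque)   # ip -> (timestamp, status) pairs
        self.blocked_until = {}            # ip -> time the block expires

    def handle(self, ts, ip, origin_status):
        """Return the status code the client receives for one request."""
        if self.blocked_until.get(ip, 0) > ts:
            return 403                     # Block action: 403 until the TTL ends
        w = self.window[ip]
        w.append((ts, origin_status))
        while w[0][0] <= ts - INTERVAL:    # drop entries older than the interval
            w.popleft()
        ratio_404 = sum(s == 404 for _, s in w) / len(w)
        if ratio_404 > RATIO and len(w) > COUNT:
            self.blocked_until[ip] = ts + TTL
            w.clear()
        return origin_status

def simulate(n_nodes, n_requests=800, rate=8):
    """Constructed traffic: one client at `rate` req/s, 80% of responses 404,
    spread round-robin over n_nodes. Returns how many requests received 403."""
    nodes = [NodeLimiter() for _ in range(n_nodes)]
    blocked = 0
    for i in range(n_requests):
        status = 200 if i % 5 == 0 else 404
        if nodes[i % n_nodes].handle(i / rate, "198.51.100.7", status) == 403:
            blocked += 1
    return blocked

if __name__ == "__main__":
    for n in (1, 4):
        print(f"{n} node(s): {simulate(n)} of 800 requests blocked")
```

In this model the count threshold applies to what a single node observes, so choose it from the per-node request rate you expect rather than the client's total rate.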