Rate limiting is primarily handled outside the WAF, but to meet specific customer requirements a rate-limiting capability is also included in the WAF. This topic explains rate limiting as implemented in the WAF.

Use Case for WAF Rate Limiting

The main use case addressed by WAF rate limiting is to limit calls to the /login action to 10 requests per minute per client IP address.

To address this need, the @rateLimit operator is implemented as an extension to the rule language.

The @rateLimit operator accepts up to three positional arguments. Macro expansion is not supported, so all arguments must be literal values.

  • requests - the number of requests permitted per time window (number)

  • time window - a number followed by a time unit: s (seconds), m (minutes) or h (hours), for example 1m

  • burst size - (optional number)

Each rate limiter is uniquely identified by the virtual service and the rule ID, so every rule gets its own rate limiter. Within a rate limiter, the counters are keyed by the match element name and the match element value (for example, the variable REMOTE_ADDR and the client IP address it holds), so each distinct value is limited independently.

The current use case is to limit the number of POST requests to /login to 10 requests per minute per IP. The following rule implements it.

SecRule REQUEST_METHOD "^POST$" "id:42,phase:1,t:none,block,chain"
    SecRule REQUEST_URI "@contains /login" "t:none,chain"
       SecRule REMOTE_ADDR "@rateLimit 10 1m"

The rule reads as follows.

  • If the request method is POST

    • AND the request URI contains /login

      • For every client IP address (REMOTE_ADDR), allow at most 10 requests per 1m (one minute).

      • If this limit is exceeded, the whole chain matches and the request is blocked.

Two points are worth noting when adapting this rule. First, the disruptive action (block) is declared on the first rule of the chain and is applied only when all three chained rules match, so the rate limiter in the last rule only counts requests that are POSTs to a /login URI; other requests from the same IP are never counted against it. Second, @contains /login is a substring match on REQUEST_URI (which includes the query string), so URIs such as /login/help or /account?next=/login are also rate limited; use a stricter operator such as @beginsWith or @streq if only the exact login action should be limited.
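To make the argument syntax and the per-rule, per-value keying concrete, here is an added executable model of the operator and of the chained rule above. It is example code written for this page, not code from the WAF product: the argument format ("requests", a "number plus s/m/h" window, an optional burst), the limiter keyed by virtual service and rule ID with counters per (match element name, match element value), and the POST /login chain are taken from the text; the token-bucket interpretation (burst size as bucket capacity, defaulting to the request count, and requests/window as the refill rate), the virtual service name vs-web, and the traffic in simulate() are assumptions constructed for the illustration.

```python
"""Executable model of the WAF @rateLimit operator described above.

Added example, not code from the WAF itself. The token-bucket semantics
(burst = bucket capacity, requests / window = refill rate) are an assumption;
the page only states the arguments and the per-rule, per-value keying.
"""
import re
from dataclasses import dataclass

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
# "<requests> <number><s|m|h> [<burst>]", e.g. "10 1m" or "100 1h 20"
_ARG_RE = re.compile(r"^\s*(\d+)\s+(\d+)([smh])(?:\s+(\d+))?\s*$")


@dataclass(frozen=True)
class RateLimitSpec:
    requests: int        # requests permitted per window
    window_seconds: int  # window length converted to seconds
    burst: int           # bucket capacity; defaults to `requests` (assumption)


def parse_ratelimit_args(args: str) -> RateLimitSpec:
    """Parse the operator's literal argument string. Macros are not supported,
    so anything that is not three literal tokens is a configuration error."""
    m = _ARG_RE.match(args)
    if not m:
        raise ValueError(f"bad @rateLimit arguments: {args!r}")
    requests = int(m.group(1))
    window = int(m.group(2)) * _UNIT_SECONDS[m.group(3)]
    burst = int(m.group(4)) if m.group(4) else requests
    if requests < 1 or window < 1 or burst < 1:
        raise ValueError("requests, window and burst must all be >= 1")
    return RateLimitSpec(requests, window, burst)


@dataclass
class _Bucket:
    tokens: float  # tokens currently available
    last: float    # timestamp of the last update


class RateLimiter:
    """One limiter per (virtual service, rule id). Counters inside it are keyed
    by (match_element_name, match_element_value), e.g. ("REMOTE_ADDR", "10.0.0.1")."""

    def __init__(self, virtual_service: str, rule_id: int, spec: RateLimitSpec):
        self.virtual_service = virtual_service
        self.rule_id = rule_id
        self.spec = spec
        self._buckets = {}  # (element_name, element_value) -> _Bucket
        self._refill_per_second = spec.requests / spec.window_seconds

    def allow(self, element_name: str, element_value: str, now: float) -> bool:
        """Consume one token for this key; True if the request is within the limit."""
        key = (element_name, element_value)
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.spec.burst), last=now)
            self._buckets[key] = bucket
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(self.spec.burst),
                            bucket.tokens + elapsed * self._refill_per_second)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def evaluate_login_rule(limiter: RateLimiter, method: str, uri: str,
                        remote_addr: str, now: float) -> str:
    """Mirror of the three-rule chain: the disruptive action on the first rule
    fires only when every chained rule matches. Returns "pass" or "block"."""
    if method != "POST":        # SecRule REQUEST_METHOD "^POST$"
        return "pass"
    if "/login" not in uri:     # SecRule REQUEST_URI "@contains /login"
        return "pass"
    # SecRule REMOTE_ADDR "@rateLimit 10 1m": over the limit -> chain matches -> block
    return "pass" if limiter.allow("REMOTE_ADDR", remote_addr, now) else "block"


def simulate() -> dict:
    """Constructed traffic against rule id 42 on a hypothetical virtual service."""
    limiter = RateLimiter("vs-web", 42, parse_ratelimit_args("10 1m"))
    t0 = 1_700_000_000.0
    # 12 POST /login from one IP, 0.4 s apart: the 11th and 12th exceed 10 per minute
    same_ip = [evaluate_login_rule(limiter, "POST", "/login", "10.0.0.1", t0 + 0.4 * i)
               for i in range(12)]
    # a different IP has its own counter, so it is unaffected
    other_ip = evaluate_login_rule(limiter, "POST", "/login", "10.0.0.2", t0 + 5.0)
    # GET /login and POSTs elsewhere never reach the limiter
    get_login = evaluate_login_rule(limiter, "GET", "/login", "10.0.0.1", t0 + 5.0)
    post_other = evaluate_login_rule(limiter, "POST", "/api/items", "10.0.0.1", t0 + 5.0)
    # a full window later the first IP's bucket has refilled
    after_window = evaluate_login_rule(limiter, "POST", "/login", "10.0.0.1", t0 + 70.0)
    return {"same_ip": same_ip, "other_ip": other_ip, "get_login": get_login,
            "post_other": post_other, "after_window": after_window}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running simulate() shows the behaviour the rule explanation describes: the first ten POST /login requests from 10.0.0.1 pass and the next two are blocked, a second IP is limited independently, GET /login and POSTs to other paths are never counted, and the first IP is allowed again once a minute has elapsed. Because @rateLimit does not support macros, parse_ratelimit_args rejects anything other than literal arguments, which is the failure you would hit when trying to write "%{tx.window}" in the rule.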