Request Rate Shaping

This chapter explains what Request Rate Shaping is, and how to configure the Traffic Manager to rate-limit requests to your applications.

Request Rate Shaping is not available on all Traffic Manager variants. If required, it can be obtained via a software or license key upgrade.

What Is Request Rate Shaping?

Individual users may dominate the use of a service, to the detriment of other users of the service. A back-end application infrastructure may have limited scalability, being easily overwhelmed when too many requests are given to it. You may wish to restrict the rate at which certain activities can occur, such as sending an email, or logging in to a service, as part of a wider security policy.

Request Rate Shaping allows you to specify limits on a wide range of events, with very fine grained control over how events are identified. You can impose per-second and per-minute rates on these events.

For example:

•You can rate-shape individual web spiders, to stop them overwhelming your web site. Each web spider, from each remote IP address, can be given maximum request rates.

•You can throttle individual SMTP connections, or groups of connections from the same client, so that each connection is limited to a maximum number of sent emails per minute.

•You may also rate-shape new SMTP connections, so that a remote client can only establish new connections at a particular rate.

•You can apply a global rate shape to the number of connections per second that are forwarded to an application.

•You can identify individual user’s attempts to log in to a service, and then impede any dictionary-based login attacks by restricting each user to a limited number of attempts per minute.

Request Rate Limits are imposed using the TrafficScript rate.use() function:

•A virtual server accepts incoming traffic.

•A request rule is run by the virtual server.

•The request rule applies the rate shaping, using the TrafficScript rate.use() function.

Request Rate Limits are most commonly used in TrafficScript request rules, to shape the rate at which requests are processed. They may be used in response rules if desired, and they can be used to restrict other events, but this is not a common requirement.