Limit Requests Per Second Handler

Purpose

The Limit Requests Per Second Handler limits the maximum number of requests to be processed per time unit.

In the process, vWAF uses a token bucket procedure (see Glossary). If the permitted contingent of pending requests is exceeded, vWAF denies further requests with HTTP error code 503 (Service Unavailable) until more tokens are available.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

This handler should only be used in special cases and path-specifically, e.g. for queries that are particularly demanding in terms of computing power.

Attributes

Attribute Meaning

requests per second

Maximum average number of requests permissible per second that can be processed by your web application.

Note that this information only relates to the IP address ranges under limit per client ip4 range and the IP address ranges under limit per client ip6 range, as well as to the path for which you configure the Limit Requests Per Second Handler.

You can also specify decimal fractions with a dot as the decimal indicator.

Example: 10.5

max tokens

The maximum number of requests that can be collected in the "bucket" during peak times (see Glossary: Token Bucket Procedure).

limit per client ip4 range

Size of the range of IPv4 addresses to which the limited number of requests given under requests per second is to apply:

  • /0: for all IP addresses
  • /16: for every 256 × 256 = 65536 IP addresses
  • /24: for every 256 IP addresses
  • /32: for each individual IP address

limit per client ip6 range

Size of the range of IPv6 addresses to which the limited number of requests given under requests per second is to apply:

  • /0: applies the limit globally
  • /16, /24, /32, /48 and /56: applies the limit to a range of IP addresses
  • /64: applies the limit to a single network
  • /128: applies the limit to a single IP address

ip range whitelist

List of IPv4 and IPv6 address ranges (for syntax, see Specifying IP Addresses).

No restriction applies to these IP address ranges; the Limit Requests Per Second Handler is therefore not active for requests with IP addresses from these ranges.

Address ranges for private networks are already included by default.
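The following added example (not vWAF's own code) shows how the attributes above combine in a token bucket limiter: each client range (the /24 or /64 the request's address falls into, or /0 for a single global bucket) gets its own bucket that starts full at max tokens, refills at requests per second (fractions such as 10.5 allowed), and answers 503 once it is empty, while whitelisted ranges bypass the check. The class name, the injectable clock and the default whitelist of RFC 1918 and unique-local ranges are assumptions made for the example; the sample addresses are constructed.

```python
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available for this client range
    last: float     # clock reading of the last refill


class LimitRequestsPerSecond:
    """Token bucket limiter keyed per client IP range (example, not vWAF code)."""

    # Assumed default whitelist: private IPv4 ranges and IPv6 unique-local addresses.
    DEFAULT_WHITELIST = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")

    def __init__(self, requests_per_second, max_tokens, ip4_range=32, ip6_range=128,
                 whitelist=DEFAULT_WHITELIST, clock=time.monotonic):
        self.rate = float(requests_per_second)   # refill rate; may be fractional, e.g. 10.5
        self.max_tokens = float(max_tokens)      # bucket capacity absorbed during peaks
        self.ip4_range = ip4_range               # prefix length, e.g. 24 -> one bucket per 256 addresses
        self.ip6_range = ip6_range               # prefix length, e.g. 64 -> one bucket per network
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.clock = clock                       # injectable so the refill can be tested deterministically
        self.buckets = {}

    def _key(self, addr):
        # Collapse the client address to its configured range; /0 yields a single global bucket.
        prefix = self.ip4_range if addr.version == 4 else self.ip6_range
        return ipaddress.ip_network((addr, prefix), strict=False)

    def handle(self, client_ip):
        """Return 200 if the request may proceed, 503 if the client's range has no token left."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.whitelist):
            return 200                           # handler is not active for whitelisted ranges
        key = self._key(addr)
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=self.max_tokens, last=now)
            self.buckets[key] = bucket
        # Refill proportional to elapsed time, never beyond max tokens.
        bucket.tokens = min(self.max_tokens, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return 200
        return 503                               # Service Unavailable until more tokens accrue


class FakeClock:
    """Manually advanced clock used to make the refill behaviour reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = FakeClock()
    limiter = LimitRequestsPerSecond(requests_per_second=10.5, max_tokens=3,
                                     ip4_range=24, ip6_range=64, clock=clock)
    results = []
    # Burst of four from one client: three pass (bucket capacity), the fourth is refused.
    for _ in range(4):
        results.append(limiter.handle("203.0.113.10"))
    # Another host in the same /24 shares the (now empty) bucket.
    results.append(limiter.handle("203.0.113.77"))
    # After 0.2 s at 10.5 requests/s, 2.1 tokens have accrued: two more pass, the third does not.
    clock.advance(0.2)
    for _ in range(3):
        results.append(limiter.handle("203.0.113.10"))
    # Private address range is whitelisted, so it is never limited.
    results.append(limiter.handle("192.168.1.5"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running the demo yields a list of status codes; the IPv6 behaviour is the same with the /64 key, so two hosts in one /64 share a bucket while a host in a neighbouring /64 gets its own.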

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.