Rate limiting

Bunny Shield's rate limiting is a critical feature of its Web Application Firewall (WAF) that helps prevent abuse of your web resources by controlling the number of requests a client can make to your application within a given timeframe. This feature is essential in mitigating brute force attacks, Distributed Denial-of-Service (DDoS) attacks, and other types of automated abuse.
In this section, we’ll guide you through configuring rate limiting rules to protect your application effectively without impacting legitimate users.

What is rate limiting?

Rate limiting is a technique used to control the flow of incoming traffic to a server by restricting the number of requests a client—be it a user, an IP address, or a specific application—can make within a predetermined period. When a client exceeds the defined request limit, additional requests are either blocked or delayed. This mechanism is essential in preventing server overload, mitigating abusive behavior, and ensuring the fair use of resources.

In the context of Bunny Shield's WAF, rate limiting can be finely tuned to match your application's specific needs. It allows you to set thresholds based on various criteria, providing flexibility in how you manage and protect your web resources.

Common use cases

Brute force protection

Brute force attacks involve an attacker attempting to gain unauthorized access to user accounts by systematically trying numerous password combinations. By implementing rate limiting on login endpoints, you can:

  • Limit the number of login attempts from a single IP address or user within a certain timeframe.
  • Reduce the risk of unauthorized access by slowing down or blocking repeated failed login attempts.
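As an added illustration of the mechanism described above (per-client counting within a window, with excess requests blocked or delayed), the following sliding-window limiter is written for this page and is not Bunny Shield's own code or configuration; it is keyed by source IP the way a login-endpoint rule would be, and the IP addresses, threshold and traffic sample are constructed.

```python
import time
from collections import deque, defaultdict
from typing import Optional, Tuple, List

class SlidingWindowLimiter:
    """Hypothetical limiter: at most `limit` requests per client per `window_seconds`."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        # one deque of request timestamps per client key (source IP, user id, API key, ...)
        self._hits = defaultdict(deque)

    def check(self, client: str, now: Optional[float] = None) -> Tuple[bool, float]:
        """Record one request from `client`; return (allowed, seconds_until_retry)."""
        now = time.monotonic() if now is None else now
        q = self._hits[client]
        # evict timestamps that have aged out of the sliding window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            # threshold reached: reject, and report when the oldest hit will expire
            # (a "delay" policy would sleep or queue for this long instead of blocking)
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0.0

def simulate(limiter: SlidingWindowLimiter, attempts: List[Tuple[float, str]]):
    """Replay (timestamp, client_ip) pairs; return (t, ip, decision, retry_after) per request."""
    results = []
    for t, ip in attempts:
        ok, wait = limiter.check(ip, now=t)
        results.append((t, ip, "allow" if ok else "block", round(wait, 1)))
    return results

# Constructed sample: 198.51.100.7 hammers /login; 203.0.113.9 is a normal user.
SAMPLE_ATTEMPTS = [
    (0.0, "198.51.100.7"), (1.0, "198.51.100.7"), (2.0, "198.51.100.7"),
    (2.5, "203.0.113.9"), (3.0, "198.51.100.7"), (4.0, "198.51.100.7"),
    (5.0, "198.51.100.7"),   # 6th attempt inside 60 s: blocked, retry in 55 s
    (61.0, "198.51.100.7"),  # oldest hits aged out: allowed again
]

def run_sample():
    # 5 login attempts per IP per 60 seconds (constructed policy values)
    return simulate(SlidingWindowLimiter(limit=5, window_seconds=60), SAMPLE_ATTEMPTS)

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Note that the legitimate user's request at 2.5 s is unaffected because the count is kept per client key, which is the property that lets a tight login threshold coexist with normal traffic.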

Distributed denial-of-service (DDoS) mitigation

DDoS attacks aim to overwhelm your server with a flood of requests, rendering your application unavailable to legitimate users. Rate limiting helps mitigate the impact of such attacks by:

  • Controlling the rate of incoming requests from suspicious IP addresses or ranges.
  • Ensuring your server remains responsive during an attack by setting appropriate request thresholds.

API abuse prevention

APIs are often targeted for abuse due to their automated nature and potential access to sensitive data. Rate limiting protects your API endpoints by:

  • Restricting the number of requests allowed from a single IP address or user within a specific timeframe.
  • Preventing activities like data scraping, unauthorized data harvesting, and other forms of API misuse.

Bot traffic control

Automated bots can generate significant non-human traffic, consuming server resources and affecting application performance. By implementing rate limiting, you can:

  • Throttle or block requests from bots that exceed normal usage patterns.
  • Maintain optimal performance levels and protect against bots attempting to exploit vulnerabilities or scrape content.