We have the advanced rate-limiting feature enabled.
We wanted to achieve an RL rule that will count 404 responses and block traffic above 10 requests (so ten “404”, right?) per min.
Sounds easy, but after some tests, the results are not what we expected: we put the rule in log mode and some matches are on existing URI paths…
I’m trying to explain the use case we want to deal with: some massive automated and distributed traffic was targeting a non-existing URI path, and web server front-end resources were almost saturated just by delivering the 404 web page. We don’t want to block a specific non-existing path, as by definition you can target an infinite number of non-existing paths on a website. That’s why we thought that using RL + response code count could be a solution to our problem.
Yes, all requests contain “toto.com” (which is a dummy name), but for the moment the cache is completely bypassed due to an old issue; I’ll push to have it reactivated ASAP.
@jnperamo I can’t, as toto.com was a dummy name to post my message here.
But in the Security Events, if I filter on this rule, I can see paths that exist, so with response codes like 200, 302 etc.
I also had a Ray ID from a legitimate user trying to access a legitimate path, and the Ray ID was pointing to this rule as well (at that time the rule action was “block”).
Please avoid using real domains as placeholders. It is especially important when they are not your domains.
There are domains like example.com that have been permanently reserved for such use by RFC 2606 and RFC 6761. Please use one of those so that you don’t waste people’s time examining a domain that isn’t relevant to your request.
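The rule discussed in this thread (count 404 responses, act above 10 per minute), as a simplified model added here; it is not part of the thread and not Cloudflare's implementation. It assumes a per-client-IP counter, a 60-second mitigation timeout, and that the 404 condition only decides what increments the counter, while the action, once triggered, applies to every request from that client that the rule matches; under those assumptions, rule matches show 200 and 302 responses on existing paths.

```python
from collections import defaultdict, deque


def rule_matches(requests, limit=10, period=60, timeout=60):
    """Return the requests on which the rule's action (log/block) fires.

    requests: (timestamp_s, client_ip, path, origin_status), sorted by time.
    limit and period come from the thread; timeout is an assumed value.
    """
    counted = defaultdict(deque)   # client -> timestamps of counted 404s
    mitigated_until = {}           # client -> time the mitigation ends
    matches = []
    for ts, client, path, status in requests:
        if ts < mitigated_until.get(client, 0):
            # Mitigation is active: the action applies whatever the
            # response code of this particular request is.
            matches.append((ts, client, path, status))
            continue
        if status != 404:
            continue               # only 404 responses increment the counter
        window = counted[client]
        window.append(ts)
        while window[0] <= ts - period:
            window.popleft()       # drop 404s older than the period
        if len(window) > limit:    # the 11th 404 within 60 s trips the rule
            mitigated_until[client] = ts + timeout
            window.clear()
    return matches


def sample_traffic():
    """Constructed sample: one noisy client and one ordinary visitor."""
    scanner, user = "198.51.100.7", "203.0.113.9"   # documentation IPs
    reqs = [(t, scanner, f"/missing-{t}", 404) for t in range(11)]
    reqs += [(12, scanner, "/", 200), (13, scanner, "/login", 302),
             (80, scanner, "/", 200)]               # t=80: timeout expired
    reqs += [(5, user, "/typo", 404), (6, user, "/", 200),
             (14, user, "/about", 200)]
    return sorted(reqs)


if __name__ == "__main__":
    for match in rule_matches(sample_traffic()):
        print(match)
```

In this model, a legitimate user who shares a source IP with the noisy client is matched in the same way, because the counter is keyed on the IP alone.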