curl -X GET https://api.cloudflare.com/client/v4/zones/the_id/rate_limits -H 'X-Auth-Email:xxxxxx\@xxxxxx.com' -H "X-Auth-Key: xxx" -H 'Content-Type: application/json';
Where the_id is replaced with the identifier for the domain assigned by cf.
returns this for a domain that has a rate limit rule, the rule is therefore not being listed:
Also, trying to set a rule via the api returns
Hey there, sorry for the confusion here but that looks like the API endpoint for the previous version of Rate Limiting.
You can find the documentation for the new version here:
Hope that helps!
That did work indeed, thank you so much. I think I found the old page by searching on Google.
I came to rate limiting by just stress testing one of our sites earlier today and realising that no matter how many concurrent requests I sent via cf to the server I would not be stopped by default. Is there no default for cf to determine that many concurrent requests from the same ip over a long period of time is probably a DDOS? I was sending 900 concurrent requests per batch using ab for more than a minute.
My other consideration is that on free plans the blocking period is fixed to 10 seconds which seems odd because an attacker can just use a small bunch of different ips and the entire protection is rendered worthless if the ips gets unbanned after those 10 secs.