Block bursts above 10 reqs/sec

I want to block IPs that are sending more than 10 requests per second.
In the burst rate limiter in WAF I only see the possibility to measure within 10 seconds… but I can’t wait 10 seconds until the block happens, I need immediate blocking.
How can I achieve that? I’m on a PRO plan.

That can’t be done with rate limiting as features are fairly simple without an Enterprise plan…

Note that 10 requests could easily be made for one page as it loads the page, images, scripts and so on.

You could use a Worker, or a script on your origin, to count requests then add the IP address to a list or direct to a WAF block rule using the Cloudflare API.

That’s disappointing that there is no option to filter for actual website requests (so filter out all requests that are created based on a page request).

You can match certain things to trigger the rate limiting, but then that won’t protect other items (so you could rate limit for pages that end .html, but someone could bypass the rate limit by hitting images directly for example).

The 10s rate limit does come in immediately the limit is reached, but your only option is to limit within that 10s window. After that the hits are counted again.
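The "script on your origin" approach suggested earlier in the thread, sketched as an added example (not code from any poster or from Cloudflare): a per-IP sliding-window counter that flags an address the moment it exceeds 10 requests in one second, plus the request body for a Cloudflare IP Access Rule block. `BurstDetector`, `buildBlockRequest` and `demo` are hypothetical names, the zone ID and API token are placeholders, and the sample traffic is constructed; state is held in memory, so this assumes a single origin process.

```javascript
// Per-IP sliding-window burst detector for an origin-side Node script (added example).
class BurstDetector {
  constructor(windowMs = 1000, maxReqs = 10) {
    this.windowMs = windowMs;   // 1-second window, as asked in the thread
    this.maxReqs = maxReqs;     // flag an IP once it exceeds this many hits
    this.hits = new Map();      // ip -> timestamps (ms) still inside the window
    this.reported = new Set();  // IPs already flagged, so the API is called once
  }

  // Record one request. Returns true only the first time `ip` exceeds the limit.
  record(ip, nowMs) {
    if (this.reported.has(ip)) return false;
    const times = this.hits.get(ip) || [];
    // Drop timestamps that have aged out of the window.
    while (times.length && nowMs - times[0] >= this.windowMs) times.shift();
    times.push(nowMs);
    this.hits.set(ip, times);
    if (times.length <= this.maxReqs) return false;
    this.reported.add(ip);
    this.hits.delete(ip);
    return true;
  }
}

// Build (do not send) the Cloudflare API call that creates an IP Access Rule.
// zoneId and apiToken are placeholders supplied by the caller.
function buildBlockRequest(zoneId, apiToken, ip) {
  return {
    url: `https://api.cloudflare.com/client/v4/zones/${zoneId}/firewall/access_rules/rules`,
    options: {
      method: "POST",
      headers: { Authorization: `Bearer ${apiToken}`, "Content-Type": "application/json" },
      body: JSON.stringify({
        mode: "block",
        configuration: { target: "ip", value: ip },
        notes: "burst above 10 req/s (automated)",
      }),
    },
  };
}

// Constructed sample traffic: one IP at 20 req/s, one at 5 req/s.
function demo() {
  const detector = new BurstDetector();
  const events = [];
  for (let i = 0; i < 12; i++) events.push(["203.0.113.7", 1000 + i * 50]);
  for (let i = 0; i < 12; i++) events.push(["198.51.100.4", 1000 + i * 200]);
  return events.filter(([ip, t]) => detector.record(ip, t)).map(([ip]) => ip);
}
```

When `record()` returns true, pass the result of `buildBlockRequest()` to `fetch(req.url, req.options)`; to avoid counting the images and scripts a single page load pulls in, call `record()` only for the request paths you want to measure.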

