Having big issues setting up Rate Limiting rules - not working - Help!

We are having a lot of difficulties setting up Rate Limiting rules to combat Fraud Bot activity on our site. We have click fraud bots that come from our PPC campaigns and cycle through pages on our site. We are able to track them and know the pattern or pages they use on our site. I can share more details on this data if needed.

We set up a few rules to block their movement, but they are not working. We can't figure out if what we set up is correct or not, or what can be wrong. Attached are two rules.

Rule 1 - The way we understand it, the first condition tells the system that if there is a request for the link that contains the listed string in the URL and the page /guarantee, then block the IP, or if it's any of the other 3 /pages, also block it. Request is set to 1 and period is 10 min. The key part here is the initial utm_source=bing&utm_medium=cpc query string, which is the starting point for every bot. Once they hit any of the other 4 listed static pages, we want them gone and blocked.

But it's not working. We tried to test it by mimicking the behavior of this bot to match this rule and nothing gets blocked.

The second rule we have is simply the same query string, with Request set to 3 and then block, because some bots cycle through new clicks with a new PPC term and a real user will only have 1 term.

If someone can help, PLEASE. Support is not providing much information on this. Not sure what we are doing wrong, but we have to block these bots that sit on our site and cycle through our paid links and budget.

Thank you in advance!

Hello @boris13

I’ve noticed similar issues with Rate Limiting, and how the system seems to handle multiple “OR” expressions in this way.

I suggest trying this:

I do find it curious that the second rule is not working at all. If all it has is the Query String as specified, the only reasons I can think of why it wouldn’t be working are a WAF rule which is matching first and has a “Skip” action for Rate Limiting Rules, or the traffic’s Query String isn’t matching this exactly.

Please let me know if you have any questions or require further assistance!

CJ313

Thank you!! @CFBrandon We will try your suggested adjustment, hopefully we see some action on that one and see what happens.

In regard to the 2nd one, can you elaborate on what you meant by “WAF rule which is matching first, and has a “Skip” action for Rate Limiting Rules”? What does this mean, and is this something that can be adjusted or changed somewhere?

Thanks again!

Under Security > WAF, the Custom Rules have a Skip property called “Skip Rate Limiting Rules”. If the incoming traffic is matching a Custom Rule with that property, Rate Limiting will not be enforced.

I saw a rule for Known Bots, which are bots we have verified. If you filter the Security Events by ‘Query String contains’ and your value, you will see the Skip rule working.

Please let me know if you have any questions or require further assistance!
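Added example, not part of the thread or any poster's code: a small Python check for the second explanation given above, that the traffic's query string does not match the rule's string exactly. It assumes the rule's condition behaves as a case-sensitive substring test on the raw query string; the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# The string the rule matches on, as quoted in the first post.
RULE_SUBSTRING = "utm_source=bing&utm_medium=cpc"


def literal_match(url: str) -> bool:
    """Model of a 'contains' condition (assumption): case-sensitive
    substring test against the raw query string."""
    return RULE_SUBSTRING in urlsplit(url).query


def param_match(url: str) -> bool:
    """True when both parameters carry the expected values, in any order."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("utm_source") == ["bing"] and params.get("utm_medium") == ["cpc"]


def explain(url: str) -> str:
    """Say whether the literal rule would match and, if not, why."""
    if literal_match(url):
        return "match"
    if param_match(url):
        return "miss: same parameters, different raw string"
    return "miss: parameters absent or different values"


# Constructed sample requests (not taken from the thread).
SAMPLES = [
    "https://shop.example/guarantee?utm_source=bing&utm_medium=cpc&utm_term=widgets",
    "https://shop.example/guarantee?utm_medium=cpc&utm_source=bing",
    "https://shop.example/guarantee?utm_source=bing&utm_campaign=x&utm_medium=cpc",
    "https://shop.example/guarantee?utm_source=Bing&utm_medium=cpc",
    "https://shop.example/guarantee",
]


def report(urls):
    """Pair every URL with its verdict."""
    return [(u, explain(u)) for u in urls]


if __name__ == "__main__":
    for url, verdict in report(SAMPLES):
        print(f"{verdict:45} {url}")
```

Running request URLs exported from the Security Events log through `report` separates traffic the literal string would catch from traffic that carries the same campaign parameters in a different raw form.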
