Rate Limiting - Cost for normal traffic


There is something I don’t understand about Rate Limiting function (Firewall). If CF charges me for non-blocked traffic, and I configure a rule for whole site (to mitigate DDoS), they are billing each visit.

So I’ll pay for all traffic (no blocked), if my site has more than 10,000 visits/m, right?

10,000,000 visits/m - 10,000 (free) = 9,990,000 legitime visits/m
9,990,000/10,000 = 999 → 999*$0.05 = $49.95/m

Does this apply for cached elements? They counted as visits as well.

Am I right?


Hi @ceo4,

What you have said looks correct to me, I believe they will count the total number of requests that aren’t blocked, including any served from the cache. It is based on requests rather than visits, though.
If you have, or are considering an Enterprise plan, you may be able to negotiate custom pricing for rate limiting.

They are counting on Request like @domjh said. When your Website loads say 5 Files for each visit (HTML, CSS,JS, 2 Images) then every Visit to your Site will be billed as 5 Request as long the Visitor doesnt hit any Limit. And they will probably hit the Limit you set really quick because of this behaviour, and get kicked of your Website then.

Rate limiting is not really designed to protect entire websites, but rather to protect individual URLs such as APIs.

Cached assets should not be billed in rate limit, I believe this is something only enterprise customers would ever want to do.

Ok, I understand. I though in this function to mitigate distribuite DDoS attacks. Their requests seem natural, but coming from many IPs to many URIs. I guess that it’s expensive for this.

I have the firewall active, but that’s not enough, there are very high peaks of traffic and CF sends all requests to origin, without block them.

Did you give JS challenge a try? Using firewall rules.

That does not working well for all languages, my site is for different regions. If an user sees the challenge page in English but he/she only speaks Spanish, it’s a bounce for sure. It should be more friendly.

I use JS challenge just for high level risks.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.