All this week (at the same time each day pretty much) I have been having repeated DDoS attacks and have been mitigating them manually with a combination of IP Blocks and User Agent Blocks.
I would like to move to a Rate Limit system so that I don’t have to sit at my computer each night, but I have some questions:
All the attacks are hitting either:
(see this image)
My questions are:
Do I need to specify the “/” on the first example or should I just put
example.com in that field? (I assume yes I must specify the “/”)
& do I need to specify
www.example.com/index.php as well as
Can I have an unlimited number of “Rate Limits”?
If I can, how does billing work if I have more than one? Simply all non-blocked traffic is paid for regardless after the first 10’000? (This is what I assume)
Further to the Rate Limiting question, does blocking an IP that hits my index.php file more than 10 times in 1 minute seem OK or excessive? I can’t imagine many instances whereby a legit user of my site would load the index more than 10 times in 1 minute, but some advice on this would be appreciated.
I also have a Firewall Log question:
How do I exclude an IP from the Firewall Log so I can see what other IPs I need to deal with?
For example, I often set up a User Agent block to quickly deal with a mass of hits from dodgy IPs, then want to go through the Log and block each IP individually. But there can often be thousands of requests from a single IP, meaning I have to click through pages and pages and pages of Logs showing the same IP. How do I exclude that IP so that I can see other entries?
Thanks in advance for any help you can give!
OK so further to this, how long does it take for this to start working?
I just tried to set up
*example.com/index.php and set it to block an IP after hitting that string more than 10 times in 1 minute. I just hit it 20 times and didn’t get blocked (my IP is not whitelisted etc…)
So then I tried
www.example.com/index.php same happened, it didn’t block.
Am I doing something wrong, is there a delay between implementation and effective rate limiting? How long a delay?
Thanks again in advance
So I must be doing something wrong but I don’t know what
I have tried the following (all are active in the webpanel):
All set to block an IP that hits any of those over 10 times in 1 minute.
I have hit the homepage 20 times and more, yet it is not blocking me.
I have tried from 2 different IPs just to be safe, same result.
Is this going to be a delay in getting it pushed out to the edge server or have I done something incorrectly?
If it is a delay how long a delay does it normally take?
If I have done something wrong please just let me know
Below is an image of what I have set for one of the rules, what is wrong with it / why is it not working?
Thanks in advance
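
Added example, not part of the original thread and not the rate limiting service's own logic: one way to sanity-check the "more than 10 hits in 1 minute" threshold, and to see each noisy IP once instead of paging through repeats, is to replay an origin access log offline. It assumes Common Log Format lines and a sliding 60-second window (how the edge actually counts is not stated in the thread); the function names and all sample IPs and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, path without query string) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), target.split("?", 1)[0]

def offenders(lines, paths=("/", "/index.php"), threshold=10, period=60):
    """Map each IP whose peak count in any `period`-second window exceeds
    `threshold` to that peak, so each noisy IP appears once."""
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r[1])
    windows, peak = defaultdict(deque), defaultdict(int)
    for ip, when, path in records:
        if path not in paths:
            continue
        q = windows[ip]
        q.append(when)
        # Drop hits that have aged out of the window ending at this request.
        while (when - q[0]).total_seconds() >= period:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

def sample_lines():
    """Constructed traffic: (ip, target, hits, seconds between hits)."""
    start = datetime(2024, 1, 1, 21, 0, 0, tzinfo=timezone.utc)
    plan = [("203.0.113.7", "/index.php?x=1", 20, 2),   # burst
            ("198.51.100.20", "/index.php", 10, 5),     # exactly at the limit
            ("198.51.100.4", "/", 5, 10),               # ordinary browsing
            ("192.0.2.9", "/index.php", 11, 30)]        # many hits, spread out
    return ['%s - - [%s] "GET %s HTTP/1.1" 200 512'
            % (ip, (start + timedelta(seconds=i * gap)).strftime(TS_FMT), target)
            for ip, target, hits, gap in plan for i in range(hits)]

if __name__ == "__main__":
    for ip, n in sorted(offenders(sample_lines()).items()):
        print(ip, n)
```

Running it against a quiet day's log before enabling a block action shows whether any legitimate visitor would have crossed the chosen threshold.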