Rate limiting not triggering

I’ve had a particular subdomain and (non-existent) path getting multiple requests per second from a number of different sources. It tends to be the same couple countries, and the IP will change after a couple hundred attempts or so. I set up a rate limit rule to cover http & https to that sub.domain.com/path but it seems like it’s only working intermittently.

I reduced the limit to 3 requests per 10 seconds which should have caught a lot of them, and to block for an hour, but when I go to the analytics > security page, I can see that in the past 12 hours only a handful have been reported (like 15 or so) and none have been logged or blocked. I can still see these attempts in my firewall events,

Have I missed a crucial step somewhere, or could another firewall rule be preventing this? None of my firewall rules include bypass which I thought was the only thing that would not trigger rate limiting.

Thanks for any help or pointers.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.