Rate Limiting Question


#1

I just set up a rate limiting rule that looks like this:
http and https website.com/*
From the same IP address exceeds 10 requests per second.
Block for an hour.
I have a couple of questions.

  1. Is the rate too tight, ending up blocking legitimate users?
  2. Will this affect legitimate bots such as bing bot and google bot?

Thanks,

Dorian


#2

That fully depends on your site. If you have enough resources embedded it might.


#3

there is no real easy way to know…

if you are not under ddos attack right now I can only recommend you to change it from block to Challenge and depend on your website traffic come back and check the Rate Limiting graph in analytics tab to see how many users got challenged, if non than the rule is ok, if not you will need to dig deeper


#4

Thanks for the help.
I changed it to challenge with 15 requests per second.

Do you guys know if this includes bots?

Thanks,