Protect Against Cyber-attacks with Rate Limiting

January 24, 2019

As businesses increase their focus on ensuring IT availability, preventing cyberattacks and protecting network resources becomes pivotal in ensuring IT resiliency and up time. In your arsenal of defenses, rate limiting can be one of your most powerful tools.  

By setting limits for how many requests can be made under specific conditions, you can filter out threats while improving the security and availability of your websites and applications. The following are some of the specific threats that rate limiting can protect against.

Brute-force Login Attempts

With brute-force attacks, cybercriminals — typically using bots — submit numerous passwords to your systems with the goal of eventually getting it right. This can overwhelm your server resources. If allowed to continue, it can end with the cybercriminal gaining access.

Rate limiting can be an effective countermeasure. It allows you to limit the number of attempts a user or bot can make in a set time frame. This helps make it difficult to launch a successful brute force attack. The downside to this method is that it can affect the experience of innocent users.

However, there are ways around this. At US Signal, we use a progressive approach that balances user experience with security demands on an application-by-application basis.

For example, if you have a website portal that your employees access daily, we can establish specific access periods and allow less login attempts. To help ensure we aren’t blocking legitimate users, we could use JavaScript challenges to the browser if a user violates the rules we establish.  

If users’ login attempts continue to fail, we can implement a secondary rule that forces users to fill out captcha challenges. At some point if they’re still attempting to login but aren’t succeeding, we’d block them for a set amount of time. A custom error page could be displayed in these situations to help manage the user experience.

For applications that are used less frequently, repeatedly unsuccessful log in attempts could be due to users having forgotten their passwords. In this kind of scenario, we would implement less stringent rules.

Website Scraping

When a person clicks through a series of pages on a website, it’s not going to be anywhere near 100 webpages a second. However, a bot can do that and more. That’s why malicious bots are often used to scrape websites. They’re looking for vulnerabilities or copying web content, contact information, copyrighted images or other assets and redistributing or reusing them.

With rate limiting, you can restrict the maximum number of requests a particular IP address is able to make in a given window of time. That helps protect your websites from exploitative requests, and eliminates — or at least minimizes — data scraping during that time period.   

API Abuse or Misuse

When you have a public-facing API, it creates a failure point for cybercriminals seeking use the API to launch a DDoS attack. The attacker will send in numerous GET or POST requests, attempting to overwhelm your origin server resources or your internet connectivity bandwidth.

Rate limiting helps keep that from happening. You can also use it to set realistic limits with a timeout to make sure users don’t accidentally overuse the API.  

Online Forms

One of the simplest but most effective DDoS attack methods is to constantly send requests through a website form. This overloads the origin server and congests the network. With rate limiting, you can restrict the number of requests. That reduces the chance of cybercriminals overwhelming your origin servers.

Other Benefits of Rate Limiting

There are numerous other benefits to using rate limiting:

  • It provides another layer of granular control that helps you manage traffic and requests to your hosted applications. Some low and slow attacks can be more difficult to detect but rate limiting rules can be configured to catch and mitigate these types of threats.
  • By reducing the number of malicious and unwanted traffic, your available bandwidth is saved and kept available for good traffic and legitimate requests.
  • Granular control is achieved by setting up rules to best match human behavior for the given internet asset. By understanding how the webpage or application is normally used, you can filter out things that don’t conform or that could malicious or unwanted.
  • When rate limiting rules are triggered, they get logged, providing insights into requests that may be coming from potentially malicious sources. We can use this information to block malicious sources, and the offending IP's can be added to an IP reputation database we use to manage known threats.
     

The US Signal Approach to DDoS Protection

Rate limiting is a component of the premier tier of US Signal’s DDoS Protection service. The premier tier also includes custom web application firewall rule sets, advanced cache configurations, custom website error pages, image compression, automatic frontend code minification, script loading tools, and more.

To learn more about rate limiting and other ways to combat DNS-based volumetric and multi-vector attacks, contact US Signal. Call 866.2. SIGNAL or email us at: info@ussignal.com.