HTTP Flood Protection
Overview
The Rate Limiting module protects applications from excessive or abusive traffic by controlling how many requests a client can send within a defined time window.
This module is a critical defense mechanism against:
HTTP Flood attacks
Brute-force attempts
Automated scanning
Abnormal or sudden traffic spikes
The Rate Limiting page provides visibility into clients that exceed configured thresholds and shows the actions taken by the WAF.
Rate Limiting Page Overview
This page lists all IP addresses that have triggered rate-limit rules on any protected application.
For each entry, users can view:
Source IP address and geolocation
Target application
Triggered rule details (request count and time window)
Block duration applied
Total number of blocked requests
Start time of the rate-limit event
Current block state (Blocked / Unblocked)
This overview enables operators to quickly identify abusive clients and evaluate the effectiveness of rate-limit rules.
Filters
To narrow down visible rate-limit events, the following filters are available:
IP Address
Displays events triggered by a specific source IP.
Application
Filters events by the protected application.
Start At / End At
Filters events by date and time range.
Clear Filters
Resets all filters and returns to the full event list.
These filters simplify investigations when handling a large number of rate-limited clients.
Rate Limiting Table Details
Each row in the table contains summarized diagnostic information:
IP Address
The client IP that exceeded rate-limit thresholds. Country information is shown for geographic context.
Application
The application receiving excessive traffic from the IP.
Detail
Summarizes the triggered rule, for example:
“2 requests within 10 seconds – Basic Access Limit was triggered”
This information describes:
Number of requests received
Time window in which the requests occurred
Which rate-limit rule blocked the traffic
Blocked
Total number of requests blocked during the rate-limit event.
Start At
Timestamp when the rate-limit event began.
State
Indicates the current status of the IP:
Blocked – the IP is still under a rate-limit penalty
Unblocked – the penalty period has expired
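The table fields above, worked through as an added example (not the product's code): a sliding-window limiter that builds one event row per offending IP. The sliding-window counting, the names `Rule`, `Event`, `Limiter` and `replay`, the 60-second block duration and the choice to start the block on the first request over the allowance are assumptions, since the page does not state how the WAF counts requests.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Rule:                  # hypothetical rule shape, not the product's schema
    name: str
    max_requests: int        # requests allowed per window (assumed meaning)
    window: float            # window length, seconds
    block_for: float         # block duration, seconds

@dataclass
class Event:                 # one row of the table described above
    ip: str
    detail: str
    start_at: float
    block_until: float
    blocked: int = 0         # requests dropped during the event
    def state(self, now):
        return "Blocked" if now < self.block_until else "Unblocked"

class Limiter:
    def __init__(self, rule):
        self.rule = rule
        self.hits = defaultdict(deque)   # ip -> timestamps of allowed requests
        self.events = {}                 # ip -> latest Event

    def allow(self, ip, now):
        ev = self.events.get(ip)
        if ev and ev.state(now) == "Blocked":
            ev.blocked += 1              # penalty still active: drop and count
            return False
        q = self.hits[ip]
        while q and now - q[0] >= self.rule.window:
            q.popleft()                  # expire requests outside the window
        if len(q) >= self.rule.max_requests:
            r = self.rule
            detail = f"{len(q)} requests within {r.window:g} seconds – {r.name} was triggered"
            self.events[ip] = Event(ip, detail, now, now + r.block_for, blocked=1)
            q.clear()
            return False
        q.append(now)
        return True

def replay(rule, traffic):
    lim = Limiter(rule)
    return lim, [lim.allow(ip, t) for t, ip in traffic]

# Constructed sample traffic: (seconds, source IP), documentation addresses only.
SAMPLE = [(0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
          (3, "198.51.100.4"), (4, "203.0.113.7"), (70, "203.0.113.7")]
```

Replaying `SAMPLE` with `Rule("Basic Access Limit", 2, 10, 60)` blocks the third request from 203.0.113.7, counts the fourth against the same event, and lets the request at 70 seconds through once the penalty has expired.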
Bulk Actions
The Rate Limiting page allows administrators to perform bulk operations.
Unblock All
Immediately removes all active rate-limit blocks.
This action is useful when:
Updating or tuning rate-limit thresholds
Testing traffic behavior or rule changes
Resetting blocks after maintenance or security incidents

