Verizon Digital Media Services is pleased to announce the general availability of HTTP Rate Limiting, as part of our Verizon DEFEND product. HTTP Rate Limiting is designed to mitigate application layer (Layer 7) distributed denial-of-service (DDoS) attacks and help customers manage the traffic load on their websites. Combined with our Web Application Firewall (WAF), it will help ensure the security and performance of our customers’ websites.
Application layer DDoS attacks are often mounted by attackers using thousands of globally distributed computers to send floods of HTTP requests to websites. These attacks can overwhelm the targeted websites, rendering them inaccessible or unusable to legitimate users, potentially causing severe loss of business.
DEFEND HTTP Rate Limiting empowers our customers with the following key features to mitigate such attacks:
- Flexible per-second, per-minute and per-hour rate limits: The per-second rate limit is designed for ultra-fast action against the initial stages of DDoS attacks, where attackers often sharply increase the traffic to a website. Without fast mitigation, a website can be impacted within seconds. Per-minute and per-hour rate limits are designed to mitigate sustained DDoS attacks and manage clients that send a high volume of malicious traffic over a long period of time. Such clients are often bots designed to scrape competitive business information from websites.
- Rate limits at individual client and global level: Global rate limits help customers limit HTTP requests to a reasonable overall rate that their website can handle, while rate limits based on individual clients help customers distinguish malicious clients from legitimate users by their request rates and take action.
- Flexible enforcement actions: Customers can block the requests that violate rate limits, redirect those requests or configure custom actions that allow them to choose the HTTP response code, response body and headers they want to return. Customers can also use the alert action to safely apply initial rate limits, monitor the impact on their website and fine-tune their rules before any disruptive action is taken.
- Extensive traffic filtering using request attributes: Customers can apply multi-level filtering conditions using request attributes, such as HOST, URL, Referer, Client IP and User-Agent. These conditions give customers the flexibility to address a wide variety of attacks and to minimize false positives.
- Ultra-fast configuration changes and real-time data display through our DEFEND portal: All the configuration options mentioned above are available to customers in the DEFEND portal. Configuration changes made to Rate Limiting rules propagate throughout our global network in under five minutes on average. Real-time HTTP event log data on rate limiting violations is also available in the DEFEND portal.
- APIs for configuration and event log data access: We are committed to customer empowerment through APIs, and HTTP Rate Limiting comes with configuration and event log APIs from day one. Customers can use the APIs to programmatically create and modify rules and to fetch real-time event log data for further analysis. The APIs also allow integration with Security Information and Event Management (SIEM) tools.
- Self-service with flexible professional services: Although we have designed the Rate Limiting feature with self-service in mind, we have a professional services team to help customers tailor the configuration of rules based on their exact security requirements.
HTTP Rate Limiting takes our DEFEND product to the next level in terms of security and flexibility. As the reach of the internet grows, application layer attacks are likely to grow in severity and frequency. HTTP Rate Limiting helps our customers stop those attacks at the edge of the internet.
For more information on HTTP Rate Limiting, please consult the Help Center documentation in our Media Control Center (MCC) or contact us.
Vikas Phonsa, Senior Product Manager – Security Solutions