Join our - Lead the Future of API Dev: A New Approach with Blackbird -Webinar on September 19thRegister Now

Back to blog
RATE LIMITING

Best Practices for Configuring Rate Limits to Prevent DDoS

Jake Beck
March 14, 2024 | 10 min read

In February 2018, GitHub was hit by a massive Distributed Denial of Service (DDoS) attack launched to take the site offline. The DDoS attack flooded the site with 126,900 packets per millisecond, sending over 125 GB of data to the website per second.

It worked—but only just. The site was offline for only 20 minutes before mitigation defenses to prevent DDoS kicked in to limit the attack. At the heart of these would have been rate limiting, reducing the requests that users can make in a given time frame. This simple yet highly effective strategy to prevent DDoS attacks should be one of the initial security measures you implement when deploying a service.

Here, we want to take you through how to think strategically about rate limiting and how you can implement best practices when configuring your Kubernetes API gateway.

What Are DDoS Attacks?

Many developers rightly fear DDoS attacks. ​​DDoS attacks are malicious attempts to disrupt the regular traffic of a targeted web server, service, data center, or network infrastructure by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.

Types of DDoS attack can take various forms, including but not limited to:

  • Volumetric DDoS attacks, which saturate the bandwidth of the targeted site.
  • Service DDoS attacks, which exhaust resources or services of a target.
  • Application layer attacks, which overload a specific aspect of an application or server.

These common types of DDoS attacks all share the primary objective of rendering the target inaccessible to legitimate users, causing downtime or degraded service. Techniques to prevent DDoS attacks are therefore a crucial component of a security engineer’s arsenal.

Effective mitigation to prevent DDoS attacks often involves a combination of traffic analysis, rate limiting, and filtering to distinguish between legitimate user traffic and malicious attack traffic, allowing the service to remain available to the former while blocking the latter.

If a website or service becomes unavailable owing to a DDOS attack, it can spell disaster for the business. If the DDoS attack is successful, productivity, user experience, and brand can take a hit. The result is inevitable revenue loss. That’s not all, though. A DDoS attack may provide a front for more malicious activities, such as a data breach. Since teams are overwhelmed trying to get the network back online, infiltration by hackers might go unnoticed. They can exploit vulnerabilities and gain access to unauthorized data.

Rate Limiting: a Simple Yet Effective to Prevent DDoS

The objective of rate limiting is to stop concurrent users or connections from exhausting network resources.

Rate limiting works by restricting access to a resource via some kind of filter. Often, this is the IP address. You set your API gateway to limit access to the IP address of a user:

apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
name: quote-backend
spec:
hostname: "*"
prefix: /backend/
service: quote
labels:
ambassador:
- request_label_group:
- remote_address:
key: remote_address

Here,

remote_address
will be the IP address you want to limit. We can then use this Mapping in a rate limit service:

apiVersion: getambassador.io/v3alpha1
kind: RateLimit
metadata:
name: backend-rate-limit
spec:
domain: ambassador
limits:
- pattern: [{remote_address: "*"}]
rate: 3
unit: minute

We are limiting each IP address to 3 requests per minute. The method effectively acts as a filter that weeds out malicious traffic and prevents DDos attacks. This method, however, must be appropriately configured to balance security and effectiveness. We want to allow our users to access the website or service for queries while ensuring our network infrastructure is not being maliciously attacked. Setting a rate limit that is too low may stop legitimate users from accessing the website, whereas setting a rate limit that is too high may allow malicious traffic to pass through, rendering the measure useless.

Once the threshold is hit, the system can block requests or throw an error if the limit is exceeded.

Developers can set key parameters within rate limiting. The most important is the one we’ve set here–the rate threshold. These are the maximum allowable traffic rates (above, this is set to 3). To go with the threshold, we also need a time window, the window over which the is measured (above, this is set to ‘minute’).

For DDoS attacks, it is also essential to build allowlists and blocklists:

  • Allowlists are those entities over whom the rate limit is not applied. You might need to set specific company IP addresses, as always allowed, to access pages to make sure aren’t hit by rate limits as they try to fix issues.
  • Blocklists are malicious entities over whom stricter rules are applied or blocked. With a DDoS attack, you might use monitoring to constantly add new malicious IP addresses to this list to stop these bad actors from hitting your site. This is the core of techniques to prevent DDoS when it comes to rate limiting.

You can also expand rate limiting beyond individual users. Developers can use several different rate limiting techniques:

  1. User rate limits: This method tracks the number of requests a user makes. Often, the tracking is done via the user's IP address or API key. If the user exceeds a defined limit, the limit kicks in, and further requests from the user are denied.
  2. Geographic rate limits: Sometimes, you need to limit access from a particular country or location to access their website. They can enable this by setting geographic rate limits for specific geographic regions.
  3. Server rate limits: This method allows website/application owners to set server rate limits. Since most applications are distributed, several web servers can service one application. If one server gets a surge of requests, it can either drop them or channel them to another server. This provides greater flexibility and helps balance uneven loads on different web servers.

Best Practices for Rate Limit Configuration to Prevent DDoS

Effectively configuring is crucial to ensuring optimal protection to prevent DDoS attacks while maintaining a smooth user experience. By following these best practices, organizations can strike the right balance between security and usability, ensuring their systems remain resilient in the face of malicious traffic surges.

  1. Identify vulnerable areas. Proactively identify potential weaknesses in your system that attackers could exploit. Conducting regular risk assessments, identifying vulnerable endpoints, APIs, and resources, and prioritizing gaps based on their potential impact helps focus your efforts on the most critical areas.
  2. Set appropriate limits. When setting rate limits, find the right balance between security and usability. Consider factors such as historical traffic patterns, peak usage times, typical request rates, and expected user behavior to ensure that the limits are effective without hindering legitimate users.
  3. Implement granular control. Apply rate limits at various levels to gain more targeted control over traffic. Fine control based on IP addresses, API endpoints, and request parameters allows for more precise identification of malicious attacks and helps allocate resources effectively.
  4. Use dynamic adjustments. Adapt rate limits based on real-time scenarios and past traffic patterns. Dynamic adjustments enable your system to respond to changing traffic conditions and provide more accurate protection to prevent DDoS attacks.
  5. Prevent false positives. Minimize the risk of inadvertently blocking legitimate users by employing proper configurations. Fine-tuning your rate limiting settings helps reduce false positives and ensures genuine users can access your services without interruption.
  6. Implement monitoring and logging. Establish a robust monitoring and logging system to track rate limit violations, system health, and potential security incidents. Real-time alerts, detailed logging, secure log policies, and regular log reviews help detect anomalies and enable quick response to threats.

By adhering to these best practices, organizations can configure rate limits effectively, ensuring a solid defense to prevent DDoS attacks while maintaining optimal performance and user experience.

Always Implement Rate Limiting

Rate limiting is critical to ensure your services don’t become overwhelmed. But the benefits go beyond just that.

Rate limiting helps reduce the surface area of attack by limiting malicious traffic and restricting the chances of brute-force attacks. It also helps curb costs due to unplanned and unexpected traffic surges. Application owners can set rate limits in conjunction with their budget. Alternatively, they can choose to host traffic from a particular country only.

Finally, it prevents outages. Downtime on a website or an application translates into lost sales opportunities. By helping avoid denial of service attacks, an application essentially prevents downtime and increases the chances of revenue generation.

Implementing effective rate limiting strategies is no longer an option but a necessity. By staying proactive, configuring rate limits according to best practices, and continuously monitoring and adapting to changing traffic patterns, organizations can safeguard their systems, maintain optimal performance, and deliver a seamless user experience even in the face of malicious attacks.

Edge Stack API Gateway

To try out rate limiting in action