How Rate Limiting Can Stop DDoS Attacks in Their Tracks

Distributed denial-of-service (DDoS) attacks are a persistent threat to organizations of all sizes. In recent years, the frequency and sophistication of these attacks have increased, thanks to the availability of attack tools on the dark web and criminal marketplaces. From the Port of London Authority to Ukraine’s national postal service, a range of organizations were victims of DDoS attacks in 2022. While implementing more security controls can mitigate DDoS attacks, it can also result in more false positives, which can disrupt legitimate traffic and cause brand damage.

To combat DDoS attacks, security leaders are already monitoring network traffic patterns, implementing firewalls, and using content delivery networks (CDNs) to distribute traffic across multiple servers. However, rate limiting is often considered the best method for efficient DDoS mitigation, preventing 47% of DDoS attacks, according to a recent report. Unfortunately, few engineering leaders know how to use rate limiting effectively while avoiding false positives. Here’s how organizations can employ rate limiting effectively:

Understand Expected Network Traffic and Vulnerabilities

Engineering leaders often find it difficult to implement rate limiting as a DDoS mitigation tool because they don’t know what thresholds to set. The first step is to understand expected network traffic by answering several questions related to the number of users who visit an application every minute and the number of actions an application can handle. Knowing the baseline threshold for each URL within each application is useful, as it can help teams develop accurate baseline network traffic models and manage incoming and outgoing data flow effectively. These baseline thresholds can also help identify granular details on IP, host, domain, and URI vulnerabilities, which allows teams to act more quickly to thwart DDoS attacks.

Implement Custom Rate Limits on Various Parameters

Security teams want round-the-clock application availability and rely on managed services to get the most value from DDoS mitigation software. In-built DDoS scrubbers help security leaders go beyond static rate limits and customize rules based on the behavior of inbound traffic received by host, IP, URL, and geography.

To implement rate limiting effectively, teams should set rate limits on the URL rather than the domain, as hundreds of URLs get added to the domain, which can cause unnecessary blocking of legitimate requests or, if compensating by raising the rate limits, allow too many malicious requests to pass through. Customizing the rate of requests on a session level can help detect unusual behavior that may indicate malicious activity and cause servers to become overwhelmed. Monitoring rate limits at an IP level can limit the number of requests or connections from a particular IP address. Implementing geographical rate limiting and geo-fencing can help teams quickly examine IP address reputations and geolocation data to verify the source of traffic.

Minimizing False Positives

By using the above methods, application owners can set more granular rate limits based on user behavior. This, in conjunction with using DDoS mitigation mechanisms such as tarpitting and CAPTCHA before blocking requests, can minimize false positives to the maximum extent possible. Cybersecurity decision-makers must take a multilayered approach to protection by having a clear understanding of network traffic patterns and using fully managed platforms to set rate limits based on threat intelligence.

In conclusion, cybersecurity teams can use rate limiting as an effective tool to combat DDoS attacks by understanding expected network traffic and vulnerabilities, implementing custom rate limits, and minimizing false positives. A multilayered approach to protection is essential to defend against DDoS attacks. By taking these steps, organizations can protect their networks and minimize the impact of DDoS attacks.