Rate limiting : DoS prevention : Configuring application-layer DoS protection : Limiting the total HTTP request rate from an IP
 
Limiting the total HTTP request rate from an IP
You can limit the number of HTTP requests per second, per source IP address.
This feature is similar to DoS Protection > Application > HTTP Flood Prevention. However, this feature can prevent HTTP request floods that involve many different URLs. It also can detect source IP addresses that are shared by multiple clients, and intelligently enforce a separate request rate limit for those IPs, even if those clients do not support cookies.
FortiWeb appliances track the rate of requests from each source IP address, regardless of their HTTP method. If the rate of requests exceeds the limit, FortiWeb performs the Action.
 
This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.
To configure an HTTP request rate limit
1. Before you configure the rate limit, enable detection of when source IP addresses are shared by multiple clients. For details, see “Advanced settings”.
 
If you do not enable detection of shared IP addresses (Shared IP) , the second threshold, HTTP Request Limit/sec (Shared IP) will be ignored.
2. Go to DoS Protection > Application > HTTP Access Limit.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.
3. Click Create New.
A dialog appears.
4. Configure these settings:
Setting name
Description
Name
Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
HTTP Request Limit/sec (Standalone IP)
Type a rate limit for the maximum number of HTTP requests per second from each source IP address that is a single HTTP client.
For example, if loading a web page involves:
1 HTML file request
1 external JavaScript file request
3 image requests
the rate limit should be at least 5, but could be some multiple such as 10 or 15 in order to allow 2 or 3 page loads per second from each client.
For best results, this should be at least as many requests as required to normally load the URL. When a client accesses a web application, it normally requests many files, such as images and style sheets, used by the web page itself. If you set limits too low, it can cause false positive attack detections and block requests. In extreme cases, this could prevent a single web page from fully loading all of its components — images, CSS, and other external files.
The valid range is from 0 to 65,536. The default value is 0. Fortinet suggests an initial value of 500. See also “Reducing false positives”.
HTTP Request Limit/sec (Shared IP)
Type a rate limit for the maximum number of HTTP requests per second from each source IP address that is shared by multiple HTTP clients.
Typically, this limit should be greater than HTTP Request Limit/sec (Standalone IP).
For example, let’s say a branch office with 10 employees is accessing your web site. Some solitary telecommuters also access your web site. Each telecommuter has her own IP address. However, the 10 people at the branch office are behind a firewall with NAT, and from the perspective of the Internet appear to have a single source IP address. If the appropriate rate limit for solitary telecommuters is 20 requests/sec., a fair rate limit for the branch office might be 200 requests/sec.:
20 requests/sec/person x 10 persons = 200 requests/sec.
The valid range is from 0 to 65,536. The default value is 0. Fortinet suggests an initial value of 1000. See also “Reducing false positives”.
Note: If detection of shared IP addresses is disabled, this setting will be ignored and all source IP addresses will be limited by HTTP Request Limit/sec (Standalone IP) instead. See “Advanced settings”.
Real Browser Enforcement
If you want to return a JavaScript to the client to test whether it is a web browser or automated tool when it exceeds the rate limit, enable this option. If either the client fails the test, or if it does not return results before the Validation Timeout, FortiWeb will apply the Action. If the client appears to be a web browser, FortiWeb will allow the client to exceed the action. See also “Bot analysis”.
Disable this option to apply the rate limit regardless of whether the client is a web browser such as Firefox or an automated tool such as wget.
Validation Timeout
Enter the maximum amount of time that FortiWeb will wait for results from the client for Real Browser Enforcement.
Action
Select which action the FortiWeb appliance will take when it detects a violation of the rule:
Alert — Accept the request and generate an alert email and/or log message.
Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See “Customizing error and authentication pages (replacement messages)”.
Period Block — Block subsequent requests from the client for a number of seconds. Also configure Block Period.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See “Customizing error and authentication pages (replacement messages)”.
Tip: For improved performance during a confirmed DDoS, select this option. Attackers participating in the DoS will then be blocked at the IP layer, conserving FortiWeb resources that would otherwise be consumed by scanning each attacker’s request at the HTTP layer, compounding the effects of the DDoS.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “Defining your proxies, clients, & X-headers”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
The default value is Alert.
Caution: This setting will be ignored if Monitor Mode is enabled.
Note: Because the new active appliance does not know previous session history, after an HA failover, for existing sessions, FortiWeb will not be able to enforce actions for this feature. See “Sessions & FortiWeb HA”.
Note: Logging and/or alert email will occur only if enabled and configured. See “Logging” and “Alert email”.
Note: If you will use this rule set with auto-learning, you should select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning.
Block Period
Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.
This setting is available only if Action is set to Period Block. The valid range is from 1 to 10,000 (2.78 hours). The default value is 0. See also “Monitoring currently blocked IPs”.
Severity
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:
Low
Medium
High
The default value is High.
Trigger Action
Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers”.
5. Click OK.
6. Group the rule in a DoS protection policy (see “Grouping DoS protection rules”) that is used by a protection profile.
7. Enable the Session Management option in the protection profile.
Attack log messages contain DoS Attack: HTTP Access Limit Violation when this feature detects a multi-URL HTTP flood. See also “Log rate limits”.
Example: HTTP request rate limit per IP
If you set 10 per second for both the shared and standalone limit, here are two scenarios:
A client opens 5 TCP connections, where each connection has a different source port. Each TCP connection creates 3 HTTP GET requests. The FortiWeb appliance blocks the extra connections as there are 15 HTTP requests overall, which exceeds the limit.
A client opens a single TCP connection with 12 HTTP GET requests. The Period Block action is set. Once the count exceeds 10, the FortiWeb appliance blocks all traffic from the client for the specified block period.