Using Rate Limiting to Protect against DDoS and Brute Force Attacks

Distributed denial-of-service (DDoS) and brute-force attacks are a growing problem for e-commerce sites. A DDoS attack can paralyze your site by overwhelming servers, network links, and network devices (routers, firewalls, etc.) with bogus traffic. A brute-force attack has a different goal: it fires many password guesses at your login page in rapid succession until one succeeds, and the flood of login requests can degrade the site along the way. While integrating technology into our homes has provided many conveniences, the rapid proliferation of insecure internet of things (IoT) devices has made it much easier to assemble botnets that can rapidly overwhelm and disrupt your business.

Although these attacks have traditionally been difficult to detect and defend against, they share a useful property: the attacker has to send requests far faster than a legitimate user ever would. Rate limiting exploits that, and we have found it to be an effective way to thwart both DDoS and brute-force attacks. A rate-limiting rule counts requests from a particular source (typically the client IP address) within a defined time window and takes action once the count exceeds a threshold. For example, if requests for a given page from one IP address exceed 20 in an hour, further requests from that IP address are blocked for a defined length of time. To choose the threshold, review your server logs: find the rate at which legitimate clients request the page during busy periods and the rate at which the abusive clients request it, and set the limit between the two, comfortably above normal use and below the attack rate. Note that per-IP rate limiting is most effective against application-layer floods (streams of HTTP requests that exhaust the web server); a volumetric attack that saturates your network link must be absorbed upstream, before it reaches your servers. Revisit the thresholds over time as your traffic patterns change.

Rate limiting for brute-force attacks works in the same way, but the rule is applied to the login endpoint and the window is much shorter. In a brute-force attack the login requests arrive far faster than a person can type, for example 5 login attempts within 30 seconds, so the limit is set at a rate that a human user would not reach but an automated tool exceeds almost immediately. Because attackers also spread their guesses across many IP addresses, it helps to count attempts against the target account as well as per source IP, so that a distributed attack on a single account is caught too. Keep the block duration for the login endpoint modest, so that an attacker cannot use the rule itself to lock legitimate customers out.
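To make the mechanism concrete, the following is an added illustration (not Solvature's or Cloudflare's code, and not part of the original post) of a sliding-window rate limiter keyed on a source, run over constructed request streams for both scenarios described above: a per-IP rule of 20 requests per hour with an hour-long block, and a login rule that blocks more than 5 attempts in 30 seconds, keyed on both the source IP and the target account. The IP addresses, account names, timestamps and the 15-minute login block duration are all assumptions chosen for the example.

```python
from collections import defaultdict, deque


class SlidingWindowRateLimiter:
    """Per-key sliding window: more than `limit` events inside any `window`
    seconds puts the key into a block that lasts `block_for` seconds."""

    def __init__(self, limit, window, block_for):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self._events = defaultdict(deque)  # key -> timestamps still inside the window
        self._blocked_until = {}           # key -> time at which its block expires

    def allow(self, key, now):
        """Record one event for `key` at time `now`; return True if it may proceed."""
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return False               # block still active: reject outright
            del self._blocked_until[key]   # block expired: start counting afresh
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()                    # forget events older than the window
        q.append(now)
        if len(q) > self.limit:
            self._blocked_until[key] = now + self.block_for
            q.clear()
            return False
        return True


def verdicts(limiter, events):
    """Feed (key, timestamp) pairs through `limiter`; return one bool per event."""
    return [limiter.allow(key, t) for key, t in events]


def ddos_demo():
    """Threshold of 20 requests per hour per IP, one-hour block (figures from the text).
    Traffic is constructed: one normal shopper and one flooding client."""
    limiter = SlidingWindowRateLimiter(limit=20, window=3600, block_for=3600)
    shopper = [("198.51.100.7", t) for t in range(0, 3600, 300)]  # 12 requests, 1 per 5 min
    flood = [("203.0.113.9", t) for t in range(0, 25)]             # 25 requests in 25 s
    late = [("203.0.113.9", 3625)]                                 # after the block lapses
    return {
        "shopper": verdicts(limiter, shopper),
        "flood": verdicts(limiter, flood),
        "after_block": verdicts(limiter, late),
    }


class LoginRateLimiter:
    """Brute-force guard: more than `limit` attempts in `window` seconds blocks
    for `block_for` seconds, keyed on the source IP AND on the target account,
    so guesses spread across many IPs against one account are still caught."""

    def __init__(self, limit=5, window=30, block_for=900):  # 15 min block is an assumption
        self.by_ip = SlidingWindowRateLimiter(limit, window, block_for)
        self.by_account = SlidingWindowRateLimiter(limit, window, block_for)

    def allow(self, ip, username, now):
        # Evaluate both counters (no short-circuit) so each records the attempt.
        ip_ok = self.by_ip.allow(ip, now)
        acct_ok = self.by_account.allow(username.lower(), now)
        return ip_ok and acct_ok


def brute_force_demo():
    """Constructed login streams: one hammering IP, a distributed botnet, and a human."""
    guard = LoginRateLimiter()
    # One IP guessing 8 passwords for "alice" in 8 seconds.
    single = [guard.allow("203.0.113.9", "alice", t) for t in range(8)]
    # Eight different IPs, one guess each against "bob", all within 8 seconds:
    # a per-IP rule alone would allow every one of these.
    spread = [guard.allow(f"192.0.2.{i}", "bob", i) for i in range(8)]
    # A person typing two wrong passwords and then the right one over a minute.
    human = [guard.allow("198.51.100.7", "carol", t) for t in (0, 20, 45)]
    return {"single_ip": single, "distributed": spread, "human": human}


if __name__ == "__main__":
    print(ddos_demo())
    print(brute_force_demo())
```

In the flood stream the 21st request trips the block and the remaining four are rejected, while the shopper is never touched; once the hour-long block lapses the client is counted afresh. In the login streams the hammering IP and the distributed botnet are both stopped after the fifth attempt, but only because the login guard keys on the account as well as the IP; the human's three attempts spread over a minute pass. A hosted service such as Cloudflare applies the same kind of rule at the edge, before the requests reach your server.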

Rate limiting can be enabled through Cloudflare, which is included in all of Solvature's hosting management plans. Cloudflare provides services that enhance website security and performance, and because its rate-limiting rules are applied at its edge network, abusive requests are blocked before they reach your servers. By enabling rate limiting, you can protect your business against both DDoS and brute-force attacks.