Cloudflare Docs
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Find an appropriate rate limit

The Rate limit analysis tab in Security Analytics displays data on the request rate for traffic matching the selected filters and time period. Use this tab to determine the most appropriate rate limit for incoming traffic matching the applied filters.

​​ User interface overview

The Rate limit analysis tab is available at the zone level in Security > Analytics.

Screenshot of the Rate limit analysis tab in Security Analytics

The main chart displays the distribution of request rates for the top 50 unique clients observed during the selected time interval (for example, 1 minute) in descending order. You can group the request rates by the following unique request properties:

  • IP address
  • JA3 fingerprint (only available to customers with Bot Management)
  • IP address and JA3 fingerprint (only available to customers with Bot Management)

​​ Determine an appropriate rate limit

​​ 1. Define the scope

  1. Log in to the Cloudflare dashboard, and select your account and zone.

  2. Go to Security > Analytics.

  3. In the HTTP requests tab, select a specific time period:

    • To look at the regular rate distribution, specify a period with non-peak traffic.
    • To analyze the rate of offending visitors/bots, select a period corresponding to an attack.
  4. Apply filters to analyze a particular situation in your application where you want to apply rate limiting (for example, filter by /login URL path).

  5. (Optional) To focus on non-automated/human traffic, use the bot score quick filter in the sidebar.

​​ 2. Find the rate

  1. Choose the request properties (JA3, IP, or both) and the duration (1 min, 5 mins, or 1 hour) for your rate limit rule. The request properties you select will be used as rate limiting rule characteristics.

  2. Use the slider in the chart to move the horizontal line defining the rate limit. While you move the slider up and down, check the impact of defining a rate limiting rule with the selected limit on the displayed traffic.

    User adjusting the rate limit in the Rate limit analysis chart to check the impact on recent traffic

​​ 3. Validate your rate

  1. Repeat the rate selection process described in the previous section, but selecting a portion of traffic where you know there was an attack or traffic peak. The rate you have chosen should block the outlier traffic during the attack and allow traffic during regular periods.

  2. (Optional) Check the sampled logs to verify the fingerprints and filters you selected.

​​ 4. Create a rate limiting rule

  1. Select Create rate limit rule to go to the rate limiting creation page with your filters, characteristics, and selected rate limit pre-populated.

  2. Select the rule action. Depending on your needs, you can set the rule to log, challenge, or block requests exceeding the selected threshold.

    It is recommended that you first deploy the rule with the Log action to validate the threshold, and change the action later to block or challenge incoming requests when you are confident about the rule behavior.

  3. To save and deploy your rate limiting rule, select Deploy. If you are not ready to deploy your rule, select Save as Draft.