Why traditional rate limiting falls short against DDoS attacks

In the fast-evolving landscape of cybersecurity, staying ahead of threats is paramount. Security operations centre (SOC) teams are on the frontlines every day, dealing with the consequences as emerging threats outsmart traditional rate limiting protections.


Sharon Shitrit, director, product management for Radware, says that given recent shifts in the threat landscape, it’s time to take a look at innovative automated security measures.

Rate limiting is a security technique used to control and manage traffic flows to a network, particularly in the face of Distributed-Denial-of-Service (DDoS) attacks. It is designed to restrict traffic that exceeds a certain threshold level, such as connections rate, packet rate, bandwidth or other.


Administrators are required to be security experts and define these thresholds in advance to prevent network congestion and sudden traffic spikes.


While rate limiting techniques can be valuable for traffic shaping, they become less effective in the face of advanced multi-vector DDoS attacks and especially application Web DDoS vectors. Today’s Web DDoS vectors imitate legitimate traffic to thwart security systems and lead to collateral damage to the legitimate traffic.


These attacks have been observed at several million RPS, impacting major enterprises and lasting for hours.


For example, recently a large European hospital network was the target of a Web DDoS campaign. The network, which serves more than 10 million patients annually, became the target of an international hacktivist group that generated a dozen major attack waves over a period of six weeks.


The attack vectors were comprised of short bursts with up to 50K requests per second each and pseudo-random request headers that resembled legitimate requests.


Applying a naive rate limit in such scenario can lead to false positives, deny access from legitimate users, and severely damage the web service. Rate limiting is applied on all incoming traffic, without segmentation between the malicious and legitimate traffic, therefore it is a risk on legitimate traffic.


There are additional undesired impacts due to rate-limiting mechanisms:


Turns away website visitors
Using rate limiting to manage traffic can accidentally limit potential website visitors. Once a traffic threshold is exceeded, new connections get blocked, which might work well in an attack scenario, but not so well to accommodate a surge in online shopping traffic on Black Friday. This impacts the digital experience, brand reputation and sales.

Drives down conversion rates
Rate limiting does not just limit website traffic during an attack. It also makes the website slower for visitors who are already there. This can be frustrating for users and negatively impact conversion rates by discouraging them from making purchases, signing up for offers, or engaging with a site.


Creates endless configuration challenges for SOC operations
Rate limiting can not only hinder the user experience but also introduce a maintenance challenge for the SOC team. SOC teams face the ongoing task of tracking and fine-tuning configurations and thresholds. This continuous effort is necessary to adapt to changes in user behavior, evolving traffic patterns, and emerging cyber threats. The need for constant attention and manual adjustments highlights another limitation of relying solely on a rate limiting approach.


The shortcomings of rate limiting along with a rapidly evolving threat landscape is prompting organisations to critically reassess their security posture and consider more advanced protections.


Behavioural protection, for example, is a more sophisticated approach that unlike conventional rate limiting leverages machine learning to surgically,with precision and accuracy,detect and mitigate anomalies based on learned patterns of legitimate traffic.


The standout feature of behavioural protection lies in its ability to automatically adapt to the dynamic nature of modern DDoS attacks, and consistently learn from customer traffic to automatically fine-tune baselines. This ability to adapt enhances the security infrastructure, translating to an improved user experience and sustained business continuity, while also assisting the SOC team in focusing on critical tasks.

Relying on behavioural protections, SOC teams can optimise their operations and significantly reduce time to mitigate. Operating in real-time, behavioural protection swiftly identifies and responds to emerging threats, minimising the impact of attacks. This proactive approach substantially reduces false positives, ensuring minimal disruptions for legitimate users while surgically mitigating the attack traffic.


While rate limiting has historically served as a ‘good-enough’ defence, its pitfalls are being magnified by increasingly sophisticated threats designed to create severe collateral damage on legitimate traffic. Its ineffectiveness in mitigating complex attacks, impact on legitimate traffic, and challenges for the SOC are prompting organisations to rethink their reliance on this security approach.


As attacks evolve, so must security solutions. Behavioural-based protection offers enhanced accuracy, automation, adaptability, and fast time to mitigation—an approach that should be considered by any organisation wanting to modernise its security posture.