It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

How to Configure Rate Control

  • Last updated on

Rate Control

The Rate Control policy defines shareable policies for controlling the rate of requests to a web application. The Client/HTTP requests are delivered to an application server, or parts of it, which can get overloaded with peak traffic and create high response at times. The Barracuda Web Application Firewall Rate Control policy prevents application servers from being overloaded. A Rate Control pool specifies the maximum number of active requests and client backlogs along with a set of preferred clients. A preferred client specification defines a range of IP addresses and an associated weight. The Barracuda Web Application Firewall uses these weights to perform a weighted round robin scheduling between queues when forwarding requests to the application server from the rate control pool. You can set a Rate Control pool to limit the client requests. The Barracuda Web Application Firewall collects requests and queues them in the pool. The back-end application servers receive requests from the pool at the rate specified.

A default Rate Control pool is provided by the Barracuda Web Application Firewall that allows the easy set up of Rate Control. You can apply the Rate Control policy by associating a Rate Control pool to a service on the BASIC > Services page or to a URL policy on the BOT MITIGATION > Bot Mitigation page. To select a Rate Control pool, edit the desired service or add a URL policy. To create a custom Rate Control pool, go to the ADVANCED > Libraries > Rate Control Pool section and click Add Rate Control Pool

Before Setting Up a Rate Control Pool

Answer the following questions:

  1. What are the maximum simultaneous requests that can be served by the resource being protected? This determines the Maximum Active Requests setting.
  2. What, if any, are the bona fide gateways and mega-proxies that will be accessing the protected resources? These are Preferred Clients. If they proxy client requests, assign a suitable weight to the proxy IP address, and if they relay a set of client IP addresses, then assign a weight to the range of IP addresses.
  3. What is the maximum queue to allow for IP addresses not defined in Step 2? This defines the Maximum per client backlog setting.
Benefits of a Rate Control Pool

A Rate Control pool helps defend against rate control attacks in the following ways:

  • It throttles attackers attempting to flood the application with DoS attacks. The requests get queued for weighted round robin scheduling, slowing down the request rate seen by the server.
  • It protects load-sensitive applications, such as search or DBMS intensive applications, from application DoS attacks.
  • It allows bona fide gateways and mega-proxies access while preventing attacks.
Scheduling Algorithm for Rate Control Pool

The scheduling algorithm between queues is a weighted round robin. Implicitly, the weight of each unconfigured client queue is 1. For example, a preferred client is defined with weight 5 and at a given time the Barracuda Web Application Firewall has queues for 2 unconfigured clients with a few requests in each. The Barracuda Web Application Firewall will serve 1 request from each unconfigured client queue followed by 5 requests from the preferred client queue.

Rate Control policies can be specified per service or per URL policy. Rate Control pools are defined on the ADVANCED > Libraries page. These Rate Control pools are globally shareable among services, among URL policies, or among both. The created Rate Control pool can be associated with multiple services on the BASIC > Services page when you edit a service in the Services section. It can also be associated with multiple URL policies on the BOT MITIGATION > Bot Mitigation page when you add a URL policy in the Bot Mitigation Policy section.

Customizing Rate Control Pool

From the ADVANCED > Libraries > Rate Control Pool page, use Edit or Add Rate Control Pool to customize a Rate Control pool. Set the following values:

  • Rate Control Pool Name – Enter a name for the new Rate Control pool.
  • Maximum Active Requests – Enter the maximum number of active requests processed at a given time by the Barracuda Web Application Firewall. An active request is a request that has not fully completed.
  • Maximum per client backlog – Enter the number of requests per client IP address that will be queued when the Barracuda Web Application Firewall has reached the Maximum Active Requests limit. For example, if Maximum Per Client Backlog is set to 32 and the Barracuda Web Application Firewall is processing the default 100 Maximum Active Requests, then for any given client IP, the Barracuda Web Application Firewall will queue up to 32 requests. Any requests after that will be dropped until a request is deleted from the queue.
  • Maximum Unconfigured Clients – Enter the maximum number of unconfigured clients. All clients that are not preferred clients are unconfigured clients. For each unique client IP, the Barracuda Web Application Firewall will maintain an individual backlog queue. For example, if Maximum Unconfigured Clients is set to 100 and Maximum Per Client Backlog is set to 32, the Barracuda Web Application Firewall will maintain 100 queues each with 32 pending requests, a total of 3200 pending requests.

Click Add to save the configuration.

Use Add Preferred Clients to add a single or range of IP addresses to the pool that gets preferred treatment. Each preferred client has a configured Weight and its own queue containing Max Per Client Backlog times Weight. For example, if Max Per Client Backlog is set to 32 and preferred client Weight is set to 5, then the queue size will be 32 x 5. If the preferred client queue contains a range of IP addresses, the queue will include all requests from all the clients falling within that range.

Creating Preferred Clients

Click Add Preferred Clients, under Options. The Add Preferred Client window appears. Specify values for the following fields:

  • Name – Enter the name for the client weight.
  • Status – Sets the status of the preference. Enabling this makes the client IP address range a preferred list of IP addresses.
  • Preferred Client IP Range – Enter the IP address or the range of IP addresses (for example: 10.0.0.1 – 10.0.0.10) that will be treated in a preferential manner. Preferred client is an IP address or a range of IP addresses with an associated weight.
  • Weight – Enter the weight for the range of IP addresses. These IP addresses are evaluated in the order of their weights; the higher the weight the higher the precedence (1 is the lowest priority and 100 the highest priority).

Click Add to save the configuration.

Click Delete to delete the created Rate Control pool from the list.