Using rate limiting for website protection has significant drawbacks when it comes to your business. Here are four ways rate limiting is costing you money, and what you can do about it.
There’s no point in being coy about it: if you use rate limiting to protect your website, then you’re probably losing business because of it.
Rate limiting is a frequently used tool to defend against network and application-level DDoS attacks against websites. When the rate of incoming requests becomes too great for the website to handle, rate limiting is applied to restrict the amount of incoming traffic.
To illustrate this concept, picture a public water conduit with clean water flowing through half of it. Now suppose the water being mixed with contaminated water from another river, doubling the volume of the water in the pipe and causing the conduit to overflow.
Traditional rate limiting will focus on limiting the total amount water flowing through the pipe. As a result, new water (contaminated or not) will be blocked from entering the pipe until the volume goes down. Although this may keep the water flowing, rate limiting measure will not block bad water from entering the pipe (or separate good water from bad water), leaving the entire flow contaminated.
Most cloud-based Web Application Firewall (WAF) services today use rate-limiting as the standard mitigation method for application-layer (L7) DDoS attacks. However, just because it’s a common practice does not mean that it’s a good way of protecting your website.
In practice, rate limiting has significant drawbacks with regards to website performance speeds, which – in turn – impact the revenue generated from the website, and ultimately your company’s bottom line.
Here are four ways rate limiting is losing you money:
1. Turning away visitors: Rate limiting restricts the number of connections to the website, which – in turn – restricts the number of visitors to the website. Above a certain traffic threshold, all new connections will be blocked.
Turning away visitors is particularly a problem during periods of peak traffic, such as holidays, sales promotions, or product launches which generate flash crowds. Instead of helping you protect your website during these critical times of peak revenue, rate limiting actually inhibits your website’s ability to serve visitors.
As web page speed is also a factor in Google’s SEO rankings, this means that with rate limiting, customers will be less likely to find, reach, or browse your website.
2. Decreasing conversion rates: Rate limiting will not only stop new visitors from reaching your website, but will also slow down visitors who are already on your website.
Website performance is a well-known key factor in impacting shopping conversion rates. Forty percent of visitors will abandon a page that takes more than three seconds to load, and studies have shown that a one-second improvement in load-time can improve conversion by 7%.
The average web page is now over 3.3 MB in size and generates over 30 TCP connections per page. Rate limiting will inevitably slow web page performance, even for users who are able to connect, because of incomplete connections and page time-outs. These users will be far less likely to convert, meaning that online shopping revenues will be reduced.
3. Shopping cart abandonment: Another aspect of reduced website performance by rate limiting is shopping cart abandonment. Studies show that almost 70% of shopping carts are abandoned even after customers have already placed products in them. However, 67% of U.K. shoppers and 51% of U.S. shoppers have said that site slowness is the top reason they’ve abandoned a purchase. Using rate limiting will increase page load times, and therefore increase shopping cart abandonment.
These figures show that websites that rely on online purchases and shopping have enough of a challenge getting customers to convert even without the added burden of rate limiting. These are pretty compelling numbers to keep in mind when considering rate limiting as a means of protecting your website.
4. Doesn’t stop the bad guys: Finally, it needs to be pointed out that rate limiting doesn’t actually stop bad traffic from reaching your website. Rate limiting – as the name implies – limits the rate of incoming connections. It is a brute-force mechanism for capping the amount of total traffic.
However, rate limiting does not distinguish between good and bad traffic. Rather, it will just reduce the overall amount of traffic to levels that your server hardware can handle. Moreover, the ratio between legitimate and malicious traffic will not change, and bad traffic will still reach your website. If a DDoS attack is flooding your website with 50% bad traffic, then after applying rate limiting, the ratio of bad traffic will still be 50%…
Going back to the water pipe example above, rate limiting will restrict the total amount of overflowing water, but it will not make the water clean, nor will it block contaminated water. Rather, you will still have to deal with a mix of clean and contaminated water – which will usually render all of it unfit for consumption.
So what can you do about it?
If you’re looking to protect your website without the drawbacks of rate limiting, you should consider going positive.
Rate limiting is an example of a ‘negative’ security model, which is based on identifying bad traffic and restricting it, while by default allowing everything else to go through.
In contrast, a positive security model is based on identifying legitimate traffic, and by default blocking everything that does not conform to it. Such defense mechanisms are usually based on behavior-based machine learning technologies, which can establish traffic baselines and build security policies to conform to them.
When it comes to defending your website against application-layer attacks such as HTTP floods and SSL-based DDoS attacks, you need defense mechanisms that can figure out on its own which traffic is legitimate, and which traffic is not, so you don’t have to resort to brute-force methods such as traffic rate limiting.
This way, you can ensure that traffic spikes are handled correctly, your website’s online shopping potential is maximized, and your company does not miss revenue as a result of legitimate users being blocked.
Read “Top 9 DDoS Threats Your Organization Must Be Prepared For” to learn more.
Eyal is a Product Marketing Manager in Radware’s security group, responsible for the company’s line of cloud security products, including Cloud WAF, Cloud DDoS, and Cloud Malware Protection. Eyal has extensive background in security, having served in the Israel Defense Force (IDF) at an elite technological unit. Prior to joining Radware, Eyal worked in Product Management and Product Marketing roles at a number of companies in the enterprise computing and security space, both on the small scale startup side, as well as large-scale corporate end, affording him a wide view of the industry. Eyal holds a BA in Management from the Interdisciplinary Center (IDC) Herzliya and a MBA from the UCLA Anderson School of Management.