Public-facing sites are exposed to DoS attacks. If your Issuetrak site is public-facing, then you might want to mitigate the potential impact of such attacks by implementing rate limiting.
You can directly utilize the IIS settings on your web server in order to implement rate limiting, or you can deploy your Issuetrak site with rate limiting by adjusting the site's JSON prior to the deployment of your site. Both methods ultimately utilize the IP and Domain Restrictions module in IIS to do the heavy lifting. This article deals with the direct IIS configuration method.
Requirements
On the web server, you will need IP and Domain Restrictions installed. Within Server Roles, you can find it within Web Server (IIS) > Web Server > Security. Once installed, you may need to reboot. Afterwards, you can move on to configuring it in the next section.
IIS Configuration
Steps:
1. Open IIS.
2. From the Sites menu, click on the site that you want to implement rate limiting for.
3. From the list of modules and features, click on IP Address and Domain Restrictions.
4. Click on Edit Dynamic Restriction Settings on the right menu.
5. Check the box next to "Deny IP Address based on the number of requests over a period of time".
6. Populate the "Maximum number of requests" and "Time Period" fields with your desired values. You will want to tune these values to your site usage in order to ensure that you're not blocking legitimate traffic.
   - As an example, if you want to start blocking traffic from any IP that sends 100 requests to the site within 60 seconds, then you'd enter a value of "100" for requests, combined with a time period (in milliseconds) of "60000". This is a fair baseline for most sites. You may want to adjust it downward to clamp traffic more aggressively.
7. (Optional) To conduct a trial run of the rate limiting settings you just entered, you can check the box next to Enable Logging Only Mode.
   - This will log traffic that runs afoul of the rate limits you set, but it will not block that traffic. This can be a good idea if you want to profile your site traffic.
   - Site requests that are logged in this way will appear in the IIS log for the site as a status code 200, with a substatus code of 502.
8. Click OK to save the settings you entered.
9. Click Add Allow Entry.
10. In the Specific IP Address field, enter 127.0.0.1. This is necessary to allow the site's internal components to communicate with each other without interference from the rate limiting.
11. Click OK.
12. Repeat steps 10 and 11 for the web server's internal network IP, if desired.
13. Repeat steps 10 and 11 for any load balancers or web server endpoints that might serve traffic to this web server.
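The same configuration can be applied from PowerShell, which is useful when you manage more than one web server or want the settings under version control. The script below is an added example, not code from the Issuetrak article or product: it uses the WebAdministration module to set the same request-rate threshold, Logging Only Mode and allow entries that the steps above set through IIS Manager. The site name `Issuetrak` and the internal address `10.0.0.5` are assumptions; replace them with your own site name and the internal NIC or load balancer addresses you would otherwise enter by hand.

```powershell
# Added example (not from the Issuetrak article): apply the Dynamic IP Restriction
# settings from the steps above with the WebAdministration module instead of IIS Manager.
# Run in an elevated PowerShell session on the web server.
Import-Module WebAdministration

$SiteName    = 'Issuetrak'                 # assumption: the name of your Issuetrak site in IIS
$AllowList   = @('127.0.0.1', '10.0.0.5')  # 127.0.0.1 is required; 10.0.0.5 is a constructed internal/LB address
$MaxRequests = 100                         # article baseline: 100 requests ...
$IntervalMs  = 60000                       # ... within 60 seconds (field is in milliseconds)
$LoggingOnly = $true                       # trial run first; set to $false to enforce blocking

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Dyn     = 'system.webServer/security/dynamicIpSecurity'
$Rate    = "$Dyn/denyByRequestRate"

# Steps 5-7: "Deny IP Address based on the number of requests over a period of time"
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Rate -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Rate -Name 'maxRequests' -Value $MaxRequests
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Rate -Name 'requestIntervalInMilliseconds' -Value $IntervalMs
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Dyn  -Name 'enableLoggingOnlyMode' -Value $LoggingOnly

# Steps 9-13: allow entries so the site's internal components, the server's own
# address and any load balancers are never throttled. Skip addresses already present.
$IpSec = 'system.webServer/security/ipSecurity'
foreach ($ip in $AllowList) {
    $existing = Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$IpSec/add[@ipAddress='$ip']" -Name 'allowed' -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $IpSec `
            -Name '.' -Value @{ ipAddress = $ip; allowed = $true }
    }
}

# Read the effective settings back so the change can be reviewed before users are affected
Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $Rate |
    Select-Object enabled, maxRequests, requestIntervalInMilliseconds
Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $Dyn |
    Select-Object enableLoggingOnlyMode
Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter "$IpSec/add" |
    Select-Object ipAddress, allowed
```

The script writes to the site's location tag in applicationHost.config, which is exactly where IIS Manager stores these settings, so the two methods can be mixed freely. Keep `$LoggingOnly` at `$true` until the log review below shows that only abusive clients are being flagged.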
Afterwards, verify that you and the end users can get to the site without any problems.
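Part of that verification, when Logging Only Mode is on, is finding out which clients would have been blocked and whether any of them are legitimate. The function below is an added example, not part of the Issuetrak article: it reads the site's W3C-format IIS log, locates the `c-ip`, `sc-status` and `sc-substatus` columns from the `#Fields:` header, and counts the substatus-502 entries per client address. The log lines embedded in it are constructed sample data, and the log path in the usage line is an assumption; substitute the path of your site's log folder.

```powershell
# Added example (not from the Issuetrak article): summarise which client IPs tripped the
# request-rate limit. Works on the site's W3C IIS log; the sample lines are constructed.
function Get-RateLimitHits {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    $hits   = @{}   # client IP -> @{ Count = n; Statuses = set of "status.substatus" seen }

    foreach ($line in $LogLines) {
        # The #Fields: header defines the column order for the entries that follow it
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $null -eq $fields) { continue }

        $cols   = $line -split ' '
        $ip     = $cols[[array]::IndexOf($fields, 'c-ip')]
        $status = $cols[[array]::IndexOf($fields, 'sc-status')]
        $sub    = $cols[[array]::IndexOf($fields, 'sc-substatus')]

        # Logging Only Mode records a would-be block as 200 with substatus 502 (see step 7);
        # the status is kept alongside the count so enforced and logged-only hits can be told apart.
        if ($sub -ne '502') { continue }
        if (-not $hits.ContainsKey($ip)) { $hits[$ip] = @{ Count = 0; Statuses = @{} } }
        $hits[$ip].Count++
        $hits[$ip].Statuses["$status.$sub"] = $true
    }

    $hits.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Key
            Hits     = $_.Value.Count
            Statuses = ($_.Value.Statuses.Keys | Sort-Object) -join ','
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample log (default IIS W3C field set), not real traffic
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2024-01-15 10:00:01 10.0.0.10 GET /Issuetrak/Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31',
    '2024-01-15 10:00:02 10.0.0.10 GET /Issuetrak/Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 502 0 2',
    '2024-01-15 10:00:02 10.0.0.10 GET /Issuetrak/Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 502 0 2',
    '2024-01-15 10:00:03 10.0.0.10 GET /Issuetrak/Login.aspx - 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 40'
)
Get-RateLimitHits -LogLines $sample        # 203.0.113.7 with 2 hits; 198.51.100.4 is not listed

# Against a real site log (path is an assumption; use your site's W3SVC<id> folder):
# Get-RateLimitHits -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240115.log')
```

If an address you recognise as a load balancer, monitoring probe or internal system appears in the output, add it as an allow entry (steps 9 through 13) rather than loosening the threshold for everyone; if the flagged addresses are all unknown external clients, the threshold is doing its job and Logging Only Mode can be switched off.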