Rate limiting is a traffic control mechanism that restricts how many requests, packets, or connections a client (user, IP address, device, or bot) can make to a server, network resource, or website within a specific time period.
It acts like a digital traffic cop: it prevents any single source from overwhelming the system, ensuring fair access, protecting against abuse, and maintaining performance and availability.
Why It's Used
- Prevent overload: Stops servers or networks from being flooded (e.g., during traffic spikes or attacks).
- Mitigate attacks: Defends against DDoS (Distributed Denial of Service), brute-force login attempts, credential stuffing, and web scraping bots.
- Ensure fairness: Stops one user or bot from consuming all resources, allowing legitimate traffic to flow.
- Cost control: In cloud environments, it helps manage bandwidth, CPU, and API usage costs.
- Security & compliance: Limits automated abuse while allowing normal human or app behavior.
For TCP you can define:
- Per port, rate of connections from a single IP
- Maximum concurrent connections to the port (for all IPs)
For UDP
- Per port, rate of connections from a single IP
Note: Connections from localhost are automatically excluded from all rate limiting.
Configuration
First you will need to configure the ports to protect, the rate per port, and the maximum number of concurrent connections for each protected TCP port. The engine uses two files, one for TCP ports, one for UDP ports. The files are:
/var/awp/etc/firewall/rate-limit-tcp
/var/awp/etc/firewall/rate-limit-udp
TCP
The format for the /var/awp/etc/firewall/rate-limit-tcp file is one line, per port:
port:rate:time_period:time_window:max_concurrent_connectionsThe fields are:
- port: The port you want to limit connections to do, for example 80.
- rate: The maximum number of connections to allow from a single IP, within a specific period of time (defined in time_period and time_window)
- time_period: The time period to use. The following periods are support: seconds, minutes or hours. For example, "seconds".
- time_window: The amount of time for the period, for example 1.
- max_concurrent_connections: The total number of SYN connections allowed from all IPs.
Example:
80:10:seconds:2:100 443:5:seconds:5:10
In this example, the first line means:
- Port 80 is rate limited
- To 10 new connections, per every 2 seconds, from the same IP
- With no more than 100 SYN packets allowed in from all IPs
And the second line means:
- Port 443 is rate limited
- To 5 new connections, per every 5 seconds, from the same IP
- With no more than 10 SYN packets allowed in from all IPs
UDP
The format for the /var/awp/etc/firewall/rate-limit-udp file is one line, per port:
port:burst_limit:time_period:time_window- port: The port you want to limit connections to do, for example 80.
- burst_limit: The number of connections at which the limit is applied, any connections above this limit will be limited per the time_period/time_window settings below.
- time_period: The time period to use. The following periods are supported: second, minute or hour. For example, "second".
- time_window: The amount of time for the period, for example 1.
Important Note:
Example:
53:100:second:10 2049:100:minute:1
Note: UDP is connectionless, so there are no concurrent connections.
In this example, the first line means:
- Port 53 is rate limited
- Once 100 connections occur, limit connections to 10 per second.
And the second line means:
- Port 2049 is rate limited
- Once 100 connections occur, limit connections to 1 per second.
Enabling/Disabling
You can enable/disable this feature in the UI by navigating to Hub Configuration > Hub Configuration > Firewall > Rate Limit TCP and UDP connections