By default, all API Security rules are set to allow and monitor all traffic. Distil won’t block any requests for any reason.
To create a new security rule:
- Click ADD NEW RULE (highlighted in red, above) on the Domain Security Settings page.
- Within the TRAFFIC SECURITY RULES section, enter the desired security rule name in the Rule Name field.
- Enter the Specific Path to Match (actual API URL).
Complete the RATE LIMITING section to set graduated usage thresholds for normal and abnormal activity. You can also assign specific actions when any user session surpasses those limits.
Using graduated API rate limiting, you can set automated multi-tiered actions to heighten the response level when API activity becomes abusive.
Set an initial Requests Per Minute threshold to Monitor sessions that exceed 5 requests per minute, so that heightened levels of activity are recorded, and a second threshold to Block sessions that exceed 10 requests per minute (highlighted in red, above).
This sets a maximum amount of normal activity while blocking access once the activity becomes abusive.
Limit the number of Tokens Per IP.
Here, your company might have a pricing system based on the number of API uses or requests in an account. A client might create multiple accounts to avoid having to pay for additional requests. Set the security rule to Block traffic using more than one (1) Token Per IP, thereby blocking attempts to cycle through IPs while accessing your APIs.
Use the Access Control List to allow/deny all requests by IP Address, Country, Header, Organization, or Token.
Click Update Settings to save and apply your settings to the API path.
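To make the graduated thresholds concrete, here is an added Python example (not Distil's code, and not a description of how Distil implements the feature) that applies the same policy from a defender's side: a per-session sliding 60-second window that returns "allow" up to 5 requests per minute, "monitor" above 5, and "block" above 10, plus a Tokens Per IP check that blocks once a single IP address has presented more than one token. The request records, session and token names, and IP addresses are constructed for the example.

```python
from collections import Counter, defaultdict, deque

# Thresholds taken from the rule described in the text
MONITOR_RPM = 5          # sessions above this rate are flagged for monitoring
BLOCK_RPM = 10           # sessions above this rate are blocked
MAX_TOKENS_PER_IP = 1    # more than one token from one IP is blocked
WINDOW_SECONDS = 60      # "per minute" is evaluated over a sliding window


class GraduatedRateLimiter:
    """Assumed, simplified model of graduated rate limiting; not Distil's implementation."""

    def __init__(self, monitor_rpm=MONITOR_RPM, block_rpm=BLOCK_RPM,
                 max_tokens_per_ip=MAX_TOKENS_PER_IP):
        self.monitor_rpm = monitor_rpm
        self.block_rpm = block_rpm
        self.max_tokens_per_ip = max_tokens_per_ip
        self.hits = defaultdict(deque)        # session id -> request timestamps in window
        self.tokens_by_ip = defaultdict(set)  # client IP -> distinct API tokens seen

    def decide(self, ts, session, ip, token):
        """Return the action for one request: allow, monitor:rpm, block:rpm or block:tokens_per_ip."""
        # Tokens Per IP check: an IP cycling through several accounts/tokens is blocked
        self.tokens_by_ip[ip].add(token)
        if len(self.tokens_by_ip[ip]) > self.max_tokens_per_ip:
            return "block:tokens_per_ip"

        # Sliding-window Requests Per Minute for this session
        window = self.hits[session]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()           # drop requests older than the window
        count = len(window)

        if count > self.block_rpm:
            return "block:rpm"
        if count > self.monitor_rpm:
            return "monitor:rpm"
        return "allow"


# Constructed sample traffic: (timestamp_seconds, session, client_ip, api_token)
# sess-1 fires 12 requests in 12 seconds, then one more after the window has slid.
# sess-2 presents two different tokens from the same IP address.
SAMPLE_REQUESTS = (
    [(t, "sess-1", "198.51.100.10", "tok-A") for t in range(12)]
    + [(70, "sess-1", "198.51.100.10", "tok-A")]
    + [(0, "sess-2", "203.0.113.7", "tok-B"), (1, "sess-2", "203.0.113.7", "tok-C")]
)


def run(requests=SAMPLE_REQUESTS):
    """Evaluate requests in order; returns a list of (timestamp, session, decision)."""
    limiter = GraduatedRateLimiter()
    return [(ts, session, limiter.decide(ts, session, ip, token))
            for ts, session, ip, token in requests]


def summarize(decisions):
    """Count how many requests received each action."""
    return Counter(d for _, _, d in decisions)


if __name__ == "__main__":
    for ts, session, decision in run():
        print(f"t={ts:>3}s {session}: {decision}")
    print(summarize(run()))
```

For sess-1 the first five requests are allowed, requests six through ten are flagged for monitoring, requests eleven and twelve are blocked, and the request at t=70 is allowed again because the earlier burst has left the 60-second window. sess-2 is blocked on its second request because the same IP has now presented two tokens.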