5.2.5 Ensure rate limits by IP address are set

Information

Rate limiting should be enabled to limit the number of requests an IP address may make to a server in a given period of time. The configuration values should be set based on your application's needs and your organizational policy.

Rationale:

Rate limiting allows you to mitigate potential denial of service attacks as a defense in depth mechanism.

Impact:

If you serve a high traffic API, this may prevent users from being able to call your website. You may also limit users behind a corporate web proxy or a proxy service such as tor if they use your website heavily.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Implement the below directives under the HTTP and server blocks of your nginx configuration or any include files. The below configuration creates a memory zone of 10 megabytes called 'ratelimit' and sets the number of requests per second that can be sent by any given IP address to 5. Further, this configuration sets a burst of 10 to ensure that requests may come more frequently and sets no delay to ensure that the bursting may be all at once and not queued.

http {
limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=5r/s;
server {
location / {
limit_req zone=ratelimit burst=10 nodelay;
}
}
}

Default Value:

This is not set by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: cdbb521d5043ef9c281e8dc23438a67c78266ed8def4dab9a85fb68aa53908d0