As a Notify owner, I need to defend against malicious attacks. Services are allowed up to 3000 hits per minute on our API - more than that and we invoke a rate limit. Now that we are past Covid, we can reduce this back to 1000.
WHY are we building?
Lowering our rate limit will lower the size of fuzzing attacks.
WHAT are we building?
See if we can lower the WAF rate limit for the API. It was set high because we allowed Health Canada to send at a higher than typical rate for the Get Updates on Covid 19 service, but that service has been retired.
Gather API requests by IP and determine whether any services are nearing the current rate limit. If not, reduce the rate limit to a more acceptable number in line with current metrics.
VALUE created by our solution
Security, Security, Security!
Potential cost savings due to lower activity on WAF.
Acceptance Criteria
[ ] Determine the max rate limit across current services
[ ] Lower the WAF rate limit to this + 10%
[ ] Create a script that saturates the API that can be run locally
QA Steps
[ ] Use the newly created script to send from your laptop and see where you get rate-limited