Volumetric Abuse Detection
Cloudflare Volumetric Abuse Detection helps you set up a system of adaptive rate limiting.
For example, your API might see different levels of traffic to a /reset-password endpoint than a /login endpoint. Additionally, your /login endpoint might see higher than average traffic after a successful marketing campaign.
These two scenarios speak to the limitations of traditional rate limiting. Not only does traffic vary between endpoints, but it also can vary over time for the same endpoint. Volumetric Abuse Detection solves these problems with unsupervised learning to develop separate baselines for each API and better adjust to changes in user behavior.
Volumetric Abuse Detection rate limits are generated on a per-session basis. Unlike traditional rate limits, which are based on IP addresses, Volumetric Abuse Detection rate limits are not as susceptible to false positives when traffic to your API increases.
Volumetric Abuse Detection rate limits are a way to prevent blatant volumetric abuse while minimizing false positives. If you are trying to prevent abusive bot traffic altogether, refer to Cloudflare’s .
Volumetric Abuse Detection analyzes your API’s individual session traffic statistics to recommend per-endpoint, per-session rate limits.
After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in Security > API Shield > Endpoint Management on the Cloudflare dashboard. Recommendations will continue to update if your traffic pattern changes.
Observe rate limits
Once rate limit recommendations appear in Endpoint Management, select the endpoint row to view more detail about the recommendation. You will see the overall recommended rate limit value, as well as p99, p90, and p50 rate limit values.
Cloudflare recommends choosing the overall rate limit recommendation, as our analysis includes the variance of the request rate distribution across your API sessions. Choosing a single p-value may cause false positives due to a high number of outliers.
In Endpoint Management, you can review our confidence in the recommendation and how many unique sessions we have seen over the last seven (7) days. In general, endpoints with fewer unique sessions and high variability of user behavior will have lower confidence scores.
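The difference between per-IP limits and per-endpoint, per-session baselines can be seen on a small sample. The following is an added example, not Cloudflare's code or its recommendation algorithm: it computes nearest-rank p50/p90/p99 of per-session request counts for each endpoint and compares which keys a per-IP and a per-session limit would flag. The request tuples, IP addresses, session names and the static limit of 10 are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample (not real traffic): one (session_id, client_ip, endpoint)
# tuple per request, all within a single observation window.
def build_sample():
    reqs = []
    # 20 office users share one NAT IP; each logs in 1 to 3 times.
    for i in range(20):
        reqs += [(f"s{i}", "198.51.100.7", "/login")] * (1 + i % 3)
    # 10 home users on distinct IPs, one password reset each.
    for i in range(10):
        reqs += [(f"h{i}", f"203.0.113.{i}", "/reset-password")]
    # One session hammering /reset-password from its own IP.
    reqs += [("abuser", "192.0.2.50", "/reset-password")] * 40
    return reqs

def rates(requests, key):
    """Request counts grouped by endpoint, then by 'session' or 'ip'."""
    idx = 0 if key == "session" else 1
    counts = Counter((r[2], r[idx]) for r in requests)
    out = defaultdict(dict)
    for (endpoint, k), n in counts.items():
        out[endpoint][k] = n
    return out

def percentile(values, p):
    """Nearest-rank percentile (integer p in 1..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, -(-p * len(ordered) // 100))  # integer ceiling division
    return ordered[rank - 1]

def baselines(requests):
    """p50/p90/p99 of per-session request counts for each endpoint."""
    return {ep: {p: percentile(list(by.values()), p) for p in (50, 90, 99)}
            for ep, by in rates(requests, "session").items()}

def over_limit(requests, key, limits):
    """(endpoint, key) pairs whose count exceeds that endpoint's limit."""
    return {(ep, k) for ep, by in rates(requests, key).items()
            for k, n in by.items() if n > limits[ep]}

if __name__ == "__main__":
    reqs = build_sample()
    static = {"/login": 10, "/reset-password": 10}  # assumed static limit
    print("per-session baselines:", baselines(reqs))
    print("flagged per IP:       ", over_limit(reqs, "ip", static))
    print("flagged per session:  ", over_limit(reqs, "session", static))
```

With the static limit of 10, per-IP counting flags the shared NAT address on /login along with the abusive client, while per-session counting flags only the `abuser` session.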
Create rate limits
To create rate limits:
- Log in to the , and select your account and domain.
- Go to Security > API Shield.
- In Endpoint Management, select an endpoint.
- Select Create rule to be automatically redirected to the rules dashboard.
- Give your rule a name, action, and duration.
- Select Deploy to activate your rule.
Volumetric Abuse Detection is only available for Enterprise customers. If you are an Enterprise customer and interested in this product, contact your account team.