vmod throttle xmlrpc protection does not work as expected

georgi.int at gmail.com
Fri Apr 15 09:33:00 CEST 2016

I am using the following implementation to limit attacks on 
wp-login.php and xmlrpc.php, but when I test with Apache Benchmark (or 
when there is an attack) with 1000 concurrent requests and the following 
configuration, only 5 requests out of 1000 fail:

if (req.url ~ "(wp-login.php|xmlrpc.php)") {
    # is_allowed() returns the time to wait; 0s means the request is allowed
    if (throttle.is_allowed("host:" + req.http.host, "10req/s") > 0s) {
        error 429 "Calm down";
    }
}

Is this normal behavior, and why are so few requests blocked? Is there 
any information that describes how these requests are handled, and a 
solution to this problem? If I set the throttle to 1 request it works, 
but this is super stupid, and I can't understand why the throttle does 
nothing at a limit of 10 requests/s. If I can't solve this issue I 
should replace Varnish with something else, so I would be really 
thankful if you could help with this.
