Level 15 · Overwhelmed
WAF VS RATE LIMITER

Stage 4 · WAF vs Rate Limiter · DDoS Mitigation · Filter Strength

Overwhelmed

Bot Flood's attacker is back with a botnet ten times the size. Whatever filtered through last time isn't cutting it — the leaked traffic alone is enough to bury your origin. A rough volumetric shield was fine before; this flood needs tighter inspection at the edge.

Requirements

Functional

  • ·Legitimate customers stay served through a much larger botnet attack than before

Non-functional

  • ·~2,500 requests/sec total
  • ·96% malicious
  • ·p99 latency ≤ 250ms under fire
  • ·availability ≥ 97% for legitimate users

Constraints

  • ·Budget: $10/hr or less
  • ·It's not enough for the filter to block most attackers — what leaks through must itself stay under the origin's real capacity

Out of scope

  • ·IP-reputation lists
  • ·Custom WAF rule authoring

TrafficRequests per second — the rate of incoming traffic this level throws at your system.

~2500 r/s · read-heavy
90% reads · 10% writesWhat fraction of requests are reads (fetches) vs writes (updates) — this decides which components sit on the hot path.· 96% bot trafficMalicious/automated requests mixed into normal traffic. They never get cache hits, and only count against you if they get through — a WAF or rate limiter can filter them out.

Win conditions

  • p99 latency99% of requests finish at or under this time — a stricter tail-latency bar than p95 that catches worst-case slowness.≤ 250ms
  • availabilityThe share of legitimate requests that succeeded, out of everything sent your way. 99% still means 1 in 100 users saw an error.≥ 97%
  • throughputHow many requests per second your system actually completed — not requested, completed.≥ 90 r/s
  • error rateThe share of requests that failed outright: timeouts, drops, or capacity overload.≤ 3%
  • costWhat your architecture costs to run per hour, based on the instances and components you've wired up.≤ $10/hr
Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

Drag components from the right → connect their handles → Run.

Drag onto canvas

Components

Client

ClientWhere traffic originates.

Compute

API GatewayFront door — the app tier requests pass through.
500 r/s · 20ms · $2/hr
BackendA second compute tier for heavier processing.
350 r/s · 25ms · $2/hr

Storage

SQL DatabaseRelational store. Durable, but the lowest throughput.
200 r/s · 50ms · $3/hr
NoSQL DB3× the throughput of SQL — at a premium. Pay for it only when the load demands it.
600 r/s · 30ms · $4/hr
Redis CacheIn-memory read-cache — absorbs repeated reads. Useless for writes.
5000 r/s · 3ms · $2/hr
Read ReplicaRead-only copy of the primary — scales reads past the primary's own ceiling.
200 r/s · 55ms · $3/hr
DB StandbyHot backup that takes over only when the primary fails.
200 r/s · 50ms · $3/hr

Networking

CDNEdge read-cache — serves content near the user.
50000 r/s · 5ms · $1/hr
Load BalancerManaged, premium front door — highest ceiling, lowest latency, costs more.
10000 r/s · 2ms · $2/hr
Reverse ProxyCheaper self-hosted front door — lower ceiling, the smart buy under 8,000 r/s.
8000 r/s · 3ms · $1/hr

Messaging

QueueACKs writes instantly, drains them to storage — absorbs bursts, not sustained overload.
8000 r/s · 8ms · $1/hr

Security

WAFInspects requests — blocks ~95% of attack traffic at the edge.
20000 r/s · 3ms · $1/hr
Rate LimiterVolumetric shield — blocks ~80% of abusive traffic, barely any latency.
20000 r/s · 1ms · $1/hr