DEV Community: Bhavy Yadav The latest articles on DEV Community by Bhavy Yadav (@bhavyyadav25). https://dev.to/bhavyyadav25 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F389390%2Fd6a668be-2936-46d2-92ae-7978d9673379.png DEV Community: Bhavy Yadav https://dev.to/bhavyyadav25 en Fixed Window, Leaky Bucket, Sliding Window: I Used All Three in a Production WAF. Here's Where Each One Broke. Bhavy Yadav Tue, 02 Jun 2026 15:56:42 +0000 https://dev.to/bhavyyadav25/fixed-window-leaky-bucket-sliding-window-i-used-all-three-in-a-production-waf-heres-where-each-3o84 https://dev.to/bhavyyadav25/fixed-window-leaky-bucket-sliding-window-i-used-all-three-in-a-production-waf-heres-where-each-3o84 <p>I was scrolling through access logs at 2 AM — not because an alert fired, but because something about the traffic shape I'd glanced at before bed felt wrong. The WAF was running. All counters looked healthy. Then I filtered by endpoint, and the login route told a different story: 4,300 credential stuffing attempts in the past hour, spread across 58 source IPs, every single one of them under my per-IP fixed window threshold. The attack had been running for hours. My rate limiter had never once fired.</p> <p>That was the night I stopped thinking about rate limiting as a solved problem.</p> <p>I built this WAF from scratch — started with NGINX and ModSecurity as the backbone, then migrated the core request pipeline to Go when the rule evaluation latency from ModSecurity became unacceptable. At peak, the system handles around 8,000 requests per second across the sites it protects. Not hyperscale, but enough that naive algorithm choices will hurt you in very specific and instructive ways.</p> <p>I've run fixed window, sliding window, and leaky bucket in production. Each one failed differently. None of them failed the way I expected from reading about them.</p> <h2> Rate Limiting Is Not the Problem It Looks Like </h2> <p>The interview version: <em>"Increment a counter. If it exceeds N, return 429."</em> Two Redis calls. Done.</p> <p>The production version: your WAF runs on multiple nodes behind a load balancer. Rate limit state is either local — in which case your effective limit per identity is <code>N × node_count</code>, and an attacker who hits all nodes gets 3x or 5x the throttle you intended — or it's centralized in Redis, in which case you've just made Redis a mandatory dependency on every single request. Under active attack, when you need rate limiting most, Redis is also under the highest load it will ever see.</p> <p>The latency constraint bites immediately. My self-imposed budget for the entire WAF pipeline — IP reputation check, rate limit, header inspection, rule engine — was 5ms added latency. Redis round trips run 0.4-0.8ms under normal load. Under attack, with key contention, I've seen them hit 6ms on their own. The rate limiter alone can blow the entire latency budget the moment traffic spikes.</p> <p>Then there's the false positive problem, which nobody talks about enough because it's not exciting. A false positive in a WAF doesn't generate a security incident. It generates a legitimate user getting a 429 they don't understand, giving up, and not coming back. False negatives get you breached. False positives just quietly erode whatever you're protecting. You will have both, and the people who care about each one have zero overlap.</p> <p>That's the context. Now here's what actually broke.</p> <h2> Fixed Window: Fast, Debuggable, and Exploitable by Anyone Who Can Read a Clock </h2> <p>I started with fixed window because the implementation is essentially free:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">fw</span> <span class="o">*</span><span class="n">FixedWindowLimiter</span><span class="p">)</span> <span class="n">Allow</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">key</span> <span class="kt">string</span><span class="p">,</span> <span class="n">limit</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">window</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">)</span> <span class="p">(</span><span class="kt">bool</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">windowSize</span> <span class="o">:=</span> <span class="kt">int64</span><span class="p">(</span><span class="n">window</span><span class="o">.</span><span class="n">Seconds</span><span class="p">())</span> <span class="n">bucketKey</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%s:%d"</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Unix</span><span class="p">()</span><span class="o">/</span><span class="n">windowSize</span><span class="p">)</span> <span class="n">pipe</span> <span class="o">:=</span> <span class="n">fw</span><span class="o">.</span><span class="n">redis</span><span class="o">.</span><span class="n">Pipeline</span><span class="p">()</span> <span class="n">incr</span> <span class="o">:=</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Incr</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">bucketKey</span><span class="p">)</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Expire</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">bucketKey</span><span class="p">,</span> <span class="n">window</span><span class="o">+</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">true</span><span class="p">,</span> <span class="n">err</span> <span class="c">// fail open — debatable, but my threat model allowed it</span> <span class="p">}</span> <span class="k">return</span> <span class="n">incr</span><span class="o">.</span><span class="n">Val</span><span class="p">()</span> <span class="o">&lt;=</span> <span class="n">limit</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Two pipelined Redis calls. O(1) storage per identity per window. The counter is a plain integer — you can inspect it with <code>redis-cli GET</code> at any time without understanding anything about the system. I liked how debuggable it was.</p> <p>The problem is the boundary. A fixed window resets on a schedule — top of the minute, top of the hour, whatever you pick. That reset time is observable. Any attacker watching <code>X-RateLimit-Reset</code> headers knows exactly when it happens.</p> <p>Here's the 58-IP attack that ran through my WAF undetected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Window: 60 seconds Limit: 100 req/min per IP T=58.2s → 35 requests from IP A (window 1 total: 35) T=59.1s → 65 requests from IP A (window 1 total: 100) ← at limit ────────── WINDOW RESETS ────────── T=60.0s → 80 requests from IP A (window 2 total: 80) ← fresh counter T=60.4s → 20 requests from IP A (window 2 total: 100) ← at limit again 200 requests in 2.2 seconds. Intended limit: 100 per 60 seconds. </code></pre> </div> <p>Each window looks correct in isolation. 100 in window 1, 100 in window 2. My monitoring was alerting on sustained violations — counters that stayed pegged at the limit across multiple consecutive windows. This attack never triggered that alert because each window had a gap. The burst was entirely invisible.</p> <p>Across 58 IPs all doing the same thing, that's 11,600 credential stuffing attempts in a 2-second window. The backend database handled 200 bcrypt comparisons that second. That's what woke it up in the logs.</p> <p>I added a parallel 5-second burst counter after this. <code>&lt;your_ip&gt;:burst:&lt;epoch/5&gt;</code>. It fires a separate alert if any IP exceeds 30 requests in a 5-second window, regardless of what the per-minute window says. The fix was not replacing fixed window — it was accepting that fixed window alone is incomplete and adding what it's missing.</p> <p>Fixed window is fine for coarse limits where boundary bursts don't create exploitable gaps: ingress byte caps, background job throttling, anything where 2x the intended rate for 2 seconds doesn't matter. On an authentication endpoint, it's the wrong tool.</p> <h2> Sliding Window: The Right Algorithm With a Memory Problem I Should Have Calculated First </h2> <p>After the fixed window incident, I switched login and payment endpoints to sliding window log. Store every request timestamp in a Redis sorted set, prune entries older than the window on each check, count what's left.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">sw</span> <span class="o">*</span><span class="n">SlidingWindowLog</span><span class="p">)</span> <span class="n">Allow</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">key</span> <span class="kt">string</span><span class="p">,</span> <span class="n">limit</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">window</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">)</span> <span class="p">(</span><span class="kt">bool</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">now</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span> <span class="n">cutoff</span> <span class="o">:=</span> <span class="n">strconv</span><span class="o">.</span><span class="n">FormatInt</span><span class="p">(</span><span class="n">now</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="o">-</span><span class="n">window</span><span class="p">)</span><span class="o">.</span><span class="n">UnixMicro</span><span class="p">(),</span> <span class="m">10</span><span class="p">)</span> <span class="n">nowScore</span> <span class="o">:=</span> <span class="kt">float64</span><span class="p">(</span><span class="n">now</span><span class="o">.</span><span class="n">UnixMicro</span><span class="p">())</span> <span class="n">pipe</span> <span class="o">:=</span> <span class="n">sw</span><span class="o">.</span><span class="n">redis</span><span class="o">.</span><span class="n">Pipeline</span><span class="p">()</span> <span class="n">pipe</span><span class="o">.</span><span class="n">ZRemRangeByScore</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="s">"0"</span><span class="p">,</span> <span class="n">cutoff</span><span class="p">)</span> <span class="n">count</span> <span class="o">:=</span> <span class="n">pipe</span><span class="o">.</span><span class="n">ZCard</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="n">pipe</span><span class="o">.</span><span class="n">ZAdd</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">redis</span><span class="o">.</span><span class="n">Z</span><span class="p">{</span><span class="n">Score</span><span class="o">:</span> <span class="n">nowScore</span><span class="p">,</span> <span class="n">Member</span><span class="o">:</span> <span class="n">now</span><span class="o">.</span><span class="n">UnixNano</span><span class="p">()})</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Expire</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">window</span><span class="o">+</span><span class="n">time</span><span class="o">.</span><span class="n">Second</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">true</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">count</span><span class="o">.</span><span class="n">Val</span><span class="p">()</span> <span class="o">&lt;</span> <span class="n">limit</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>No boundary exploits. Accurate count at any point in time. I felt good about this.</p> <p>Then a scrapers' botnet hit one of the news sites I was protecting, and I did the memory math I should have done before deploying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Active unique IPs during the attack: ~180,000 Max timestamps stored per IP: 600 (the req/min limit) Redis sorted set overhead per entry: ~128 bytes 180,000 × 600 × 128 bytes = ~13.8 GB </code></pre> </div> <p>My Redis instance had 4GB. At around 60% capacity Redis started making eviction decisions I had not planned for. When a rate limit key gets evicted, the counter resets. An attacker whose key gets evicted effectively gets a clean slate. The scraper was generating enough distinct source IPs that key eviction was happening continuously — their effective rate limit was functionally nonexistent during peak attack traffic, which was the exact moment I most needed it to work.</p> <p><code>ZREMRANGEBYSCORE</code> + <code>ZCARD</code> + <code>ZADD</code> is also three operations per request, versus one <code>INCR</code> for fixed window. Under attack, three operations per request across hundreds of thousands of concurrent IPs is a non-trivial Redis throughput multiplier.</p> <p>The version I ended up running is the sliding window counter — an approximation that uses two adjacent fixed window buckets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">sw</span> <span class="o">*</span><span class="n">SlidingWindowCounter</span><span class="p">)</span> <span class="n">Allow</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">key</span> <span class="kt">string</span><span class="p">,</span> <span class="n">limit</span> <span class="kt">int64</span><span class="p">,</span> <span class="n">window</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span><span class="p">)</span> <span class="p">(</span><span class="kt">bool</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">windowSecs</span> <span class="o">:=</span> <span class="kt">int64</span><span class="p">(</span><span class="n">window</span><span class="o">.</span><span class="n">Seconds</span><span class="p">())</span> <span class="n">now</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Unix</span><span class="p">()</span> <span class="n">currentSlot</span> <span class="o">:=</span> <span class="n">now</span> <span class="o">/</span> <span class="n">windowSecs</span> <span class="n">prevSlot</span> <span class="o">:=</span> <span class="n">currentSlot</span> <span class="o">-</span> <span class="m">1</span> <span class="c">// How far through the current window are we? 0.0 at start, 1.0 at end</span> <span class="n">position</span> <span class="o">:=</span> <span class="kt">float64</span><span class="p">(</span><span class="n">now</span><span class="o">%</span><span class="n">windowSecs</span><span class="p">)</span> <span class="o">/</span> <span class="kt">float64</span><span class="p">(</span><span class="n">windowSecs</span><span class="p">)</span> <span class="n">currentKey</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%s:%d"</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">currentSlot</span><span class="p">)</span> <span class="n">prevKey</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%s:%d"</span><span class="p">,</span> <span class="n">key</span><span class="p">,</span> <span class="n">prevSlot</span><span class="p">)</span> <span class="n">pipe</span> <span class="o">:=</span> <span class="n">sw</span><span class="o">.</span><span class="n">redis</span><span class="o">.</span><span class="n">Pipeline</span><span class="p">()</span> <span class="n">getCurrent</span> <span class="o">:=</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">currentKey</span><span class="p">)</span> <span class="n">getPrev</span> <span class="o">:=</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">prevKey</span><span class="p">)</span> <span class="n">pipe</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="n">current</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">getCurrent</span><span class="o">.</span><span class="n">Int64</span><span class="p">()</span> <span class="n">prev</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">getPrev</span><span class="o">.</span><span class="n">Int64</span><span class="p">()</span> <span class="c">// Weight the previous window based on how much of it falls in our sliding window</span> <span class="n">weighted</span> <span class="o">:=</span> <span class="kt">float64</span><span class="p">(</span><span class="n">prev</span><span class="p">)</span><span class="o">*</span><span class="p">(</span><span class="m">1.0</span><span class="o">-</span><span class="n">position</span><span class="p">)</span> <span class="o">+</span> <span class="kt">float64</span><span class="p">(</span><span class="n">current</span><span class="p">)</span> <span class="k">if</span> <span class="n">weighted</span> <span class="o">&gt;=</span> <span class="kt">float64</span><span class="p">(</span><span class="n">limit</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="n">pipe2</span> <span class="o">:=</span> <span class="n">sw</span><span class="o">.</span><span class="n">redis</span><span class="o">.</span><span class="n">Pipeline</span><span class="p">()</span> <span class="n">pipe2</span><span class="o">.</span><span class="n">Incr</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">currentKey</span><span class="p">)</span> <span class="n">pipe2</span><span class="o">.</span><span class="n">Expire</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">currentKey</span><span class="p">,</span> <span class="n">window</span><span class="o">*</span><span class="m">2</span><span class="p">)</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">pipe2</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="k">return</span> <span class="n">err</span> <span class="o">==</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> </code></pre> </div> <p>Two integer keys per identity, regardless of traffic volume. Error rate is around 0.4% at window boundaries — there's a small zone where the interpolation overestimates or underestimates the true count. For a security rate limiter, I accepted that tradeoff. For something financial, you probably can't.</p> <p>The sliding window log is the right algorithm when you have a small number of identities and need exact counts. If you're running it on raw source IPs during any kind of bot traffic, do the memory math before you deploy it.</p> <h2> Leaky Bucket: Where I Blocked Legitimate Users and Didn't Immediately Know Why </h2> <p>Before I rewrote the WAF in Go, I was running NGINX with <code>ngx_limit_req</code>. NGINX's rate limiting is leaky bucket. I didn't choose it — it was the only option the module gave me.</p> <p>Leaky bucket models a queue with a drain rate. Traffic enters at any rate, leaves at a constant rate. If the queue fills, excess is either delayed or dropped. For protecting a fragile backend from traffic spikes, it genuinely works well.</p> <p>The failure case is what legitimate traffic looks like.</p> <p>One of the sites I was protecting had a mobile app with decent usage — maybe 30,000 active users. Mobile users lose connectivity constantly. Subway, elevator, spotty 4G in a rural area. When they reconnect, the app retries whatever it was trying to send. If they lost connectivity for 30 seconds while the app was making periodic API calls, reconnection triggers three or four requests in under a second.</p> <p>From the leaky bucket's perspective: burst of 4 requests with 200ms spacing from an IP that was quiet for 30 seconds. No burst credit for the quiet period. If the queue is already at capacity from other traffic, these 4 requests get dropped.</p> <p>The users weren't sending error reports because the app silently retried. I noticed it because app engagement metrics were lower than expected for certain times of day — specifically peak commute hours, when users were moving in and out of underground transit. The "drop rate" I was seeing was legitimate mobile reconnects getting shed by the queue.</p> <p>Leaky bucket optimizes for smooth output at the cost of bursty-but-legitimate input. It doesn't model how real users behave — people don't make API calls at a metronomic rate. A well-tuned attacker running a slow crawl has smoother traffic than a real mobile user. The algorithm punishes the user and rewards the patient attacker.</p> <p>I kept NGINX's <code>ngx_limit_req</code> for one specific purpose: coarse traffic shaping before requests reach the Go process. A 2,000 req/s per-IP hard cap with a generous burst parameter (burst=500, nodelay). This protects the Go process from single-source floods without doing any policy enforcement. The policy — who actually gets blocked and why — lives in the Go middleware with sliding window counter.</p> <h2> Searching for the Best Algorithm Is the Wrong Question </h2> <p>Every few months I see a blog post that compares these algorithms and concludes one of them is best. The conclusion is always wrong, because the algorithm that's right depends on what you're trying to stop, at what traffic volume, with what latency budget, and what your false positive tolerance is.</p> <p>Credential stuffing is patient and distributed. Attackers stay well under per-IP limits intentionally. No single-identity rate limiter catches it — you need cross-IP correlation, behavioral signals, per-endpoint limits that make even sub-limit sustained attempts expensive. A leaky bucket set up to smooth traffic does nothing against this.</p> <p>A volumetric DDoS doesn't care about your per-minute limits. You need to shed traffic at the kernel level before it touches application code. eBPF at the XDP hook drops packets at line rate before the TCP stack processes them. Sliding window counter accuracy is irrelevant here — you need throughput, not precision.</p> <p>API abuse from residential proxies — a competitor scraping your pricing, a research firm harvesting your public data — operates at a few requests per minute per IP. Per-identity rate limiting sees nothing. You need aggregate behavior analysis: same user-agent across thousands of IPs, consistent URL patterns, request timing that's too regular to be human.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Algorithm</th> <th>Boundary Safety</th> <th>Memory</th> <th>Redis Ops/req</th> <th>Best use</th> <th>Breaks on</th> </tr> </thead> <tbody> <tr> <td>Fixed Window</td> <td>✗ exploitable</td> <td>O(1)</td> <td>1</td> <td>Coarse ingress caps</td> <td>Auth/payment endpoints</td> </tr> <tr> <td>Sliding Window Log</td> <td>✓ exact</td> <td>O(limit × IDs)</td> <td>3</td> <td>Low-volume sensitive endpoints</td> <td>Bot traffic with many IPs</td> </tr> <tr> <td>Sliding Window Counter</td> <td>✓ ~99.6%</td> <td>O(IDs)</td> <td>2 + 2</td> <td>General API rate limiting</td> <td>Hard financial accuracy</td> </tr> <tr> <td>Leaky Bucket</td> <td>N/A (shaping)</td> <td>O(queue)</td> <td>N/A</td> <td>Backend protection</td> <td>Bursty legitimate users</td> </tr> <tr> <td>Token Bucket</td> <td>✓</td> <td>O(IDs)</td> <td>2</td> <td>APIs with burst allowance</td> <td>DDoS mitigation</td> </tr> </tbody> </table></div> <p>The mistake is picking one and calling it done.</p> <h2> What I Actually Run </h2> <p>Four layers. Each one independently simple. Complexity in the composition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────┐ │ INTERNET │ └──────────────────┬──────────────────────────┘ │ ┌──────────────────▼──────────────────────────┐ │ LAYER 1 — eBPF/XDP │ │ Fixed window: 10K req/s hard cap per IP │ │ Drops at NIC before kernel TCP stack │ │ Blocklist from Kafka consumer (30s lag) │ └──────────────────┬──────────────────────────┘ │ ┌──────────────────▼──────────────────────────┐ │ LAYER 2 — NGINX ngx_limit_req │ │ Leaky bucket: 500 req/s per IP, burst=200 │ │ Traffic shaping only — no policy │ │ Node-local state, zero Redis dependency │ └──────────────────┬──────────────────────────┘ │ ┌──────────────────▼──────────────────────────┐ │ LAYER 3 — Go WAF middleware │ │ Sliding window counter (Redis-backed) │ │ Per-IP + per-session + per-API-key │ │ Auth endpoints: 5 req/min, no exceptions │ │ In-process cache for hot keys, 100ms sync │ └──────────────────┬──────────────────────────┘ │ ┌──────────────────▼──────────────────────────┐ │ LAYER 4 — Kafka telemetry (off hot path) │ │ Every decision emitted as event │ │ Consumer correlates across IPs/sessions │ │ Pushes back to Layer 1 blocklist │ └─────────────────────────────────────────────┘ </code></pre> </div> <p>Layer 1 handles volumetric attacks. eBPF at XDP processes packets before the kernel network stack — a tight fixed window at 10,000 req/s per IP, which no legitimate source ever hits, implemented as a BPF hash map. Packets matching the blocklist or exceeding the cap get <code>XDP_DROP</code> returned before a single socket buffer is allocated. The performance difference versus application-layer dropping is significant: XDP runs at ~2M pps on modest hardware; getting the same traffic to the Go process would saturate it.</p> <p>Layer 2 is NGINX doing traffic shaping. I'm not trying to make policy decisions here — just preventing a single source from landing 8,000 req/s on the Go process. The burst parameter is generous (200) specifically because I burned legitimate mobile users with a tight leaky bucket before. NGINX handles this without touching Redis.</p> <p>Layer 3 is where rate limit policy actually happens. Sliding window counter in Go, Redis-backed. Every identity type gets its own key namespace: <code>rl:ip:</code>, <code>rl:user:</code>, <code>rl:session:</code>, <code>rl:apikey:</code>. Different limits per endpoint class — a public API endpoint gets 600 req/min, a login endpoint gets 5 req/min with no burst, a password reset endpoint gets 3 per hour per user. The tiering exists because "rate limiting" is not one policy, it's many policies layered on the same infrastructure.</p> <p>One practical problem: some API keys are legitimate high-volume clients generating thousands of requests per minute. All their requests map to the same Redis key. At volume, that single key can saturate the Redis CPU for its shard — Redis is single-threaded per core per shard, and a hot key is a ceiling you'll hit before memory becomes an issue. My fix was local counter caching in the Go process: maintain an in-memory counter, sync to Redis every 100ms. This reduces Redis ops by roughly 50-100x for hot keys. The accuracy cost is ±100ms on the limit enforcement, which is acceptable for API key throttling and completely unacceptable for authentication endpoints where I need exact counts.</p> <p>Layer 4 is Kafka. Every rate limit decision — allowed, warned, blocked — gets emitted as a structured event asynchronously. It does not touch the request path. A Go consumer reads the stream and looks for patterns individual layers can't see: IPs clustering near the limit without hitting it (scanning), identical user-agents across thousands of distinct source IPs (coordinated botnet), session tokens that seem to travel geographically faster than physics allows. When confidence is high enough, it pushes the offending identities to a Redis set that Layer 1 reads every 30 seconds and translates into XDP blocklist entries.</p> <p>The 30-second lag between detection and enforcement is real and intentional. I'd rather have 30 seconds of exposure with high-confidence blocks than 0 seconds of exposure with an aggressive heuristic that starts blocking legitimate traffic. The eBPF layer catches volumetric attacks immediately. The Kafka consumer catches the slow, distributed, low-signal attacks. They cover different threat models.</p> <p>This architecture evolved over about a year and a half of the WAF running against real traffic. It was not designed this way. I started with just fixed window in Go, added sliding window counter after the credential stuffing incident, added the eBPF layer after a volumetric attack saturated the Go process, added Kafka telemetry after noticing slow distributed scraping that none of the per-identity limiters caught.</p> <p>Each layer was added reactively, after something broke. I'd design it this way from the start now, but I wouldn't have known to without having run the earlier, simpler versions until they failed.</p> <h2> What to Actually Build and When </h2> <p><strong>If you're starting from zero:</strong> sliding window counter in Redis, applied to authentication endpoints with a tight limit and everything else with a loose one. Do not start with leaky bucket unless traffic shaping is your actual goal. Do not start with fixed window on anything where a boundary burst creates a security gap. The sliding window counter implementation above is around 50 lines of Go and handles most cases correctly.</p> <p><strong>When Redis starts hurting:</strong> the signal is rate limit check latency climbing at p99, or Redis CPU staying above 60% under normal load. Before redesigning, add local counter caching with Redis sync. Cheap to implement, handles hot key scenarios, keeps the rest of the architecture unchanged. This buys significant headroom.</p> <p><strong>On eBPF:</strong> don't reach for XDP until you have a clear volumetric problem and you're comfortable debugging kernel-space code. An eBPF bug that passes the verifier but has a logic error can do things you cannot recover from without a reboot. The performance gain is real — moving packet drops from the Go process to the NIC makes a measurable difference once you're getting hit with hundreds of thousands of packets per second. The operational cost is also real.</p> <p><strong>On authentication endpoints:</strong> they deserve their own rate limit config, separate from everything else, with limits 10x tighter than your general API. A 600 req/min API limit that you accidentally apply to your login endpoint lets an attacker run 36,000 credential stuffing attempts per hour per IP. Five requests per minute on login makes credential stuffing economically unviable. Three requests per minute is better. The number of legitimate users who need to attempt login more than 5 times per minute is zero.</p> <p><strong>On 429 responses:</strong> they need a <code>Retry-After</code> header, a request ID the user can reference, and a message that doesn't say "rate limit exceeded" to an end user who has no idea what that means. This sounds like product work and not worth engineering time. It is worth engineering time. Unexplained 429s generate support tickets that take longer to resolve than writing the <code>Retry-After</code> header would have taken.</p> <h2> What Still Breaks </h2> <p>The hybrid setup catches the attacks it's been designed to catch. It does not catch everything.</p> <p>Six months ago, an actor was rotating API session tokens every 300-400 requests — specifically tuned to stay under per-session limits while exceeding the per-endpoint total rate I actually cared about. The rotation was fast enough that no individual token triggered a block. The Kafka consumer eventually flagged the pattern: thousands of short-lived tokens all following the same URL sequence, all from the same three ASNs. By the time the block deployed, the actor had been running for 11 days.</p> <p>The lesson from that isn't "build a better heuristic." It's that any fixed rule set has a bypass if the attacker has enough signal about your rules. The adaptive detection layer — Kafka consumer plus behavioral analysis — is the part that closes unknown-unknown attack patterns. It needs to be running before you need it.</p> <p>Rate limiting is not a problem you solve. It's a system you tune against an adversary who is also tuning against you. Every algorithm I've described has a bypass. The goal is making the bypass expensive enough that the attacker moves on.</p> <p><em>Backend engineer. Go, security infrastructure, distributed systems. WAF project on GitHub: <a href="https://github.com/bhavyyadav25" rel="noopener noreferrer">bhavyyadav25</a>. Portfolio: <a href="https://bhavyyadav25.github.io" rel="noopener noreferrer">bhavyyadav25.github.io</a>. Email: <a href="mailto:yadavbhavy25@gmail.com">yadavbhavy25@gmail.com</a></em></p> go webdev programming security What Happens in 2 Milliseconds: Anatomy of a Single HTTP Request Through a Production WAF Bhavy Yadav Sun, 31 May 2026 00:14:29 +0000 https://dev.to/bhavyyadav25/what-happens-in-2-milliseconds-anatomy-of-a-single-http-request-through-a-production-waf-4bcm https://dev.to/bhavyyadav25/what-happens-in-2-milliseconds-anatomy-of-a-single-http-request-through-a-production-waf-4bcm <p>The rule engine is not the hard part. Everyone builds a rule engine. The hard part is deciding what order the checks run in — because the difference between a hash map lookup and a regex match is two orders of magnitude, and you're doing this on every single request.</p> <p>Six-stage pipeline. Production. 50+ client websites, 100K+ daily requests. I'll trace one request through all of it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">http </span><span class="nf">POST</span> <span class="nn">/api/login</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">client-website.com</span> <span class="na">User-Agent</span><span class="p">:</span> <span class="s">python-requests/2.28.0</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">X-Forwarded-For</span><span class="p">:</span> <span class="s">185.220.101.45</span> <span class="na">{"username"</span><span class="p">:</span><span class="s">"admin' OR '1'='1' --","password":"anything"}</span> </code></pre> </div> <p>Four problems: Tor exit node IP, automation library User-Agent, no Accept header, SQL injection payload. It gets blocked at stage 4. But all six stages matter.</p> <h2> The Pipeline </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">RequestContext</span><span class="p">{</span> <span class="n">IP</span><span class="o">:</span> <span class="n">extractIP</span><span class="p">(</span><span class="n">r</span><span class="p">),</span> <span class="n">Start</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">(),</span> <span class="p">}</span> <span class="c">// Stage 1: IP reputation — cheapest check, runs first</span> <span class="n">ipScore</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">reputation</span><span class="o">.</span><span class="n">Score</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">)</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">+=</span> <span class="n">ipScore</span> <span class="k">if</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">&gt;=</span> <span class="m">100</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">block</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Code</span><span class="o">:</span> <span class="m">403</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="s">"blocklist"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Stage 2: Rate limiting</span> <span class="k">if</span> <span class="n">allowed</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">limiter</span><span class="o">.</span><span class="n">Allow</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">);</span> <span class="o">!</span><span class="n">allowed</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">+=</span> <span class="m">25</span> <span class="n">ctx</span><span class="o">.</span><span class="n">RateLimited</span> <span class="o">=</span> <span class="no">true</span> <span class="p">}</span> <span class="c">// Stage 3: Header inspection</span> <span class="n">headerScore</span><span class="p">,</span> <span class="n">hardBlock</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">inspectHeaders</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">+=</span> <span class="n">headerScore</span> <span class="k">if</span> <span class="n">hardBlock</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">block</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Code</span><span class="o">:</span> <span class="m">400</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="n">hardBlock</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Stage 4: Rule engine — most expensive, runs last</span> <span class="n">body</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Body</span> <span class="o">=</span> <span class="n">io</span><span class="o">.</span><span class="n">NopCloser</span><span class="p">(</span><span class="n">bytes</span><span class="o">.</span><span class="n">NewReader</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span> <span class="o">=</span> <span class="n">waf</span><span class="o">.</span><span class="n">rules</span><span class="o">.</span><span class="n">Evaluate</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="c">// Stage 5: Decision</span> <span class="k">if</span> <span class="n">d</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">decide</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">d</span><span class="o">.</span><span class="n">Block</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">block</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">d</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Cheap checks first, expensive last. If IP reputation kills the request, the rule engine never runs. At 100K req/day that ordering shows up measurably in CPU.</p> <h2> Stage 1: IP Reputation [0ms → 0.2ms] </h2> <p>Three data structures, all in memory, all O(1):</p> <ul> <li> <strong>Hard blocklist</strong> — permanently banned IPs. Hash map, no expiry.</li> <li> <strong>Tor exit nodes</strong> — refreshed every 15 minutes via Onionoo. ~1,500 active exit IPs at any given time.</li> <li> <strong>Threat score map</strong> — IPs we've observed before, with accumulated scores that decay over time. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">IPReputation</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">blocklist</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">struct</span><span class="p">{}</span> <span class="n">torExits</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">struct</span><span class="p">{}</span> <span class="n">cidrs</span> <span class="p">[]</span><span class="o">*</span><span class="n">net</span><span class="o">.</span><span class="n">IPNet</span> <span class="c">// datacenter/hosting ranges</span> <span class="n">scores</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">scoredIP</span> <span class="p">}</span> <span class="k">type</span> <span class="n">scoredIP</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">score</span> <span class="kt">int</span> <span class="n">lastSeen</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">ipr</span> <span class="o">*</span><span class="n">IPReputation</span><span class="p">)</span> <span class="n">Score</span><span class="p">(</span><span class="n">ip</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">int</span> <span class="p">{</span> <span class="n">ipr</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RLock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">ipr</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">ipr</span><span class="o">.</span><span class="n">blocklist</span><span class="p">[</span><span class="n">ip</span><span class="p">];</span> <span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="m">100</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">ipr</span><span class="o">.</span><span class="n">torExits</span><span class="p">[</span><span class="n">ip</span><span class="p">];</span> <span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="m">70</span> <span class="p">}</span> <span class="n">parsed</span> <span class="o">:=</span> <span class="n">net</span><span class="o">.</span><span class="n">ParseIP</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">cidr</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">ipr</span><span class="o">.</span><span class="n">cidrs</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cidr</span><span class="o">.</span><span class="n">Contains</span><span class="p">(</span><span class="n">parsed</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="m">55</span> <span class="c">// datacenter origin — not necessarily malicious, but not a browser</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="n">entry</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">ipr</span><span class="o">.</span><span class="n">scores</span><span class="p">[</span><span class="n">ip</span><span class="p">];</span> <span class="n">ok</span> <span class="p">{</span> <span class="n">days</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Since</span><span class="p">(</span><span class="n">entry</span><span class="o">.</span><span class="n">lastSeen</span><span class="p">)</span><span class="o">.</span><span class="n">Hours</span><span class="p">()</span> <span class="o">/</span> <span class="m">24</span> <span class="c">// Score halves every 24h</span> <span class="k">return</span> <span class="kt">int</span><span class="p">(</span><span class="kt">float64</span><span class="p">(</span><span class="n">entry</span><span class="o">.</span><span class="n">score</span><span class="p">)</span> <span class="o">*</span> <span class="n">math</span><span class="o">.</span><span class="n">Pow</span><span class="p">(</span><span class="m">0.5</span><span class="p">,</span> <span class="n">days</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="m">0</span> <span class="p">}</span> </code></pre> </div> <p>Score decays at a 24-hour half-life. IPs rotate. Cloud provider ranges get reassigned. Treating a month-old signal the same as a current one tanks precision — false positives climb until the system is more noise than signal.</p> <p>We should have used MaxMind GeoLite from day one instead of maintaining a CIDR list manually. We added hosting ranges reactively — after seeing attacks rather than before — and missed several in the first few months. Proper ASN lookups would have caught those automatically. That gap cost us a few weeks of noisier detection early on.</p> <p>The scores map has an unbounded growth problem. A background goroutine evicts entries with decayed scores below 5, running every hour. In production the map stabilized around 40-50k entries.</p> <p><strong>185.220.101.45 matches the Tor exit list. Score: 70. Continue.</strong></p> <h2> Stage 2: Rate Limiter [0.2ms → 0.5ms] </h2> <p>Sliding window, not fixed. Fixed windows have a boundary exploit: 59 requests at :59, 59 more at :00 — 118 requests through a 60-request limit. The sliding window always covers the last N seconds. There's no boundary to game.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">SlidingWindow</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">Mutex</span> <span class="n">entries</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="n">ipWindow</span> <span class="n">limit</span> <span class="kt">int</span> <span class="n">window</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">}</span> <span class="k">type</span> <span class="n">ipWindow</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">timestamps</span> <span class="p">[]</span><span class="kt">int64</span> <span class="c">// nanoseconds — 8 bytes vs 24 for time.Time</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">sw</span> <span class="o">*</span><span class="n">SlidingWindow</span><span class="p">)</span> <span class="n">Allow</span><span class="p">(</span><span class="n">ip</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="n">sw</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">sw</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="n">now</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UnixNano</span><span class="p">()</span> <span class="n">cutoff</span> <span class="o">:=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">sw</span><span class="o">.</span><span class="n">window</span><span class="o">.</span><span class="n">Nanoseconds</span><span class="p">()</span> <span class="n">w</span> <span class="o">:=</span> <span class="n">sw</span><span class="o">.</span><span class="n">entries</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="k">if</span> <span class="n">w</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">w</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">ipWindow</span><span class="p">{}</span> <span class="n">sw</span><span class="o">.</span><span class="n">entries</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="o">=</span> <span class="n">w</span> <span class="p">}</span> <span class="c">// Prune in-place — avoids allocating a new slice on every call</span> <span class="n">n</span> <span class="o">:=</span> <span class="m">0</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">t</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span> <span class="p">{</span> <span class="k">if</span> <span class="n">t</span> <span class="o">&gt;</span> <span class="n">cutoff</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">[</span><span class="n">n</span><span class="p">]</span> <span class="o">=</span> <span class="n">t</span> <span class="n">n</span><span class="o">++</span> <span class="p">}</span> <span class="p">}</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span> <span class="o">=</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">[</span><span class="o">:</span><span class="n">n</span><span class="p">]</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">sw</span><span class="o">.</span><span class="n">limit</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> </code></pre> </div> <p>Threshold: 60 requests per 10-second window. This attacker sent 847.</p> <p>Rate limit alone doesn't block. +25 to score, continue. A misconfigured load balancer looks identical to a rate violation — same IP, high request count. The system needs the full picture before making a hard call. Rate limit plus anything else usually crosses the block threshold.</p> <p><strong>Score: 70 + 25 = 95. Continue.</strong></p> <h2> Stage 3: Header Inspection [0.5ms → 0.8ms] </h2> <p>Real browsers are consistent. They send <code>Accept</code>, <code>Accept-Language</code>, <code>Accept-Encoding</code>. Their User-Agent follows recognizable patterns. Automation libraries don't replicate this — not because attackers are careless, but because <code>python-requests</code>, <code>httpx</code>, <code>go-http-client</code> don't send browser headers by default, and most attackers don't bother faking them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">var</span> <span class="n">automationSignatures</span> <span class="o">=</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"python-requests"</span><span class="p">,</span> <span class="s">"python-urllib"</span><span class="p">,</span> <span class="s">"go-http-client"</span><span class="p">,</span> <span class="s">"libwww-perl"</span><span class="p">,</span> <span class="s">"java/"</span><span class="p">,</span> <span class="s">"curl/"</span><span class="p">,</span> <span class="s">"wget/"</span><span class="p">,</span> <span class="s">"sqlmap"</span><span class="p">,</span> <span class="s">"nikto"</span><span class="p">,</span> <span class="s">"masscan"</span><span class="p">,</span> <span class="s">"zgrab"</span><span class="p">,</span> <span class="s">"scrapy"</span><span class="p">,</span> <span class="s">"aiohttp"</span><span class="p">,</span> <span class="s">"httpx"</span><span class="p">,</span> <span class="s">"mechanize"</span><span class="p">,</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">inspectHeaders</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">(</span><span class="n">score</span> <span class="kt">int</span><span class="p">,</span> <span class="n">hardBlock</span> <span class="kt">string</span><span class="p">)</span> <span class="p">{</span> <span class="n">ua</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"User-Agent"</span><span class="p">)</span> <span class="k">if</span> <span class="n">ua</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="m">40</span><span class="p">,</span> <span class="s">""</span> <span class="p">}</span> <span class="n">uaLow</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">ToLower</span><span class="p">(</span><span class="n">ua</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">sig</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">automationSignatures</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">Contains</span><span class="p">(</span><span class="n">uaLow</span><span class="p">,</span> <span class="n">sig</span><span class="p">)</span> <span class="p">{</span> <span class="n">score</span> <span class="o">+=</span> <span class="m">30</span> <span class="k">break</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">)</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">score</span> <span class="o">+=</span> <span class="m">15</span> <span class="p">}</span> <span class="c">// POST from a browser almost always carries a Referer</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">==</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span> <span class="o">&amp;&amp;</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Referer"</span><span class="p">)</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">score</span> <span class="o">+=</span> <span class="m">10</span> <span class="p">}</span> <span class="c">// Header injection is a hard block regardless of score</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">values</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">v</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">values</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">ContainsAny</span><span class="p">(</span><span class="n">v</span><span class="p">,</span> <span class="s">"</span><span class="se">\r\n</span><span class="s">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="m">0</span><span class="p">,</span> <span class="s">"header injection"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">score</span><span class="p">,</span> <span class="s">""</span> <span class="p">}</span> </code></pre> </div> <p>Header injection is the only hard block at this stage. <code>\r\n</code> in a header value is never legitimate — it can split HTTP responses and poison downstream caches. Everything else is scored and accumulated.</p> <p>We evaluated TLS fingerprinting (JA3) — comparing cipher suite and extension order from the TLS handshake, which browsers expose consistently and scripts don't. Decided against it. It requires TLS termination at the WAF layer or integration with nginx's <code>ssl_fingerprint</code> module, and it's brittle across library versions. The coupling cost wasn't worth it at our traffic volume. Worth revisiting at scale.</p> <p><strong>python-requests/2.28.0: +30. No Accept: +15. No Referer on POST: +10. Score: 95 + 55 = 100 (capped). Continue.</strong></p> <h2> Stage 4: Rule Engine [0.8ms → 1.5ms] </h2> <p>Most expensive stage. Runs last.</p> <p><strong>Pre-compile at startup.</strong> <code>regexp.MustCompile</code> is not free. Calling it per request at 100K req/day is burning CPU for no reason. All patterns compile once on server start, stored as <code>*regexp.Regexp</code> struct fields, reused across every request.</p> <p><strong>Normalize before matching.</strong> Attackers don't send raw <code>OR '1'='1'</code>. They URL-encode it, double-encode it, or split it across fields. A rule engine that only looks at the raw payload misses most real attacks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">normalize</span><span class="p">(</span><span class="n">input</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">[]</span><span class="kt">byte</span> <span class="p">{</span> <span class="c">// First pass</span> <span class="n">s</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">url</span><span class="o">.</span><span class="n">QueryUnescape</span><span class="p">(</span><span class="kt">string</span><span class="p">(</span><span class="n">input</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">s</span> <span class="o">=</span> <span class="kt">string</span><span class="p">(</span><span class="n">input</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Second pass — catches double-encoding</span> <span class="n">s2</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">url</span><span class="o">.</span><span class="n">QueryUnescape</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">s2</span> <span class="o">=</span> <span class="n">s</span> <span class="p">}</span> <span class="k">return</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">ToLower</span><span class="p">(</span><span class="n">s2</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Then the rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Rule</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="n">Pattern</span> <span class="o">*</span><span class="n">regexp</span><span class="o">.</span><span class="n">Regexp</span> <span class="n">Severity</span> <span class="kt">int</span> <span class="c">// 1–4; severity 4 = block unconditionally regardless of score</span> <span class="n">Target</span> <span class="n">Target</span> <span class="c">// Body, URL, or both</span> <span class="p">}</span> <span class="c">// Compiled at init() — never at request time</span> <span class="k">var</span> <span class="n">coreRules</span> <span class="o">=</span> <span class="p">[]</span><span class="o">*</span><span class="n">Rule</span><span class="p">{</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"SQLI-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`\bor\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+['"]?`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"SQLI-002"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`(--|#|/\*)`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">3</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"SQLI-003"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`\bunion\b.{0,30}\bselect\b`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span> <span class="o">|</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"XSS-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`&lt;script[\s/&gt;]|javascript\s*:`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span> <span class="o">|</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"PATH-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`(\.\.[\\/]){2,}`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">3</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"CMD-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`[;|&amp;]\s*(cat|ls|whoami|id|wget|curl)\b`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span> <span class="o">|</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">e</span> <span class="o">*</span><span class="n">RuleEngine</span><span class="p">)</span> <span class="n">Evaluate</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">body</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">[]</span><span class="o">*</span><span class="n">Match</span> <span class="p">{</span> <span class="n">normBody</span> <span class="o">:=</span> <span class="n">normalize</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="n">normURL</span> <span class="o">:=</span> <span class="n">normalize</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">RawQuery</span> <span class="o">+</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">))</span> <span class="k">var</span> <span class="n">matches</span> <span class="p">[]</span><span class="o">*</span><span class="n">Match</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">rule</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">e</span><span class="o">.</span><span class="n">rules</span> <span class="p">{</span> <span class="k">var</span> <span class="n">target</span> <span class="p">[]</span><span class="kt">byte</span> <span class="k">if</span> <span class="n">rule</span><span class="o">.</span><span class="n">Target</span><span class="o">&amp;</span><span class="n">TargetBody</span> <span class="o">!=</span> <span class="m">0</span> <span class="p">{</span> <span class="n">target</span> <span class="o">=</span> <span class="n">normBody</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">target</span> <span class="o">=</span> <span class="n">normURL</span> <span class="p">}</span> <span class="k">if</span> <span class="n">loc</span> <span class="o">:=</span> <span class="n">rule</span><span class="o">.</span><span class="n">Pattern</span><span class="o">.</span><span class="n">Find</span><span class="p">(</span><span class="n">target</span><span class="p">);</span> <span class="n">loc</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">matches</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">matches</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">Match</span><span class="p">{</span><span class="n">Rule</span><span class="o">:</span> <span class="n">rule</span><span class="p">,</span> <span class="n">At</span><span class="o">:</span> <span class="n">loc</span><span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">matches</span> <span class="p">}</span> </code></pre> </div> <p>After normalization, the body reads as: <code>{"username":"admin' or '1'='1' --","password":"anything"}</code>.</p> <p>SQLI-001 fires on <code>or '1'='1'</code>. SQLI-002 fires on <code>--</code>. Two matches. SQLI-001 is severity 4. Score is irrelevant — block unconditionally.</p> <h2> Stage 5: Decision [1.5ms → 1.8ms] </h2> <p>Thin layer. Accumulated context in, decision out. Complexity here is where subtle edge cases live and where probing exploits get found.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">decide</span><span class="p">(</span><span class="n">ctx</span> <span class="o">*</span><span class="n">RequestContext</span><span class="p">)</span> <span class="n">Decision</span> <span class="p">{</span> <span class="c">// Severity-4 match: score doesn't matter</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">m</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span> <span class="p">{</span> <span class="k">if</span> <span class="n">m</span><span class="o">.</span><span class="n">Rule</span><span class="o">.</span><span class="n">Severity</span> <span class="o">==</span> <span class="m">4</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Code</span><span class="o">:</span> <span class="m">403</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="n">m</span><span class="o">.</span><span class="n">Rule</span><span class="o">.</span><span class="n">ID</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// High score + any rule match: block</span> <span class="k">if</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">&gt;=</span> <span class="m">80</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Code</span><span class="o">:</span> <span class="m">403</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="s">"score+rules"</span><span class="p">}</span> <span class="p">}</span> <span class="c">// Rate limited, no rule match: 429, not 403</span> <span class="k">if</span> <span class="n">ctx</span><span class="o">.</span><span class="n">RateLimited</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Code</span><span class="o">:</span> <span class="m">429</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="s">"rate-limit"</span><span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">false</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The 403 vs 429 distinction is operational. Repeated 429s from the same IP often turn out to be misconfigured clients or internal tooling; 403s with rule matches are almost always actual attacks. The alerting pipeline treats them differently, which matters at 2am when you're deciding whether to page someone.</p> <p><strong>Verdict: Block, 403, SQLI-001.</strong></p> <h2> Stage 6: Logging [1.8ms → 2ms] </h2> <p>Response goes out before logging. Logging is I/O. I/O is slow. Those two facts mean the log write cannot touch the response path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">WAF</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">logCh</span> <span class="k">chan</span> <span class="n">IncidentLog</span> <span class="c">// buffered</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewWAF</span><span class="p">(</span><span class="n">cfg</span> <span class="n">Config</span><span class="p">)</span> <span class="o">*</span><span class="n">WAF</span> <span class="p">{</span> <span class="n">w</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">WAF</span><span class="p">{</span> <span class="n">logCh</span><span class="o">:</span> <span class="nb">make</span><span class="p">(</span><span class="k">chan</span> <span class="n">IncidentLog</span><span class="p">,</span> <span class="m">4096</span><span class="p">),</span> <span class="p">}</span> <span class="k">go</span> <span class="n">w</span><span class="o">.</span><span class="n">logWorker</span><span class="p">()</span> <span class="k">return</span> <span class="n">w</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">logWorker</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">entry</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">waf</span><span class="o">.</span><span class="n">logCh</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">sink</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c">// JSON to disk + forward to alert pipeline</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">block</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">ctx</span> <span class="o">*</span><span class="n">RequestContext</span><span class="p">,</span> <span class="n">d</span> <span class="n">Decision</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Response first</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">`{"error":"Forbidden"}`</span><span class="p">))</span> <span class="c">// Log asynchronously — non-blocking send</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="n">waf</span><span class="o">.</span><span class="n">logCh</span> <span class="o">&lt;-</span> <span class="n">IncidentLog</span><span class="p">{</span> <span class="n">Timestamp</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UTC</span><span class="p">(),</span> <span class="n">IP</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">,</span> <span class="n">Method</span><span class="o">:</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span><span class="p">,</span> <span class="n">Path</span><span class="o">:</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">,</span> <span class="n">Score</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span><span class="p">,</span> <span class="n">Matches</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span><span class="p">,</span> <span class="n">RateLimited</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">RateLimited</span><span class="p">,</span> <span class="n">Decision</span><span class="o">:</span> <span class="n">d</span><span class="p">,</span> <span class="n">LatencyMs</span><span class="o">:</span> <span class="kt">float64</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Since</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Start</span><span class="p">)</span><span class="o">.</span><span class="n">Microseconds</span><span class="p">())</span> <span class="o">/</span> <span class="m">1000</span><span class="p">,</span> <span class="p">}</span><span class="o">:</span> <span class="k">default</span><span class="o">:</span> <span class="c">// Channel full — drop the entry, track the drop count separately</span> <span class="n">waf</span><span class="o">.</span><span class="n">metrics</span><span class="o">.</span><span class="n">LogDropped</span><span class="o">.</span><span class="n">Inc</span><span class="p">()</span> <span class="p">}</span> <span class="k">go</span> <span class="n">waf</span><span class="o">.</span><span class="n">reputation</span><span class="o">.</span><span class="n">Increment</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The <code>select</code> with <code>default</code> is intentional. If the log channel fills — writer goroutine falling behind, usually disk I/O saturation during a large attack — drop the log entry rather than stall HTTP responses. Track the drop counter as a separate metric and alert on it. In 8 months of production this happened once, during a coordinated multi-client attack that was also saturating the disk writer. Logging should never affect response latency, even under that load.</p> <p>The attacker gets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">403</span> <span class="ne">Forbidden</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">{"error"</span><span class="p">:</span><span class="s">"Forbidden"}</span> </code></pre> </div> <p>No indication of which rule fired. Nothing actionable. The less information a 403 carries, the harder the system is to probe.</p> <h2> Production Numbers </h2> <p>At peak (~180 req/s across all clients), the WAF added a median 0.8ms latency to allowed requests. p99: 3.2ms. Blocked requests averaged 1.9ms — they exit earlier in the pipeline. Memory at steady state: ~90MB for the reputation map, rate limiter state, and rule engine combined.</p> <p>Over 8 months: 25% reduction in breach incidents across client websites, 35% faster detection from attack onset to alert. The detection improvement came almost entirely from centralized structured logging — correlating patterns across 50+ clients simultaneously instead of treating each site's logs as a separate silo.</p> <p>Two things I'd rebuild differently. First: MaxMind GeoLite for ASN-level blocking from the start. Maintaining a CIDR list manually is reactive by nature and you're always a step behind. Second: weight rule matches by position in the payload. A pattern found deep inside a multi-part encoded body is more likely to be deliberate evasion than one sitting in a raw field — that distinction should influence severity scoring, and currently it doesn't.</p> <p>Want more deep-dive backend stories?<br> I regularly write about:</p> <p>Go internals and performance<br> backend system design<br> building open-source tools<br> real-world optimization stories<br> Check out my personal site: <a href="https://bhavyyadav25.github.io" rel="noopener noreferrer">https://bhavyyadav25.github.io</a></p> <p>You can also find me on:</p> <p>GitHub: <a href="https://github.com/Bhavyyadav25" rel="noopener noreferrer">https://github.com/Bhavyyadav25</a><br> LinkedIn: <a href="https://linkedin.com/in/yadavbhavy" rel="noopener noreferrer">https://linkedin.com/in/yadavbhavy</a></p> <p><em>Backend engineer. Go, distributed systems, security infrastructure.</em></p> go webdev backend programming