**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Options for rate limiting in rate-based rules and targeted Bot Control rules
<a name="waf-rate-limiting-options"></a>

This section compares rate-based mitigation options.

The targeted level of the AWS WAF Bot Control rule group and the AWS WAF rate-based rule statement both provide web request rate limiting. The following table compares the two options.


**Comparison of options for rate-based detection and mitigation**  

|  | AWS WAF rate-based rule | AWS WAF Bot Control targeted rules | 
| --- | --- | --- | 
| How rate limiting is applied | Acts on groups of requests that are coming at too high a rate. You can apply any action except for Allow.  | Enforces human-like access patterns and applies dynamic rate limiting, through the use of request tokens.  | 
| Based on historical traffic baselines?  | No  | Yes  | 
| Time required to accumulate historic traffic baselines  | N/A  | Five minutes for dynamic thresholds. N/A for token absent. | 
| Mitigation lag  | Usually 30-50 seconds. Can be up to several minutes.  | Usually less than 10 seconds. Can be up to several minutes.  | 
| Mitigation targets  | Configurable. You can group requests using a scope-down statement and by one or more aggregation keys, such as IP address, HTTP method, and query string. | IP addresses and client sessions  | 
| Traffic volume level required to trigger mitigations  | Medium - can be as low as 10 requests in the specified time window  | Low - intended to detect client patterns such as slow scrapers  | 
| Customizable thresholds  | Yes  | No  | 
| Default mitigation action | Console default is Block. No default setting in the API; the setting is required. You can set this to any rule action except Allow. | The rule group rule action settings are Challenge for token absent and CAPTCHA for high volume traffic from a single client session. You can set either of these rules to any valid rule action.  | 
| Resiliency against highly distributed attacks  | Medium - 10,000 IP address maximum for IP address limiting on its own | Medium - limited to 50,000 total between IP addresses and tokens  | 
| [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/) | Included in the standard fees for AWS WAF.  | Included in the fees for the targeted level of Bot Control intelligent threat mitigation.  | 
| For more information | [Using rate-based rule statements in AWS WAF](waf-rule-statement-type-rate-based.md) | [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) |