As a result of the DDoS attacks we have had to put in place rate limits on the registry. We apologise for any service disruption caused; we have been working with the vendor to try to come to a workable solution.
As we don’t yet have space for static pages on the registry site to present a change log, we are posting the details here:
Current Configuration of IATI Registry NGINX Bot Blocker
For Normal Users Rate Limits (per IP):
20 requests per second
Queuing system for additional requests – 200 requests
If requests exceed this, a 503 error is returned
limit_req_zone $binary_remote_addr zone=flood:50m rate=20r/s;
limit_conn_zone $binary_remote_addr zone=addr:50m;
limit_req_zone $server_name zone=perserver:1m rate=10r/s;
limit_conn addr 200;
limit_req zone=flood burst=200 nodelay;
Bots are identified as known bots or those requests associated with agents below:
"~*\bMozilla/4\.0\b" 4;
"~*\bOpera/9\.80\b" 4;
"~*\bFirefox/4\.0\.1\b" 4;
"~*\bSafari/534\.50\b" 4;
2 requests per second
If requests exceed this, a 444 error is returned
limit_conn_zone $bot_iplimit zone=bot2_connlimit:16m;
limit_req_zone $bot_iplimit zone=bot2_reqlimitip:16m rate=2r/s;
An agreement has been made to add a changelog to the Registry in order to keep track of these changes in the future.
Please get in touch with us if you are experiencing issues or need further support or clarifications.
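
An added example, not part of the original post or the Registry's own configuration: a small Python model of nginx's `limit_req` accounting, using the rates and user-agent patterns listed above, to show which responses a client receives for a given request pattern. The bot zone's burst of 0, the sample IP address and the arrival times are assumptions; `limit_conn` and the `perserver` zone are not modelled.

```python
import re

# User-agent patterns copied from the post; nginx "~*" is a case-insensitive regex.
BOT_AGENTS = [re.compile(p, re.I) for p in (
    r"\bMozilla/4\.0\b", r"\bOpera/9\.80\b",
    r"\bFirefox/4\.0\.1\b", r"\bSafari/534\.50\b")]


class LimitReq:
    """Leaky-bucket accounting as done by nginx limit_req with nodelay."""

    def __init__(self, rate_per_s, burst, reject_status):
        self.rate = rate_per_s * 1000        # milli-requests per second
        self.burst = burst * 1000            # milli-requests of allowed excess
        self.reject_status = reject_status
        self.state = {}                      # key -> (excess, last_ms)

    def hit(self, key, now_ms):
        if key not in self.state:            # first request for this key
            self.state[key] = (0, now_ms)
            return 200
        excess, last = self.state[key]
        # Drain at the configured rate, then add the cost of this request.
        excess = max(excess - self.rate * (now_ms - last) // 1000 + 1000, 0)
        if excess > self.burst:
            return self.reject_status        # rejected requests leave state unchanged
        self.state[key] = (excess, now_ms)
        return 200


def is_bot(user_agent):
    return any(p.search(user_agent) for p in BOT_AGENTS)


def simulate(user_agent, arrivals_ms, bot_burst=0, ip="198.51.100.7"):
    """Return the status for each arrival time (ms) from one client IP.

    bot_burst=0 is an assumption: the post shows no burst value for bots.
    444 is nginx's code for closing the connection without a response.
    """
    if is_bot(user_agent):
        zone = LimitReq(2, bot_burst, 444)   # bot2_reqlimitip: 2r/s
    else:
        zone = LimitReq(20, 200, 503)        # flood: 20r/s, burst=200 nodelay
    return [zone.hit(ip, t) for t in arrivals_ms]


if __name__ == "__main__":
    spike = simulate("python-requests/2.31", [0] * 300)   # constructed input
    print("instant spike:", spike.count(200), "served,", spike.count(503), "rejected")
    print("bot:", simulate("Mozilla/4.0 (compatible)", [0, 100, 500, 600, 1000]))
```

A client that paces itself at or below 20 requests per second never accumulates excess, so it is unaffected by the burst ceiling.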