Rate Limiting

Rate limiting is a defensive mechanism that restricts how many requests a user, IP address, device, or session can make within a defined period. It protects authentication systems, APIs, search endpoints, password reset flows, and data-sensitive operations from brute force, credential stuffing, scraping, denial-of-service attempts, and enumeration attacks.
A secure rate-limiting strategy identifies abusive patterns early and slows, blocks, or challenges the attacker without affecting legitimate users.

Why Rate Limiting Matters

Attackers exploit unlimited or weakly regulated endpoints to:

  • brute force passwords

  • guess usernames or OTPs

  • mass test coupon codes

  • enumerate IDs or resources

  • overload internal logic

  • spam APIs or search systems

  • perform scraping or credential stuffing

  • rapidly test vulnerabilities

Rate limiting controls volume and prevents automated abuse.

Components of a Strong Rate Limiting System

1. Identity Keys

Rate limits are applied to identifiers such as:

  • IP address

  • username/email

  • session ID

  • device ID or fingerprint

  • API key

  • user account ID

  • token or cookie

Rate limiting must use multiple identifiers, not only IPs, because attackers rotate IPs easily.

2. Window Types

Different techniques define how requests are counted.

  • fixed window

  • sliding window

  • token bucket

  • leaky bucket

  • exponential backoff window

Each suits different contexts.

3. Thresholds

Define how many requests are allowed:

Example:

10 attempts per minute for login
100 requests per minute for API
1 OTP request per minute

Thresholds vary based on sensitivity.

4. Actions When a Limit Is Exceeded

When a limit is exceeded, the backend may:

  • slow down responses

  • require CAPTCHA

  • return 429 Too Many Requests

  • temporarily lock the user

  • block IP for extended time

  • invalidate token

  • notify user or admin for suspicious activity

Actions depend on endpoint sensitivity.

Types of Rate Limiting Strategies

Fixed Window Rate Limiting

Counts requests in fixed intervals.

Example:

  • 5 login attempts per 10 minutes

  • renews every 10 minutes

Downside: bursts are allowed at window edges, because the counter resets to zero the moment a new window starts.

Sliding Window Rate Limiting

Measures requests over a shifting timeframe.
More accurate than fixed windows.

Token Bucket

Users gain “tokens” at a fixed rate.
Each request consumes one token.

Ideal for APIs where bursts are acceptable.

Leaky Bucket

Requests pass at a fixed, constant rate.

Ideal for smoothing traffic spikes.
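The edge-burst weakness of fixed windows, compared with a sliding window, as an added example (not code from the original page). Both limiters enforce the text's "5 per 10 minutes" rule; the timestamps and the client key are constructed.

```python
from collections import deque

class FixedWindowLimiter:
    """Counts requests per fixed interval; the counter resets at every boundary."""
    def __init__(self, limit, window_sec):
        self.limit, self.window = limit, window_sec
        self.counts = {}  # (key, window index) -> request count

    def allow(self, key, now):
        idx = int(now // self.window)
        n = self.counts.get((key, idx), 0)
        if n >= self.limit:
            return False
        self.counts[(key, idx)] = n + 1
        return True

class SlidingWindowLimiter:
    """Keeps per-key timestamps and counts only those inside the trailing window."""
    def __init__(self, limit, window_sec):
        self.limit, self.window = limit, window_sec
        self.hits = {}  # key -> deque of request timestamps

    def allow(self, key, now):
        q = self.hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()  # drop hits that fell out of the trailing window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def burst_demo(limiter):
    """Five attempts just before the 600 s boundary and five just after
    (constructed timestamps); returns how many the limiter let through."""
    times = [595, 596, 597, 598, 599, 601, 602, 603, 604, 605]
    return sum(limiter.allow("203.0.113.7", t) for t in times)

if __name__ == "__main__":
    # The fixed window lets all 10 through (5 in each window); the sliding
    # window sees 10 attempts inside one trailing 600 s span and allows only 5.
    print("fixed window allowed:", burst_demo(FixedWindowLimiter(5, 600)))
    print("sliding window allowed:", burst_demo(SlidingWindowLimiter(5, 600)))
```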

Dynamic/Adaptive Rate Limiting

Automatically adjusts thresholds based on user behavior:

  • suspicious traffic → lower limit

  • trusted devices → higher limits

Used for financial and authentication endpoints.

Applying Rate Limiting to Critical Endpoints

Login Endpoint

Requirements:

  • per-IP limit

  • per-username limit

  • per-account lockout

  • exponential backoff

  • CAPTCHA after multiple failures

Example limit:

5 failures per 15 minutes per username
10 failures per 15 minutes per IP
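One way to combine the per-username and per-IP limits above with an exponential lockout and a generic error message, as an added example that is not code from the original page. The base lockout of 60 seconds, the client IPs and the usernames are assumptions for the demo.

```python
from collections import defaultdict

GENERIC_ERROR = "Too many attempts. Try again later."

class LoginLimiter:
    """Counts failed logins per username (5 / 15 min) and per IP (10 / 15 min).
    Exceeding a limit locks that key; each further overrun doubles the lockout."""
    WINDOW = 15 * 60

    def __init__(self, user_limit=5, ip_limit=10, base_lockout=60):
        self.user_limit, self.ip_limit = user_limit, ip_limit
        self.base_lockout = base_lockout        # assumed starting lockout (seconds)
        self.failures = defaultdict(list)       # key -> failure timestamps
        self.locked_until = {}                  # key -> (unlock time, lockouts so far)

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if t > now - self.WINDOW]
        return len(self.failures[key])

    def _lock(self, key, now):
        _, count = self.locked_until.get(key, (0, 0))
        duration = self.base_lockout * (2 ** count)   # exponential backoff
        self.locked_until[key] = (now + duration, count + 1)
        return GENERIC_ERROR

    def check(self, username, ip, now):
        """None if the attempt may proceed, otherwise the same generic message
        whether the username or the IP tripped the limit."""
        user_key, ip_key = ("user", username), ("ip", ip)
        for key in (user_key, ip_key):
            if now < self.locked_until.get(key, (0, 0))[0]:
                return GENERIC_ERROR
        if self._recent(user_key, now) >= self.user_limit:
            return self._lock(user_key, now)
        if self._recent(ip_key, now) >= self.ip_limit:
            return self._lock(ip_key, now)
        return None

    def record_failure(self, username, ip, now):
        self.failures[("user", username)].append(now)
        self.failures[("ip", ip)].append(now)

    def record_success(self, username):
        self.failures.pop(("user", username), None)   # clear the user's counter safely

if __name__ == "__main__":
    lim = LoginLimiter()
    for t in range(5):                                  # five failures for "alice"
        lim.record_failure("alice", "198.51.100.9", t)
    print(lim.check("alice", "198.51.100.9", 5))        # generic error, locked 60 s
    print(lim.check("bob", "198.51.100.9", 5))          # None: IP is at 5/10, bob at 0/5
```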

Password Reset Flow

Reset endpoints are common targets for enumeration and spam.

Limit:

1 reset attempt per 5 minutes per user
3 reset attempts per hour per IP

OTP/MFA Verification

OTP codes must be protected strictly.

Limits:

5 OTP attempts per 10 minutes

Add lockout if exceeded.

Signup/Registration

Prevent bot signups:

  • IP-based limit

  • CAPTCHA

  • device fingerprinting

  • email domain restrictions

Search Inputs and Filters

Search endpoints often reveal database information.

Limit:

X requests per second per IP/session

API Keys

API rate limits should apply both per API key and per IP.

1000 requests / hour / API key
100 requests / minute / IP

Sensitive Actions

Actions like:

  • changing password

  • updating email

  • modifying payment method

  • generating tokens

should have strict rate limits.

Rate Limiting for Defense Against Brute-Force Attacks

Brute-force attacks and credential stuffing rely on volume.
Rate limiting blocks:

  • password brute force

  • OTP brute force

  • token brute force

  • coupon brute force

  • login CSRF spraying

  • API token guessing

Good rate limiting makes brute force impractical.

Rate Limiting for IDOR and Enumeration Prevention

Attackers try:

/user/1
/user/2
/user/3
...

Rate limiting reduces enumeration speed drastically.

Mitigation:

  • block high-rate sequential access

  • detect incremental ID patterns

  • combine behavior analysis with strict thresholds
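A detector for the "incremental ID pattern" above, as an added example that is not code from the original page: it flags any client that walks monotonically increasing /user/<id> paths at least min_hits times inside a short window. The path shape, the window, the threshold and the sample events are constructed.

```python
import re
from collections import defaultdict

ID_PATH = re.compile(r"^/user/(\d+)$")   # assumed resource path shape

def detect_sequential_enumeration(events, window_sec=10, min_hits=5):
    """events: iterable of (timestamp, client_key, path).
    Returns {client_key: longest run} for clients whose /user/<id> requests
    form a strictly increasing id sequence of at least min_hits within window_sec."""
    per_client = defaultdict(list)
    for ts, key, path in events:
        m = ID_PATH.match(path)
        if m:
            per_client[key].append((ts, int(m.group(1))))
    flagged = {}
    for key, hits in per_client.items():
        hits.sort()
        run = []
        for ts, uid in hits:
            run = [(t, u) for t, u in run if t > ts - window_sec]  # trailing window
            if run and uid <= run[-1][1]:
                run = []            # a non-increasing id breaks the sequence
            run.append((ts, uid))
            if len(run) >= min_hits:
                flagged[key] = max(flagged.get(key, 0), len(run))
    return flagged

# Constructed sample: 203.0.113.5 walks ids 1..8 in eight seconds;
# 198.51.100.2 looks like a normal user revisiting a couple of profiles.
SAMPLE_EVENTS = [(1000 + i, "203.0.113.5", "/user/%d" % (i + 1)) for i in range(8)] + [
    (1002, "198.51.100.2", "/user/42"),
    (1030, "198.51.100.2", "/user/42"),
    (1031, "198.51.100.2", "/user/7"),
]

if __name__ == "__main__":
    print(detect_sequential_enumeration(SAMPLE_EVENTS))   # {'203.0.113.5': 8}
```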

Advanced Rate Limit Controls

Device Fingerprint Enforcement

Combine the IP address with a device fingerprint to track abusive devices.

Behavioral Analytics

Detect anomalies:

  • sudden spike in attempts

  • high error-to-success ratio

  • login attempts from new geolocation

Action-Based Throttling

Rate limit per action, not just per endpoint.

Example:

5 login attempts across both API and web combined

User Reputation Score

Repeated abusive behavior yields stricter limits.

Multi-Stage Challenges

After hitting limit:

  • introduce CAPTCHA

  • require 2FA challenge

  • increase cooldown

  • require email confirmation

Logging & Monitoring for Rate Limiting

Logs must track:

  • timestamps

  • user identifiers

  • IP addresses

  • action types

  • failure counts

  • triggered blocks

Monitoring reveals large-scale attacks in real time.

Secure Error Handling

Do not reveal whether the limit is per-user or per-IP.
Avoid messages that leak information.

Use generic messages:

Too many attempts. Try again later.

Uniform responses prevent enumeration.

Best Practices for Rate Limiting Implementation

  • rate limit all authentication endpoints

  • use multiple identifier keys

  • apply exponential backoff

  • apply MFA after repeated failures

  • block known bad IP ranges

  • use CAPTCHAs only as secondary controls

  • log rate limit events

  • never rely solely on IP-based limits

  • ensure distributed rate limiting across servers

  • synchronize counters between cluster nodes

  • clear counters safely

  • scale limits based on role (admin vs user)

  • lower limits for sensitive actions

Intel Dump

  • Rate limiting protects authentication, APIs, search, signup, OTP, and sensitive endpoints from automated abuse.

  • Use per-IP, per-username, per-device, and per-session identifiers to enforce limits.

  • Implement fixed windows, sliding windows, token buckets, or leaky buckets depending on endpoint needs.

  • Protect logins, password resets, and OTP flows with strict throttling and temporary lockouts.

  • Apply CAPTCHA, MFA challenges, and behavioral analytics for suspicious patterns.

  • Use secure, generic error messages and comprehensive logging.

  • Rate limiting is essential for resisting brute force, credential stuffing, enumeration, and spam attacks.
