What is Rate Limiting?

Humans, bots, and applications may overuse or abuse a web property, intentionally or unintentionally, eroding network resources and causing it to crash, face downtime or become slow. Rate limiting is an effective strategy to prevent the overuse or abuse of digital assets and certain kinds of web attacks.

What exactly is rate limiting, how does it work, and what can it protect against? Read on to find out.

What is Rate Limiting? 

Rate limiting is a strategy used to cap a traffic exchange, limiting the amount of incoming and outgoing traffic on a particular network. Typically, it limits repeat actions by users within specified timeframes, preventing systems, networks, and applications from becoming overloaded. For instance, it may cap the number of logins to an account within a specified timeframe or the number of failed login attempts.


Rate limiting is typically used to balance the loads on servers and network infrastructure while optimizing the performance of system resources. It prevents attackers from overwhelming digital resources and ensures that all legitimate users get equal access to the service.

Rate limiting is also useful in managing the information flow between complex linked systems, allowing multiple streams to be merged into the devices seamlessly and intelligently. In addition to performance optimization, it also helps optimize costs by setting limits on resource use.

For instance, a user may mistakenly send a request to retrieve tons of information. This will overload the network for all users and require lots of computing resources. Such vulnerabilities and errors can be prevented when rate limits are in place, and massive computation costs can be avoided.

What Does it Protect Against?

When rate limiting is not implemented, the strain on servers, networks, applications, APIs, etc., can be massive, leading to downtime, eroded performance and speed, crashes, and attacks. Though rate limiting is not a complete security solution, it helps stop different types of attacks such as:

  • Certain types of bot attacks
  • Brute force attacks
  • Web/content scraping attacks
  • API abuse
  • Certain kinds of DDoS attacks, etc.

How Does Rate Limiting Work?

Rate limiting doesn’t run within the server itself but within an application. The application primarily uses IP addresses to determine who or what is making the request. Typically, the security or rate limiting solution will track the IP addresses from which requests originate and evaluate the time gap between consecutive requests.

Based on this information, the rate limits are fixed, and the solution is configured and tuned. When the requests from a single IP address exceed the predefined limit within the given timeframe, the solution will not fulfill requests from that IP address for a certain amount of time.

For instance, a user wants to log in to their digital banking account but has forgotten the password and keeps entering the wrong one. With rate limiting, the application is configured to deny login and freeze the account for a day after 3 failed login attempts. Sometimes, the user may have to escalate the issue with the bank to unfreeze their account.
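The per-IP mechanism described above (count requests from each address inside a timeframe, then refuse that address for a set period), as an added example that is not code from the original article. The class and function names, the limit of 3 requests per 10 seconds, the 30-second block, and the use of HTTP status 429 for a refused request are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class IPRateLimiter:
    """Sliding-window counter per client IP with a temporary block."""

    def __init__(self, limit, window, block_for):
        self.limit = limit          # max requests allowed per window
        self.window = window        # window length in seconds
        self.block_for = block_for  # how long an offending IP is refused
        self.hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self.blocked_until = {}          # ip -> time the block expires

    def check(self, ip, now=None):
        """Return 0 if the request may proceed, else seconds until retry."""
        now = time.monotonic() if now is None else now
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return until - now       # still blocked: request not fulfilled
            del self.blocked_until[ip]   # block expired, start fresh
            self.hits[ip].clear()
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                  # forget requests outside the window
        if len(q) >= self.limit:
            self.blocked_until[ip] = now + self.block_for
            return self.block_for
        q.append(now)
        return 0


def replay(limiter, events):
    """Run (timestamp, ip) events through the limiter; return HTTP statuses."""
    return [200 if limiter.check(ip, ts) == 0 else 429 for ts, ip in events]


# Constructed sample traffic: (seconds, client IP from the documentation ranges)
SAMPLE = [(0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
          (3, "203.0.113.7"),            # 4th request inside 10 s -> blocked
          (3, "198.51.100.9"),           # other clients are unaffected
          (20, "203.0.113.7"),           # still inside the 30 s block
          (34, "203.0.113.7")]           # block (3 + 30 = 33) has expired

if __name__ == "__main__":
    print(replay(IPRateLimiter(limit=3, window=10, block_for=30), SAMPLE))
```

Because the key is the source IP, every client behind the same NAT gateway or proxy shares one counter. The per-IP dictionaries also grow with each new address, so a long-running deployment needs to evict idle entries.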

Types of Rate Limiting

Based on the methods and parameters used in determining rate limits, there are 3 types:

  • User rate limiting is the most popular type wherein the limits are set based on the number of requests a user makes to the API or IP. When users exceed the predefined limits, their further requests are denied until the timeframe resets.
  • Geographic rate limiting extends security further by setting limits on the requests from particular geographic regions and time periods. For instance, if the organization does not do business in certain regions, requests from those regions may be blocked completely or given lower limits to minimize the risk of suspicious or fraudulent activity.
  • Server rate limiting is used when developers have defined different servers to handle different aspects of the application. In this case, the rate limits are defined and tuned based on the load handled by the different servers.

APIs and Rate Limits

Every time an API is called, a certain amount of server resources is required for the code to run and respond to the request. Lack of resources and rate limiting is on the OWASP API Top 10 list of security flaws. Malicious actors leverage this flaw to orchestrate DDoS, brute force, and bot attacks on APIs.

By placing API rate limits, API owners can ensure third-party users and malicious actors don’t erode server resources by abusing APIs. It also encourages legitimate third-party users to pay more for greater use.

The Way Forward 

While rate limiting is a powerful technique to prevent certain cyberattacks, it is one-dimensional. It cannot provide complete security to web applications, APIs, and other digital assets. It must be part of an end-to-end, managed security solution such as AppTrana, which combines bot mitigation, DDoS prevention, malware protection, API security, and other key capabilities for robust protection.