Rate limiting is enabled and appears to work, yet abusive traffic still gets through.
Attackers don’t seem to be hitting the configured limits directly.
I’m wondering whether this is a configuration issue or a limitation of rate limiting itself.
Rate limiting controls how frequently a single source can make requests, but it doesn’t account for distributed or adaptive behavior. Attackers often spread traffic across multiple IPs, tokens, or accounts to stay below thresholds while still causing harm.
This makes rate limiting effective against simple abuse but insufficient on its own against determined attackers. Additional signals such as behavior patterns, authentication context, and anomaly detection are needed to distinguish normal use from abuse.
Relying on rate limiting alone often creates a false sense of protection.
Takeaway: Rate limits reduce noise, but they don’t stop intent-driven abuse.
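An added example, not part of the original answer: a per-IP sliding-window limiter and an aggregate check on distinct failing sources per target account, run over the same constructed login log. The thresholds, field layout, and function names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60             # seconds (assumed)
PER_IP_LIMIT = 5        # requests per IP per window (assumed)
DISTINCT_IP_ALERT = 10  # distinct failing IPs per account per window (assumed)

def build_sample_log():
    """Constructed events: (ts, source_ip, target_account, login_ok)."""
    events = []
    # 30 sources, 2 failed logins each against one account: under the per-IP limit.
    for i in range(30):
        ip = f"198.51.100.{i + 1}"
        events.append((i, ip, "alice", False))
        events.append((i + 30, ip, "alice", False))
    # Ordinary users: own account, an occasional typo.
    events += [(5, "203.0.113.7", "bob", False), (9, "203.0.113.7", "bob", True),
               (12, "203.0.113.8", "carol", True)]
    return sorted(events)

def per_ip_rate_limit(events):
    """Sliding-window limiter keyed on source IP; returns the rejected events."""
    recent, rejected = defaultdict(deque), []
    for ev in events:
        ts, ip = ev[0], ev[1]
        q = recent[ip]
        while q and ts - q[0] >= WINDOW:
            q.popleft()
        if len(q) >= PER_IP_LIMIT:
            rejected.append(ev)
        else:
            q.append(ts)
    return rejected

def flag_distributed_failures(events):
    """Flag accounts whose failed logins come from many distinct IPs in one window."""
    fails, flagged = defaultdict(deque), {}
    for ts, ip, account, ok in events:
        if ok:
            continue
        q = fails[account]
        q.append((ts, ip))
        while q and ts - q[0][0] >= WINDOW:
            q.popleft()
        distinct = len({src for _, src in q})
        if distinct >= DISTINCT_IP_ALERT:
            flagged[account] = max(flagged.get(account, 0), distinct)
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("rejected by per-IP limit:", len(per_ip_rate_limit(log)))
    print("flagged accounts:", flag_distributed_failures(log))
```

The per-IP limiter rejects nothing in this log, while keying the same window on the target account surfaces the spread-out failures.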