Your API Rate-Limit Is Useless Against Distributed Attacks
TL;DR: API rate-limiting ("you can make 100 requests per minute") was designed to prevent single-source abuse. It fails catastrophically against distributed attacks. Botnets with 50,000 nodes, each making 1 request/minute, bypass your 100-req/min limi...
Mar 9, 2026 · 9 min read
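The failure mode from the TL;DR, replayed against a per-source limiter as an added example (not code from the original post). The `PerSourceLimiter` class, the fixed-window algorithm, the source names and both traffic sets are assumptions constructed for illustration; only the 100 req/min limit and the 50,000-node figure come from the text.

```python
from collections import defaultdict

LIMIT_PER_MIN = 100   # per-source limit quoted in the TL;DR
WINDOW_S = 60         # one-minute fixed window (assumed algorithm)


class PerSourceLimiter:
    """Fixed-window counter keyed by source address (hypothetical helper)."""

    def __init__(self, limit=LIMIT_PER_MIN, window_s=WINDOW_S):
        self.limit = limit
        self.window_s = window_s
        self.counts = defaultdict(int)  # (source, window index) -> requests seen

    def allow(self, source, ts):
        key = (source, int(ts // self.window_s))
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def replay(events):
    """Run (timestamp, source) events through a fresh limiter.

    Returns (allowed, blocked, allowed count of the busiest single source).
    """
    limiter = PerSourceLimiter()
    allowed_by_source = defaultdict(int)
    blocked = 0
    for ts, source in events:
        if limiter.allow(source, ts):
            allowed_by_source[source] += 1
        else:
            blocked += 1
    return sum(allowed_by_source.values()), blocked, max(allowed_by_source.values())


def single_source(n=50_000):
    # Constructed traffic: one client sends n requests inside one minute.
    return [(i * WINDOW_S / n, "198.51.100.7") for i in range(n)]


def distributed(nodes=50_000):
    # Constructed traffic: each node sends exactly one request in the same minute.
    return [(i * WINDOW_S / nodes, f"node-{i}") for i in range(nodes)]


if __name__ == "__main__":
    for name, events in (("single source", single_source()), ("distributed", distributed())):
        allowed, blocked, busiest = replay(events)
        print(f"{name:14s} allowed={allowed:6d} blocked={blocked:6d} busiest_source={busiest}")
```

Both traffic sets put the same 50,000 requests on the backend in one minute; the limiter only ever sees the per-key count, so the distributed set never trips it.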