Doing both per-IP and per-user rate limiting

Hybrid: A sound approach is to do both per-IP and per-user rate limiting, since each has weaknesses when used alone. The cost is more cache entries, with more details per entry, and therefore more memory and storage.

How will the hybrid approach help? A hacker can still perform a denial-of-service attack against a user by entering wrong credentials up to the limit. For example, if the rate limit on the login API is based on IP, the hacker can cause an IP to be unusable for login.