educative.io

IP and user based rate limiting together

Hybrid: A right approach could be to do both per-IP and per-user rate limiting, as they both have weaknesses when implemented alone, though this will result in more cache entries with more details per entry, hence requiring more memory and storage.

What’s the benefit of IP and user based rate limiting together?

Hi @Dewey_Munoz

As discussed in the previous points by the author, both IP-based and user-based rate limiting have some drawbacks when used independently. For example, IP-based rate limiting can impact users when using public IPs. Similarly, user-based rate limiting can have negative consequences in the case of wrong login attempts exceeding a specific throttle.

When used together, the pros and cons of both complement each other, and the resulting rate-limiting mechanism works better. In this case, the rate limit applies to a specific instance of both the user and IP information, rather than just one. The API service will generate a new authentication token for a user using a particular IP address, despite someone trying to log into the same user’s account using a different IP address and having exceeded the limit already.
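To make the trade-off in the answer above concrete, here is an added example (not code from the course or from the answer's author) of a sliding-window limiter whose key can be the IP alone, the user alone, or the (user, IP) pair. The two scenarios, the addresses (taken from documentation ranges), the `FakeClock`, and the limit of 5 requests per 60 seconds are all constructed for the demonstration. Running `simulate` for each mode shows the two failure modes the answer describes, and `cardinality` shows the extra cache entries the hybrid key costs.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window request limiter. `mode` selects the cache key:
    "ip" (per address), "user" (per account) or "hybrid" (per (user, ip) pair).
    Hypothetical implementation written for this example."""

    def __init__(self, limit, window_seconds, mode="hybrid", clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.mode = mode
        self.clock = clock  # injectable so tests are deterministic
        self._events = defaultdict(deque)  # key -> timestamps of accepted requests

    def _key(self, user, ip):
        if self.mode == "ip":
            return ("ip", ip)
        if self.mode == "user":
            return ("user", user)
        return ("hybrid", user, ip)

    def allow(self, user, ip):
        """Return True and record the request if the key is under its limit."""
        now = self.clock()
        q = self._events[self._key(user, ip)]
        while q and now - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def cardinality(self):
        """Number of cache entries held; this is the memory cost the course text mentions."""
        return len(self._events)


class FakeClock:
    """Constructed clock so the scenarios below replay identically every run."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(mode, limit=5, window=60):
    """Replay two constructed scenarios and report whether the legitimate
    request is still admitted, plus how many cache entries were created."""
    clock = FakeClock()
    rl = RateLimiter(limit, window, mode, clock)

    # Scenario A: the user's account "alice" sees `limit` login attempts from
    # a remote address. Does alice, at her own address, still get through?
    for _ in range(limit):
        rl.allow("alice", "203.0.113.9")
        clock.advance(1)
    alice_ok = rl.allow("alice", "198.51.100.7")

    # Scenario B: many different accounts share one public/NAT address.
    # Does "bob", behind the same address, still get through?
    clock.advance(window + 1)  # let scenario A's events age out
    for i in range(limit):
        rl.allow(f"user{i}", "198.51.100.7")
        clock.advance(1)
    bob_ok = rl.allow("bob", "198.51.100.7")

    return {
        "after_user_flood": alice_ok,
        "after_shared_ip_flood": bob_ok,
        "cache_entries": rl.cardinality(),
    }


if __name__ == "__main__":
    for mode in ("ip", "user", "hybrid"):
        print(mode, simulate(mode))
```

Per-IP keying passes scenario A but blocks bob in scenario B; per-user keying blocks alice in scenario A but passes bob; the hybrid key admits the legitimate request in both cases, at the price of the largest entry count.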