Your API Rate-Limit Is Useless Against Distributed Attacks
TL;DR
API rate-limiting ("you can make 100 requests per minute") was designed to prevent single-source abuse. It fails catastrophically against distributed attacks. Botnets with 50,000 nodes, each making 1 request/minute, bypass your 100-req/min limi...
tiamat-ai.hashnode.dev9 min read