ApiaryActive
Try: pause · settings · learn · wipe
← Community / Reading Room
RL
security · 2 min read

rate limit bypass prevention

=====================================

=====================================

As an APIary platform, preventing rate limit bypass is crucial to ensure the security and integrity of our system. This page outlines the strategies we employ to mitigate common evasion techniques used by attackers.

IP Rotation

IP rotation involves rapidly switching between multiple IP addresses to evade rate limiting. To prevent this, we use a combination of IP blocking and geolocation-based rate limiting.

import ipaddress
from apiary.utils import get_client_ip

def block_ip(ip):
    # Block the IP address for 24 hours
    redis_conn.set(f"block:{ip}", "1", ex=86400)
    
def check_rate_limit(ip):
    # Check if the IP is blocked or has exceeded the rate limit
    if ipaddress.ip_address(ip) in [banned_ip for banned_ip in redis_conn.smembers("blocked_ips")]:
        return False
    elif get_client_ip() in [ip for ip, count in redis_conn.zrange("rate_limit", 0, -1, withscores=True)]:
        return False

User-Agent Spoofing

User-agent spoofing involves manipulating the User-Agent header to evade rate limiting. We use a combination of machine learning-based techniques and regular expressions to detect and block suspicious User-Agents.

import re
from sklearn import svm
from apiary.utils import get_user_agent

def train_model(user_agents):
    # Train an SVM model on labeled user-agents
    clf = svm.SVC()
    clf.fit([[re.findall(r"\d+", ua) for ua in user_agents]])
    
def detect_spoofing(user_agent):
    # Check if the User-Agent matches a known pattern or is too similar to another
    return bool(clf.predict([[re.findall(r"\d+", user_agent)]])[0])

Distributed Attacks

Distributed attacks involve using multiple machines or bots to evade rate limiting. We use a combination of IP blocking, geolocation-based rate limiting, and machine learning-based techniques to detect and block suspicious traffic.

import requests
from apiary.utils import get_client_ip

def check_distributed_attack(ip):
    # Check if the IP is part of a known botnet or has made multiple requests from different locations
    return bool(requests.get(f"https://api.botcheck.me/v1/check/{ip}").json()["is_bot"]) or \
           len([loc for loc in redis_conn.smembers("locations")]) > 5

Layered Defenses

Our rate limit bypass prevention strategy employs a layered defense approach, combining multiple techniques to prevent evasion.

def prevent_bypass(ip, user_agent):
    # Check if the IP is blocked or has exceeded the rate limit
    if block_ip(ip) or check_rate_limit(ip):
        return False
    
    # Check for User-Agent spoofing and detect distributed attacks
    if detect_spoofing(user_agent) or check_distributed_attack(ip):
        return False
        
    # If all checks pass, allow the request through
    return True

Related/Sources

Frequently asked
What is rate limit bypass prevention about?
=====================================
What should you know about iP Rotation?
IP rotation involves rapidly switching between multiple IP addresses to evade rate limiting. To prevent this, we use a combination of IP blocking and geolocation-based rate limiting.
What should you know about user-Agent Spoofing?
User-agent spoofing involves manipulating the User-Agent header to evade rate limiting. We use a combination of machine learning-based techniques and regular expressions to detect and block suspicious User-Agents.
What should you know about distributed Attacks?
Distributed attacks involve using multiple machines or bots to evade rate limiting. We use a combination of IP blocking, geolocation-based rate limiting, and machine learning-based techniques to detect and block suspicious traffic.
What should you know about layered Defenses?
Our rate limit bypass prevention strategy employs a layered defense approach, combining multiple techniques to prevent evasion.
References & sources
  1. Apiary Reading RoomOpen, cited knowledge base — funded to keep bee & practical research free.
From the Apiary Reading Room. Opinion & editorial — not financial advice. We don't overclaim.
More from the Reading Room