By Sahidur, published Feb 20

Part 6: The Bouncer at the Door — Rate Limiting and Stopping Bad Guys

How AllBengal prevents hackers from attacking the login page, uploading too many files, and other abuse.

The Problem: The Password Guessing Attack

Imagine the front door to a nightclub. Without a bouncer, someone could try to guess every person's password by trying millions of combinations per second:

Try: password1 ... WRONG
Try: password2 ... WRONG
Try: password123 ... WRONG
... repeat 1 million times per second
Eventually: password that_works! ... HIT!
Account hacked!

This is called a "brute force" attack. It's like trying every key on a giant keychain until one works.

A good bouncer says: "You tried to get in 5 times in the last minute. Stop trying or I'm kicking you out."

That's rate limiting.

What Is Rate Limiting?

Rate limiting is a rule that says: "You can do this action X times per Y minutes, or I'll block you."

Examples:

  • "You can try to log in 5 times per minute"
  • "You can upload 10 images per hour"
  • "You can create 3 posts per day"

How AllBengal Uses It

AllBengal has different limits for different actions:

Login Protection

Rule: "You can attempt login 5 times per minute"

Person tries wrong password:
Attempt 1: "Wrong password"
Attempt 2: "Wrong password"
Attempt 3: "Wrong password"
Attempt 4: "Wrong password"
Attempt 5: "Wrong password"
Attempt 6: BLOCKED! "Wait 1 minute before trying again"

API General Limits

Rule: "You can make 60 requests per minute"

Reader is browsing:
Request 1: "Get post list" ✓
Request 2: "Get post #5" ✓
Request 3: "Like post #5" ✓
... 57 more requests ...
Request 60: "Get comment" ✓
Request 61: BLOCKED! "You've done too much, wait a minute"

Why Different Limits?

Different actions deserve different limits:

Action type             Limit                        Reason
Reading (get data)      HIGH: 60 requests/minute     You might load a post, its comments and related posts in quick succession
Writing (create posts)  MEDIUM: 10 requests/minute   Normal users rarely write this fast, but bots might spam
Login                   STRICT: 5 attempts/minute    Nobody legitimate fails login 50 times per minute

How It Actually Works

Behind the scenes, rate limiting tracks you by your IP address (the address your connection appears to come from):

User from IP 203.0.113.45 makes requests:
Time 10:45:00 - Request 1 ✓ (1 request in the bucket)
Time 10:45:01 - Request 2 ✓ (2 requests in the bucket)
Time 10:45:02 - Request 3 ✓ (3 requests in the bucket)
...
Time 10:45:59 - Request 60 ✓ (60 requests in the bucket)
Time 10:46:00 - Bucket is emptied and refilled
Time 10:46:00 - Request 61 ✓ (1 request in new bucket)

It's like a bucket that holds "request tokens." Each request uses one token. When the minute is up, the bucket refills. (Strictly, what is described here is a fixed window counter: a client that sends 60 requests at 10:45:59 and 60 more at 10:46:00 gets 120 through in two seconds. A token bucket that refills a little every second, or a sliding window, smooths that out at the cost of a bit more bookkeeping.)

Two caveats about counting by IP address. Many people can share one address (an office, a university, a mobile carrier), so one abusive user can get everyone behind that address blocked. And when the site sits behind a proxy or load balancer, the server must take the client address from a header it trusts; if it blindly trusts whatever the request says, an attacker can forge that header and get a fresh bucket on every request.

What Happens When You Hit the Limit?

You get an error message:

HTTP 429: Too Many Requests

{
  "error": "Rate limit exceeded",
  "retry_after_seconds": 45,
  "message": "Please wait 45 seconds before trying again"
}

The "retry_after" value tells you when you can try again. Well-behaved clients (the site's own front-end code, scripts, API integrations) should wait that long before retrying rather than hammering the server; a plain browser does not retry on its own, it simply shows the error. The same number is normally also sent as a Retry-After response header, which is the standard place clients look for it.

Real Examples of Attacks Stopped

Attack 1: Password Guessing

Hacker IP: 192.168.1.100
Attempt 1: Try "admin@example.com" + "password1" ... WRONG
Attempt 2: Try "admin@example.com" + "Password1" ... WRONG
Attempt 3: Try "admin@example.com" + "Password!" ... WRONG
Attempt 4: Try "admin@example.com" + "123456" ... WRONG
Attempt 5: Try "admin@example.com" + "password123" ... WRONG
Attempt 6: BLOCKED for 1 minute

Result: the attack is slowed from thousands of guesses per minute to 5 per minute from that address, which makes blind guessing impractical. One caveat: a per-IP limit only counts one address, so an attacker who controls many addresses can try 5 per minute from each of them. That is why strong passwords, and limits keyed on the account being attacked, matter too.

Attack 2: Spam Comments

Bot IP: 203.0.113.50
Try to post comment #1 ✓
Try to post comment #2 ✓
Try to post comment #3 ✓
Try to post comment #4 ✓
Try to post comment #5 ✓
Try to post comment #6 ... ERROR 429
Try to post comment #7 ... ERROR 429

Result: Bot can only spam 5 comments/minute instead of 1000.
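The following is an added example, not AllBengal's code, showing the per-IP fixed window counter described under "How It Actually Works", the 429 response from "What Happens When You Hit the Limit", and the password-guessing scenario of Attack 1. It goes one step beyond the article: the same limiter is also keyed on the target account, to show why a per-IP limit alone only slows an attacker who has many addresses. The limits, class and function names, and the attacker addresses are assumptions chosen to match the article's numbers.

```python
import time
from dataclasses import dataclass

# Assumed per-action limits, matching the article's numbers: (max requests, window seconds).
LIMITS = {
    "read": (60, 60),
    "write": (10, 60),
    "login": (5, 60),
}


@dataclass
class Decision:
    allowed: bool
    remaining: int     # requests left in the current window
    retry_after: int   # seconds until the window resets (0 when allowed)


class FixedWindowLimiter:
    """Per-(action, client) counters that reset on fixed minute boundaries.

    This is the "bucket emptied and refilled at 10:46:00" behaviour from the
    article, i.e. a fixed window counter kept in process memory."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.counters = {}  # (action, client, window_start) -> request count

    def check(self, action, client, now=None):
        now = time.time() if now is None else now
        max_requests, window = self.limits[action]
        window_start = int(now) - int(now) % window
        # Forget windows that have already ended so memory stays bounded.
        self.counters = {k: v for k, v in self.counters.items()
                         if k[2] + self.limits[k[0]][1] > now}
        key = (action, client, window_start)
        count = self.counters.get(key, 0)
        if count >= max_requests:
            return Decision(False, 0, max(1, window_start + window - int(now)))
        self.counters[key] = count + 1
        return Decision(True, max_requests - count - 1, 0)


def too_many_requests(decision):
    """Status, headers and JSON body for a refused request, in the article's shape.
    Retry-After is the standard header that carries the same number for clients."""
    body = {
        "error": "Rate limit exceeded",
        "retry_after_seconds": decision.retry_after,
        "message": f"Please wait {decision.retry_after} seconds before trying again",
    }
    return 429, {"Retry-After": str(decision.retry_after)}, body


def guesses_let_through(limiter, ips, guesses_per_ip, account=None, start=0):
    """Count password guesses that get past the login limit within one minute.

    Keyed by IP only (account=None) this reproduces Attack 1 for one IP and shows
    that N attacking IPs get 5*N guesses. Passing an account adds a second counter
    keyed on the target account, which caps guesses no matter how many IPs the
    attacker controls (a general hardening, not something the article says
    AllBengal does)."""
    passed = 0
    for ip in ips:
        for i in range(guesses_per_ip):
            t = start + i  # every guess lands inside the same one-minute window
            ok = limiter.check("login", ip, t).allowed
            if account is not None:
                ok = limiter.check("login", "account:" + account, t).allowed and ok
            passed += ok
    return passed


if __name__ == "__main__":
    lim = FixedWindowLimiter()
    for t in range(60):
        lim.check("read", "203.0.113.45", t)
    blocked = lim.check("read", "203.0.113.45", 59)     # request 61 in the same window
    print(too_many_requests(blocked))
    print("single IP:", guesses_let_through(FixedWindowLimiter(), ["192.168.1.100"], 20))
    botnet = [f"198.51.100.{i}" for i in range(100)]   # constructed attacker addresses
    print("100 IPs:", guesses_let_through(FixedWindowLimiter(), botnet, 20))
    print("100 IPs + per-account limit:",
          guesses_let_through(FixedWindowLimiter(), botnet, 20, account="admin@example.com"))
```

Run it and the single attacker gets 5 guesses through, the 100-address attacker gets 500, and the per-account counter brings that back down to 5. The counters here live in a Python dict, which is the "memory-based" option discussed below; swapping the dict for a shared store is what makes the limit hold across restarts and across several servers.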

For Legitimate Users

Rate limits are designed to be barely noticeable for real usage:

  • Reading a blog: You're not hitting limits. You read 5-10 posts, take time between clicks.
  • Writing a post: You write 1 post every hour. Limit is 10/minute. No problem.
  • Uploading images: You add 1-2 images to a post. Limit is 10/minute. No problem.

The limits only affect:

  • Robots/bots trying to scrape everything
  • Hackers trying thousands of passwords
  • Spammers posting hundreds of times per minute

How It's Stored

AllBengal can use either:

Option 1: Memory-Based (Fast)

Keep a list in RAM: 
IP 203.0.113.45: 35 requests so far this minute
IP 192.168.1.1: 2 requests so far this minute
IP 198.51.100.1: 60 requests (LIMIT!)

Fast, but the counts are lost when the server restarts (an attacker gets a fresh allowance), and each server instance keeps its own list, so with three servers an attacker effectively gets three times the limit.

Option 2: Redis (Better)

Redis is a fast in-memory data store, shared by every server instance, that remembers:
IP 203.0.113.45: 35 requests so far this minute
IP 192.168.1.1: 2 requests so far this minute
IP 198.51.100.1: 60 requests (LIMIT!)

Even if a server restarts, the counts survive and attacks stay blocked, and because all servers read the same counters the limit is enforced once for the whole site rather than once per server. Each counter should be stored with an expiry equal to its window so stale entries clean themselves up instead of piling up.

Other Security Headers

Beyond rate limiting, AllBengal also sends security headers with every response:

X-Frame-Options: DENY
  "Don't let anyone put this website in a frame" (stops clickjacking, where an attacker hides your page inside theirs and tricks you into clicking on it)

X-Content-Type-Options: nosniff
  "Don't guess what kind of file this is, trust what I tell you" (matters for uploaded files: something served as an image must not be reinterpreted as a script)

Strict-Transport-Security: max-age=31536000
  "Always use HTTPS for the next year" (31,536,000 seconds; until then the browser refuses to talk to this site over plain HTTP)

These are like guards saying "Hey, browser, watch out for these tricks."
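An added example, not AllBengal's code, of the check a practitioner runs to confirm those three headers are actually present and strong on a response. The two header sets at the bottom are constructed for illustration: one weak, one matching the policy above. The function and constant names are assumptions.

```python
ONE_YEAR = 31536000  # seconds; the max-age the article's HSTS header uses


def _hsts_max_age(value):
    """Pull the max-age number out of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None


def audit_security_headers(headers):
    """Return a list of findings; an empty list means the response matches the policy.

    Header names are compared case-insensitively, as HTTP requires, so a proxy that
    lower-cases them does not produce false alarms."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive: page can be framed (clickjacking)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff: browser may sniff uploads as scripts")

    max_age = _hsts_max_age(h.get("strict-transport-security", ""))
    if max_age is None:
        findings.append("Strict-Transport-Security missing: connections can be downgraded to HTTP")
    elif max_age < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age={max_age} is under one year")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "content-type": "text/html",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_security_headers(hdrs) or "OK")
```

In practice you feed this the headers from a real response (for example from a requests or curl call) and fail the deployment check when the list is not empty.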

The Bottom Line

Rate limiting is like a bouncer at a club:

  • ✅ Stops password guessing
  • ✅ Blocks spam bots
  • ✅ Prevents abuse
  • ✅ Doesn't bother real users
  • ✅ Transparent (users see a friendly message)

Ever hit a rate limit? Drop a comment about what happened!
