No Rate Limiting

Overview

Description

Rate limiting is a mechanism used to control the volume of traffic reaching the web server.

If a user sends too many requests within a given timeframe, it is more likely that the user is performing malicious activity such as a brute-force or Denial of Service attack, so such requests should be blocked by the server.

According to RFC 6585, HTTP response code 429 (Too Many Requests) indicates that the user has sent too many requests in a given amount of time. Returning this response should be implemented in your application logic.

An attacker can spread requests across a pool of IP addresses to stay under a per-IP limit, so rate limiting should be applied to the active session as well as to the source IP.

Impact

  • This issue can be used to perform Denial of Service (DoS) and brute-force attacks.

Prevention

  • Implement rate limiting in your application based on source IP as well as active session.
  • Block the IP address or session if requests keep arriving after a 429 Too Many Requests response has been sent.
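The following is an added example, not code from the original page: a sliding-window limiter keyed on both source IP and session id, as the description and prevention points above call for, which answers 429 once a key exceeds its limit and escalates to a temporary block (403) after repeated 429s. The limits, window and block duration are constructed sample values; the request timestamps are passed in so the logic can be exercised offline.

```python
from collections import defaultdict, deque

# Added example, not code from the original page: a sliding-window
# limiter keyed by source IP and by session id, with escalation to a
# temporary block after repeated 429s. Limit values are constructed.
LIMIT = 5          # requests allowed per key per window
WINDOW = 60.0      # window length in seconds
BLOCK_AFTER = 3    # consecutive 429 responses before the key is blocked
BLOCK_FOR = 300.0  # block duration in seconds

class RateLimiter:
    def __init__(self):
        self.hits = defaultdict(deque)   # key -> timestamps of accepted requests
        self.strikes = defaultdict(int)  # key -> consecutive 429s
        self.blocked = {}                # key -> time at which the block expires

    def _verdict(self, key, now):
        """Status a single key would receive, without recording the hit."""
        if key in self.blocked:
            if self.blocked[key] > now:
                return 403
            del self.blocked[key]          # block expired, start clean
            self.strikes[key] = 0
        q = self.hits[key]
        while q and q[0] <= now - WINDOW:  # drop hits outside the window
            q.popleft()
        if len(q) < LIMIT:
            return 200
        self.strikes[key] += 1
        if self.strikes[key] >= BLOCK_AFTER:
            self.blocked[key] = now + BLOCK_FOR
            return 403
        return 429

    def handle(self, ip, session, now):
        """Return 200, 429 or 403 for one request; both keys must allow it."""
        keys = (("ip", ip), ("session", session))
        status = max(self._verdict(k, now) for k in keys)  # 403 > 429 > 200
        if status == 200:
            for k in keys:
                self.hits[k].append(now)
                self.strikes[k] = 0
        return status
```

Because a rejected request is not recorded as a hit, a client that keeps rotating IPs while reusing one session is stopped by the session key, and a client that rotates sessions from one IP is stopped by the IP key.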