Nov. 14, 2023 Rate Limiting 101: Protecting Your Network from Cyber Attacks

Introduction

Rate limiting is one of the most basic controls for protecting networks and web applications from abuse, and one of the most frequently misconfigured. This post covers the fundamentals of rate limiting, why it matters, and real-world rate-limit bypasses drawn from public bug bounty reports and blog posts.

What is Rate Limiting?

Rate limiting is a security mechanism that restricts the number of requests or actions a client (identified by a user account, an IP address, an API key, or a combination of these) can perform within a given time window. Its goals are to prevent abuse, blunt the impact of denial-of-service (DoS and DDoS) attacks, and stop brute-force guessing against passwords, OTP codes and similar secrets. Well-chosen rate-limiting rules help keep online services available without locking out legitimate users.

How Does Rate Limiting Work?

A rate limiter tracks requests against a key (the user, IP address or API token being limited) and compares the count within a time window against a predefined threshold. When a key exceeds the threshold, the system rejects further requests (typically with HTTP 429 Too Many Requests and a Retry-After header) or temporarily blocks the key. The choice of key matters as much as the threshold: as the bypasses later in this post show, a limiter keyed on something the client controls can be sidestepped at will. Enforcing these limits server-side keeps bursts of traffic from overloading the backend and bounds the number of guesses a brute-force attacker gets.

Types of Rate Limiting

  1. IP-Based Rate Limiting

    • Limits the number of requests from a single IP address within a specific timeframe.

    • Helps mitigate DDoS attacks and brute-force attempts, but is coarse: many legitimate users can share one address (NAT, corporate proxies, mobile carriers), and an attacker with many addresses can spread requests below the threshold.

  2. User-Based Rate Limiting

    • Sets a cap on the requests a single user can make within a given time window.

    • Guards against abuse and unauthorized access attempts.

  3. Token-Based Rate Limiting

    • Uses unique tokens or API keys to track and control API requests per token.

    • Secures APIs from misuse: each key gets its own quota, and a key that is being abused can be throttled or revoked without affecting other clients.

Adding Rate-Limit Protection Using CAPTCHA

In addition to the rate-limiting techniques above, organizations can add CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) challenges. CAPTCHAs are widely used to distinguish automated bots from human users.

When a user or IP address crosses the rate-limit threshold, the system prompts for a CAPTCHA instead of blocking outright. CAPTCHAs typically involve reading distorted characters, solving a puzzle or selecting matching images. Once the user completes the challenge, their requests are allowed to continue.

Combined with hard rate limits, this tiered approach raises the cost for adversaries who automate around the limits. It is an escalation step rather than a replacement: CAPTCHAs can be outsourced to solving services or broken by automation, so a hard block should still apply above a higher threshold, and the CAPTCHA result must be verified server-side before the request is let through.
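The following is an added example, not code from the original post, that ties together the mechanism described under "How Does Rate Limiting Work?", the three keying strategies, and the CAPTCHA escalation just described. It assumes a request is a plain dict with a mandatory remote_addr and optional user_id / api_key fields, and that captcha_ok is the result of verifying a submitted CAPTCHA solution elsewhere; the class and function names are this example's own.

```python
from collections import deque
from typing import Deque, Dict, Literal

Decision = Literal["allow", "challenge", "block"]


def key_for(request: dict) -> str:
    """Choose the identity to count against (assumed request layout: a dict
    with optional api_key / user_id and a mandatory remote_addr).
    The most specific identity wins: an API token identifies one integration,
    a user id one account, while an IP may be shared (NAT) or rotated."""
    if request.get("api_key"):
        return "token:" + request["api_key"]
    if request.get("user_id"):
        return "user:" + request["user_id"]
    return "ip:" + request["remote_addr"]


class SlidingWindowLimiter:
    """Counts hits per key over a sliding window and returns a three-way
    decision: allow, challenge (show a CAPTCHA) or block (HTTP 429)."""

    def __init__(self, window_seconds: float, soft_limit: int, hard_limit: int) -> None:
        if soft_limit > hard_limit:
            raise ValueError("soft_limit must not exceed hard_limit")
        self.window = window_seconds
        self.soft = soft_limit
        self.hard = hard_limit
        self._hits: Dict[str, Deque[float]] = {}

    def _record(self, key: str, now: float) -> int:
        """Drop timestamps older than the window, record this hit, return the count."""
        q = self._hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)
        return len(q)

    def check(self, request: dict, now: float, captcha_ok: bool = False) -> Decision:
        n = self._record(key_for(request), now)
        if n <= self.soft:
            return "allow"
        if n <= self.hard:
            # Past the soft threshold the client continues only by proving it is
            # human; captcha_ok is the (assumed) server-side verification result
            # of a CAPTCHA solution submitted with this request.
            return "allow" if captcha_ok else "challenge"
        # Past the hard threshold nothing gets through: respond 429 with Retry-After.
        return "block"


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(window_seconds=60, soft_limit=3, hard_limit=5)
    client = {"remote_addr": "203.0.113.7"}            # constructed sample client
    for t in range(1, 8):
        print(t, limiter.check(client, now=float(t)))
    print(70, limiter.check(client, now=70.0))          # window expired: allowed again
```

The time is passed in explicitly so the behaviour is deterministic; in production the caller would pass time.monotonic(). Note that a request that is challenged is still counted, so a client that ignores the CAPTCHA and keeps retrying reaches the hard block rather than getting unlimited challenge pages.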

Real World Examples of Rate Limiting Bypasses

The following are real-world rate-limit bypasses that researchers have reported in the past:

  1. HackerOne Rate Limit Bypass: A bug bounty hunter discovered a rate-limiting bypass on HackerOne itself. The platform rate-limited API requests on all endpoints, but by appending special characters such as a null byte (%00) to the “email” parameter, the reporter could bypass the protection. HackerOne added countermeasures; the reporter then bypassed them again using CRLF (%0d%0a) and other non-printing characters such as a tab (%09).

  2. Rate Limit Bypass via Header Manipulation: A security researcher found a rate-limiting bypass in the web application at trycourier.com. Every endpoint was rate-limited, but the limiter trusted the client-supplied "X-Forwarded-For" header: by sending the header with varying IP values, an attacker could reset the limit at will and keep sending requests after it had been triggered. On trycourier.com this was demonstrated against the email section, allowing an attacker to flood victims with a large volume of notifications, inconveniencing users and degrading the service. The report notes the wider impact of such a flaw: brute-forcing login credentials, email bombing, and guessing OTP codes for account takeover.
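As an added example (not code from the report or from the original post), the following contrasts a client-address lookup that trusts X-Forwarded-For from anyone, as in the trycourier.com case, with one that trusts it only when the request actually arrived through one of our proxies. The proxy range in TRUSTED_PROXIES, the request dicts and the function names are assumptions of this example; header names are lower-cased as most frameworks present them.

```python
import ipaddress

# Address range of our own reverse proxies / load balancers (assumed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_naive(request: dict) -> str:
    """Vulnerable: the rate-limit key comes straight from a client-supplied
    header, so the client chooses its own key. If the header is sent twice the
    HTTP layer joins the values with a comma; an empty first copy then yields
    an empty key that every attacker shares."""
    xff = request["headers"].get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return request["remote_addr"]


def _parse(addr: str):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_hardened(request: dict) -> str:
    """Use X-Forwarded-For only when the TCP peer is one of our proxies, and
    read it from the right: each proxy appends the address it saw, so the
    rightmost address that is not one of ours is the real client. Anything the
    client injected sits further left and is never reached. Other spoofable
    headers (X-Client-IP, X-Originating-IP, ...) are ignored entirely."""
    peer = request["remote_addr"]
    peer_ip = _parse(peer)
    if peer_ip is None or not _trusted(peer_ip):
        return peer                        # direct connection: header is attacker-controlled
    xff = request["headers"].get("x-forwarded-for", "")
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not hop:
            continue                       # blank entry from a doubled/empty header
        ip = _parse(hop)
        if ip is None:
            return peer                    # malformed entry: fall back to the peer
        if _trusted(ip):
            continue                       # one of our own hops
        return hop
    return peer                            # header absent or only our proxies listed


if __name__ == "__main__":
    # Constructed requests: 198.51.100.9 is the attacker, 10.0.0.5 our proxy.
    direct = {"remote_addr": "198.51.100.9", "headers": {"x-forwarded-for": "127.0.0.1"}}
    via_proxy = {"remote_addr": "10.0.0.5",
                 "headers": {"x-forwarded-for": "127.0.0.1, 198.51.100.9"}}
    doubled = {"remote_addr": "198.51.100.9", "headers": {"x-forwarded-for": ", 127.0.0.1"}}
    for name, req in [("direct", direct), ("via_proxy", via_proxy), ("doubled", doubled)]:
        print(f"{name:10} naive={client_ip_naive(req)!r:14} hardened={client_ip_hardened(req)!r}")
```

The hardened version also closes the "double X-Forwarded-For" trick listed later in this post: the blank entry is skipped rather than becoming the key. Most reverse proxies can be configured to overwrite, rather than append to, X-Forwarded-For at the edge, which makes the right-to-left walk unnecessary, but the application should still refuse to read the header from connections that did not come from the proxy tier.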

Methods of Bypassing Rate Limits

Beyond the examples above, attackers use several other techniques to bypass rate limiting:

  1. Slowing Down Requests

    The simplest bypass is to slow down. Instead of bombarding the endpoint, the attacker spaces requests so that the count never crosses the threshold within the window. This is slow, but it defeats any limiter whose window is short relative to the attacker's patience, which is why login and OTP endpoints also need long-window or per-account counters (and, for OTPs, a small absolute attempt limit per code).

  2. IP Address Rotation

    By switching between many IP addresses (proxy services, cloud instances, botnets), attackers keep each address below an IP-based limit. The limiter sees many low-volume sources instead of one abusive one, which is why limits keyed on IP alone are weak protection for authentication endpoints.

  3. User-Agent Spoofing

    If a limiter keys on the "User-Agent" header (or any other client-controlled attribute), attackers simply vary it per request to mimic different clients, and each variation gets a fresh allowance while blending in with regular traffic. Any value the client controls is a poor rate-limit key.

  4. URL Parameter Manipulation

    Attackers sometimes modify URL parameters to make each request look unique, for example by adding random query parameters or altering existing ones. This works against limiters that key on the full URL rather than on the client identity and the sensitive operation being performed.

  5. Special Character Usage

    On some systems, appending special characters such as %09 or %0d to a parameter value bypasses the rate limit. %09 is a horizontal tab and %0d a carriage return. The bypass works when the application strips or ignores these characters before acting on the value (so every variant still targets the same account or resource) while the rate limiter keys on the raw value and treats each variant as a new client. Other characters reported to work include %00, %0d%0a, %0C, %20, and %0.

  6. Changing IP origin using headers

    X-Originating-IP: 127.0.0.1
    X-Forwarded-For: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1
    X-Client-IP: 127.0.0.1
    X-Host: 127.0.0.1
    X-Forwarded-Host: 127.0.0.1

    # or send the X-Forwarded-For header twice
    X-Forwarded-For:
    X-Forwarded-For: 127.0.0.1

    These headers only matter when the application, or a framework in front of it, takes the client address from a request header without checking that the request actually arrived through a trusted proxy. Sending the header twice targets parsers that join repeated headers or read only the first copy, yielding an empty or attacker-chosen address as the rate-limit key.
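As an added example (not code from the original post or from the cited reports), the following reproduces the special-character bypass from the HackerOne item and from method 5 above, then shows the fix: key the limiter on the same canonical value the backend acts on. The OTP-verification form, the limiter, the attacker query strings and the function names are all assumptions of this example.

```python
import unicodedata
from urllib.parse import parse_qs


class CounterLimiter:
    """Minimal per-key counter: `limit` attempts per key, then refuse.
    Time windows are left out because the point here is the key, not the clock."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.hits: dict = {}

    def allow(self, key: str) -> bool:
        self.hits[key] = self.hits.get(key, 0) + 1
        return self.hits[key] <= self.limit


def canonical_email(value: str) -> str:
    """The form the backend actually acts on: Unicode-normalised, control
    characters and whitespace removed, lower-cased. Every padded variant in
    ATTACK_QUERIES collapses to the same string here."""
    value = unicodedata.normalize("NFKC", value)
    value = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return value.lower()


def key_vulnerable(email: str) -> str:
    # Keys on the value exactly as submitted: "victim@example.com\x00" and
    # "victim@example.com" are different keys even though the backend treats
    # them as one account.
    return "otp-verify:" + email


def key_hardened(email: str) -> str:
    # Keys on the same canonical value the backend uses, so padding the parameter
    # with %00, %09, %0d%0a or %20, or changing case, buys no extra attempts.
    return "otp-verify:" + canonical_email(email)


# Constructed attacker traffic: the same OTP-verification request with the
# "email" parameter padded the way the cited reports describe.
ATTACK_QUERIES = [
    "email=victim%40example.com&otp=000000",
    "email=victim%40example.com%00&otp=000000",
    "email=victim%40example.com%09&otp=000000",
    "email=victim%40example.com%0d%0a&otp=000000",
    "email=victim%40example.com%20&otp=000000",
    "email=Victim%40example.com&otp=000000",
]


def attempts_accepted(key_fn, limit: int = 3, rounds: int = 3) -> int:
    """Replay every variant `rounds` times against a fresh limiter and count
    how many OTP guesses the limiter let through to the backend."""
    limiter = CounterLimiter(limit)
    accepted = 0
    for _ in range(rounds):
        for query in ATTACK_QUERIES:
            email = parse_qs(query)["email"][0]     # value as a framework would decode it
            if limiter.allow(key_fn(email)):
                accepted += 1
    return accepted


if __name__ == "__main__":
    print("vulnerable key:", attempts_accepted(key_vulnerable), "guesses reached the backend")
    print("hardened key:  ", attempts_accepted(key_hardened), "guesses reached the backend")
```

With a limit of three attempts, the vulnerable key lets all eighteen guesses through because each padded variant is counted separately; the hardened key stops at three. A stricter alternative is to reject any value containing control characters outright rather than silently normalising it, and to key OTP limits on the account (or the OTP session) rather than on a user-supplied string at all. The same fix covers method 4 (URL parameter manipulation): count against identity plus operation, not against the raw URL.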

Conclusion

Rate limiting is an essential control for protecting networks and web applications from abuse, but it is only as strong as the key it counts on. The bypasses above share a pattern: the limiter keyed on something the attacker could vary (a raw parameter value, a spoofable header, a single IP address) while the backend treated every variant the same. Keying on the canonical value the backend uses, trusting proxy headers only from known proxies, layering per-account and long-window limits over per-IP ones, and re-testing after each fix close most of these gaps. Regular security assessments and bug bounty programs remain important for finding the bypasses that slip through.

About the Author

Gopesh Sharma is a Security Engineer with Certus Cybersecurity. An expert penetration tester, Gopesh specializes in vulnerability research and assessment on web applications, API security, cloud security, scripting and Android security and has experience in finding OWASP Top 10 vulnerabilities.
