On November 24, 2014, a simple API endpoint at a major cloud provider received an unusual surge of traffic. What started as a legitimate marketing campaign cascaded into billions of requests per minute. Without effective rate limiting, the authentication service collapsed, taking down the entire platform for hours. Millions in revenue evaporated.

Rate limiting is the practice of controlling the frequency of events—requests, packets, operations—to protect systems from overload, ensure fair resource allocation, and implement business policies. It's the difference between a system that gracefully handles abuse and one that collapses under pressure.

Rate limiting is the application of traffic shaping principles to control the rate of operations in a system. While leaky bucket and token bucket provide the algorithms, rate limiting encompasses the broader practice of deciding what to limit, where, and how.

Why Rate Limit?

Rate limiting serves multiple purposes across different domains:

Rate Limiting Dimensions:

Modern rate limiting operates across multiple dimensions simultaneously:

Multi-dimensional Example:

User "alice" limits:
  - Global: 10,000 requests/hour
  - Per endpoint:
    - /api/search: 100 requests/minute
    - /api/export: 10 requests/hour (expensive)
  - Concurrent: max 20 simultaneous requests
  - Data: 5 GB egress/day

Beyond leaky and token bucket, several algorithms address different rate limiting needs:

1. Fixed Window Counter:

Simplest approach—count events in fixed time windows.

Every minute window:
  - Count requests in current window
  - Allow if count < limit
  - Reset count at window boundary

Problem: Boundary bursts—100 requests at 11:59:59 + 100 at 12:00:00 = 200 requests in 2 seconds.

2. Sliding Window Log:

Store timestamp of each request, count those within the sliding window.

On request at time T:
  - Remove all timestamps older than (T - window_size)
  - If count < limit:
    - Add timestamp T
    - Allow request
  - Else: reject

Advantage: Perfect accuracy—no boundary effects. Disadvantage: Memory proportional to request count.

3. Sliding Window Counter (Hybrid):

Combines fixed window counting with sliding window semantics:

Parameters:
  window_size: 60 seconds
  limit: 100 requests

On request at time T:
  current_window = floor(T / window_size)
  previous_window = current_window - 1
  
  # Weight of previous window (sliding portion)
  weight = 1 - ((T % window_size) / window_size)
  
  # Weighted count
  count = (previous_window_count × weight) + current_window_count
  
  if count < limit:
    increment current_window_count
    allow
  else:
    reject

This provides sliding window behavior with O(1) memory per key.

In distributed systems, rate limiting becomes significantly more challenging. Requests for a single user may arrive at different servers, requiring coordination.

The Coordination Problem:

Imagine a user has a limit of 100 requests/minute, and you have 5 API servers:

• Without coordination: Each server allows 100 → User can make 500 requests
• With naive splitting: Each server allows 20 → Unfair if user hits one server
• Need: Global state across all servers

Approaches to Distributed Rate Limiting:

1. Centralized Store (Redis):

Most common approach—all servers share state via Redis or similar:

Advantages:
  - Exact global state
  - Simple implementation (Redis has atomic operations)
  - Works with any request routing

Challenges:
  - Redis becomes single point of failure
  - Added latency per request (1-5ms)
  - Network partition = all requests allowed/denied?

2. Local Limits with Async Aggregation:

Each server maintains local counters, periodically syncing:

Implementation:
  1. Each server has local rate limiter
  2. Local limits set to global_limit / num_servers × N
     (N>1 provides slack for uneven distribution)
  3. Background process aggregates across servers
  4. If global limit reached, notify all servers

Advantages:
  - No synchronous latency
  - Resilient to coordinator failure

Challenges:
  - Can temporarily exceed limits
  - Uneven distribution wastes capacity

How you respond when limits are exceeded significantly impacts user experience and system behavior.

Response Actions:

429 Response Best Practices:

When rejecting with HTTP 429, provide helpful information:

HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Retry-After: 30
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1699920000
X-RateLimit-Policy: 100;w=60

{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "You have exceeded the rate limit. Please retry after 30 seconds.",
    "retry_after": 30,
    "limit": 100,
    "window": 60,
    "documentation_url": "https://docs.example.com/rate-limits"
  }
}

Header Standards:

Graceful Degradation Example:

Instead of rejecting, provide reduced service:

def get_user_recommendations(user_id: str):
    # Check rate limits for expensive operations
    if not rate_limiter.allow(f"recommendations:{user_id}", 
                              window=60, limit=10):
        # Degraded: return cached/simpler recommendations
        return get_cached_recommendations(user_id)
    
    # Full service: compute personalized recommendations
    return compute_ml_recommendations(user_id)

This maintains perceived availability while protecting expensive backends.

Choosing the right identity for rate limiting is crucial—too broad and abusers affect legitimate users; too narrow and abusers create many identities.

Identity Dimensions:

Layered Identity Strategy:

Production systems typically use multiple identity layers:

def check_rate_limits(request):
    """
    Layered rate limiting by multiple identities.
    Request is allowed only if ALL limits pass.
    """
    checks = []
    
    # Layer 1: Global limit (protect service)
    checks.append(limiter.allow(
        key="global",
        limit=1_000_000,
        window=60
    ))
    
    # Layer 2: Per-IP limit (stop unauthenticated abuse)
    checks.append(limiter.allow(
        key=f"ip:{request.ip}",
        limit=1000,
        window=60
    ))
    
    # Layer 3: Per-user limit (if authenticated)
    if request.user_id:
        user_tier = get_user_tier(request.user_id)
        checks.append(limiter.allow(
            key=f"user:{request.user_id}",
            limit=TIER_LIMITS[user_tier],
            window=60
        ))
    
    # Layer 4: Per-endpoint limit (protect expensive operations)
    endpoint_limit = ENDPOINT_LIMITS.get(request.endpoint)
    if endpoint_limit:
        checks.append(limiter.allow(
            key=f"endpoint:{request.endpoint}:{request.user_id or request.ip}",
            limit=endpoint_limit,
            window=60
        ))
    
    # All must pass
    return all(check[0] for check in checks)

Handling Shared IP Addresses:

Large organizations (universities, enterprises) share a single NAT IP:

1. Higher limits for known NAT ranges: Identify and whitelist corporate ranges
2. Compound keys: IP + user-agent + other signals
3. Authenticated exemptions: Logged-in users bypass IP limits
4. CAPTCHA fallback: Present CAPTCHA instead of hard block
5. Customer support escalation: Allow manual limit increases

Fixed rate limits are simple but wasteful—they must be set for worst-case load, leaving capacity unused during normal operation. Adaptive rate limiting adjusts limits based on current system state.

AIMD (Additive Increase, Multiplicative Decrease):

Borrowed from TCP congestion control:

AIMD Rate Limiting:

State:
  current_limit: starts at initial_limit

Every adjustment_period:
  success_rate = successful_requests / total_requests
  
  if success_rate > target_success_rate:
    # System healthy, increase limits
    current_limit = min(max_limit, current_limit + additive_increase)
  else:
    # System stressed, back off
    current_limit = max(min_limit, current_limit × multiplicative_decrease)

Load Shedding at Scale:

When systems approach overload, intelligent load shedding preserves function:

class AdaptiveLoadShedder:
    """
    Sheds load based on system health metrics.
    """
    
    def __init__(self, target_latency_ms: int = 100):
        self.target_latency = target_latency_ms
        self.shed_probability = 0.0
    
    def update(self, current_latency_ms: float):
        """Update shed probability based on latency."""
        if current_latency_ms > self.target_latency * 2:
            # Way over target: aggressive shedding
            self.shed_probability = min(0.9, self.shed_probability + 0.1)
        elif current_latency_ms > self.target_latency:
            # Over target: gradual increase
            self.shed_probability = min(0.5, self.shed_probability + 0.05)
        else:
            # Under target: gradual recovery
            self.shed_probability = max(0.0, self.shed_probability - 0.01)
    
    def should_shed(self, request_priority: int = 0) -> bool:
        """
        Determine if request should be shed.
        Higher priority = less likely to shed.
        """
        adjusted_probability = self.shed_probability / (priority + 1)
        return random.random() < adjusted_probability

Priority-Based Shedding:

Not all requests are equal—shed low-priority first:

Production experience has identified patterns that work well and anti-patterns to avoid.

Pattern: Defense in Depth

Apply rate limiting at multiple layers:

Pattern: Token Budget System

Instead of simple request counts, assign costs to operations:

OPERATION_COSTS = {
    'GET /users': 1,
    'GET /search': 5,          # More expensive
    'POST /export': 50,        # Very expensive
    'POST /ml-inference': 100, # Resource-intensive
}

def check_budget(user_id: str, operation: str) -> bool:
    cost = OPERATION_COSTS.get(operation, 1)
    
    # User has 1000 tokens per minute
    return token_bucket.consume(
        key=f"budget:{user_id}",
        tokens=cost,
        bucket_size=1000,
        refill_rate=1000/60
    )

This ensures expensive operations are limited more aggressively while allowing many cheap operations.

Pattern: Separate Rate Limit Types

Different limit categories for different purposes:

1. Abuse limits: High bar, protects against attacks
2. Service limits: Medium bar, prevents overload
3. Product limits: Lower bar, implements business rules

Examining how major platforms implement rate limiting provides practical insights.

Case Study 1: GitHub API

GitHub implements sophisticated per-resource rate limiting:

Authenticated users:
  - Core API: 5,000 requests per hour
  - Search API: 30 requests per minute
  - GraphQL: 5,000 points per hour (complexity-based)
  
OAuth Apps:
  - 5,000 requests per hour per user
  - Can request higher limits
  
GitHub Actions:
  - Separate limits per workflow
  - Concurrency limits per repository

Key insight: Different resources have different limits—search is expensive so gets stricter limits.

Case Study 2: Cloudflare Rate Limiting

Cloudflare operates at edge, processing millions of requests per second:

1. Edge enforcement: Limits computed at edge, no central coordination
2. Sampling: For very high-rate attacks, sample 1% of requests to estimate
3. Challenge ladder: 429 → CAPTCHA → JavaScript challenge → block
4. Machine learning: Detect patterns and auto-create limits

Key lesson: At extreme scale, exact counting is impossible—sampling and estimation become necessary.

Case Study 3: Netflix Circuit Breakers

Netflix combines rate limiting with circuit breakers (Hystrix pattern):

1. Rate limiting prevents gradual overload
2. Circuit breakers detect failures and fail fast
3. Bulkheads isolate failures to prevent cascade
4. Fallbacks provide degraded service

This defense-in-depth approach handles both traffic quantity and backend health.

We've comprehensively explored rate limiting—the practice of applying traffic shaping principles to protect systems, ensure fairness, and implement business policies.

What's Next:

With rate limiting mastered, we'll complete our traffic shaping journey by exploring QoS (Quality of Service) Implementation—how traffic shaping technologies are combined to deliver differentiated service quality across network infrastructure.