Nondescript hacker sitting in front of a laptop in a dark room

Crime is no longer confined to seedy back alleys or the dead of night; the internet has become a playground for cybercriminals who are constrained by neither time nor location. Cybercrime has risen sharply in recent years, and with it the cost of recovering from an attack. Those costs are enormous, and while the headlines go to breaches at major enterprises like Facebook and Equifax, almost half of all cyberattacks hit small-to-medium enterprises.

SMEs usually lack the staff and tooling to withstand sophisticated attacks, which leaves them more exposed, and cybercriminals know it. Wright Investment Properties, a Tennessee-based real estate investment and development firm, lost over $1 million after an attacker compromised an email account, used it to pose as the owner, and instructed the bookkeeper to wire money from the firm's account to China: a textbook case of business email compromise.

Preventing attacks and protecting your business's network resources matters more than ever, as transactions and day-to-day operations grow more dependent on IT being available. IT solution providers offer many defenses, and one that is both simple and very effective is rate limiting.

Rate limiting is an affordable security control that caps how many requests a client can make to a website, network or app within a given time window. Requests up to the limit are served normally; requests beyond it are delayed or rejected (for web traffic, typically with an HTTP 429 Too Many Requests response). The limit is keyed on some identifier of the client, most often the source IP address, an API key or a user account, so abusive sources are throttled while ordinary traffic continues, which improves both the security and the availability of your company's digital platforms.
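To make the mechanism concrete, here is an added example (written for this page, not code from the original article or any product) of the most common rate-limiting algorithm, the token bucket, in Python. Each client key (here an IP address, standing in for whatever identifier you key on) holds a bucket of tokens that refills at a steady rate; a request spends one token, and a client that empties its bucket is refused and told how long to wait. The client names, timestamps and limits below are constructed for illustration.

```python
"""Token-bucket rate limiter keyed per client (e.g. by IP address).

Each client gets a bucket holding up to `burst` tokens that refills
continuously at `rate` tokens per second. A request spends one token;
a request that finds the bucket empty is rejected, and the caller is
told how long to wait before the next token is available.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class _Bucket:
    tokens: float
    last: float  # timestamp of the last refill, in seconds


@dataclass
class TokenBucketLimiter:
    rate: float   # sustained requests per second allowed per client
    burst: int    # short burst a client may make before throttling kicks in
    _buckets: dict[str, _Bucket] = field(default_factory=dict)

    def check(self, client: str, now: float) -> tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for one request from `client`.

        `now` is passed in explicitly (seconds, e.g. time.monotonic()) so the
        policy is deterministic and testable; in production call
        check(ip, time.monotonic()).
        """
        b = self._buckets.get(client)
        if b is None:
            b = _Bucket(tokens=float(self.burst), last=now)  # new clients start full
            self._buckets[client] = b
        # Refill: add tokens for the elapsed time, never exceeding the burst size.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.burst), b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        # Bucket empty: report how long until one whole token has refilled.
        retry_after = (1.0 - b.tokens) / self.rate
        return False, retry_after


def simulate(limiter: TokenBucketLimiter, requests: list[tuple[str, float]]) -> list[bool]:
    """Feed (client, timestamp) pairs through the limiter; return the allow/deny decisions."""
    return [limiter.check(client, t)[0] for client, t in requests]


if __name__ == "__main__":
    # Constructed policy and traffic: 10 requests/s sustained, bursts of 5 allowed.
    lim = TokenBucketLimiter(rate=10.0, burst=5)
    # A bot fires 8 requests at t=0; a person makes one request at t=0 and one at t=0.5.
    traffic = [("bot", 0.0)] * 8 + [("user", 0.0), ("user", 0.5)]
    print(simulate(lim, traffic))  # bot: first 5 allowed, next 3 denied; user: both allowed
```

The `retry_after` value is what you would place in a `Retry-After` header, so a well-behaved client backs off by exactly the right amount instead of guessing.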

One type of attack that rate limiting helps prevent is the brute-force login attempt, in which cybercriminals use bots to submit password guesses against a login form until one works, either many guesses against a single account or a few common passwords tried across many accounts (password spraying). In 2017, brute-force login attempts rose by 400 percent.

Rate limiting is a valuable countermeasure: it caps the number of login attempts that can be made within a given period, for human users and bots alike, and at a handful of attempts per minute even a weak password takes longer to guess than an attacker can afford. Failed attempts should be counted per account as well as per source IP address, because attackers spread their guesses across many addresses. To avoid locking out legitimate users who mistype a password, the limit can escalate to a JavaScript challenge or CAPTCHA once a threshold is crossed, rather than blocking outright.
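The following added example (written for this page, not taken from the article or any product) shows why a login limiter should count failures per account as well as per source IP, and how to escalate to a challenge before blocking. Usernames, IP addresses and thresholds are constructed; the thresholds are illustrative, not a recommendation.

```python
"""Login rate limiter that counts *failed* attempts per account and per source IP.

Keying on both matters: an attacker guessing one account from many IPs is
caught by the per-account counter, while one that sprays a single password
across many accounts from one IP is caught by the per-IP counter. Instead of
blocking at the first sign of trouble, the limiter escalates from "allow" to
"challenge" (serve a CAPTCHA / JavaScript challenge) to "block".
"""
from __future__ import annotations

from collections import defaultdict, deque

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"


class LoginLimiter:
    def __init__(self, window: float = 900.0,
                 account_challenge: int = 3, account_block: int = 5,
                 ip_challenge: int = 10, ip_block: int = 20) -> None:
        self.window = window  # sliding window in seconds (15 minutes by default)
        self.account_challenge, self.account_block = account_challenge, account_block
        # IP thresholds are looser: many legitimate users can share one IP (NAT, proxies).
        self.ip_challenge, self.ip_block = ip_challenge, ip_block
        self._failures: dict[str, deque[float]] = defaultdict(deque)

    def _count(self, key: str, now: float) -> int:
        """Drop failures older than the window and return how many remain."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def decide(self, username: str, ip: str, now: float) -> str:
        """Decision for a login attempt, taken *before* the password is checked."""
        acct = self._count(f"acct:{username.lower()}", now)
        src = self._count(f"ip:{ip}", now)
        if acct >= self.account_block or src >= self.ip_block:
            return BLOCK
        if acct >= self.account_challenge or src >= self.ip_challenge:
            return CHALLENGE
        return ALLOW

    def record_failure(self, username: str, ip: str, now: float) -> None:
        self._failures[f"acct:{username.lower()}"].append(now)
        self._failures[f"ip:{ip}"].append(now)

    def record_success(self, username: str) -> None:
        # A correct password clears the account's failure history but not the IP's:
        # an address still guessing other accounts has not earned a pardon.
        self._failures.pop(f"acct:{username.lower()}", None)


def replay_guesses(limiter: LoginLimiter, attempts: list[tuple[str, str]]) -> list[str]:
    """Replay (username, ip) guesses one second apart, every guess wrong.
    Returns the decision made for each attempt."""
    decisions = []
    for i, (user, ip) in enumerate(attempts):
        now = float(i)
        d = limiter.decide(user, ip, now)
        decisions.append(d)
        if d != BLOCK:  # blocked attempts never reach the password check
            limiter.record_failure(user, ip, now)
    return decisions


if __name__ == "__main__":
    # Constructed scenarios (documentation IP ranges), all guesses wrong.
    # 1) One IP hammers one account: challenged after 3 failures, blocked after 5.
    print(replay_guesses(LoginLimiter(), [("alice", "203.0.113.5")] * 8))
    # 2) Password spraying: one guess each against 25 accounts from one IP.
    #    Per-account counters never trip; the per-IP counter does.
    print(replay_guesses(LoginLimiter(), [(f"user{i}", "203.0.113.5") for i in range(25)]))
    # 3) Distributed attack on one account from 8 IPs: per-IP never trips,
    #    per-account does.
    print(replay_guesses(LoginLimiter(), [("alice", f"198.51.100.{i}") for i in range(8)]))
```

Run stand-alone it prints the three scenarios. In the second and third, only one of the two counters ever trips, which is the argument for keying on both; a limiter that counted only per IP would wave the distributed attack straight through.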

Another type of attack that rate limiting helps prevent is website scraping. Scrapers and scanners are bots that crawl a site's pages far faster than any human could (often on the order of 100 pages a second), either to harvest its content or to map the site and probe it for vulnerabilities.

Rate limiting tackles this by capping the number of requests a single IP address can make to the site in a set period, so a crawler pulling pages far faster than a person could is slowed to a trickle or cut off. Two caveats apply: a determined scraper will spread its requests over many IP addresses, so per-IP limits work best alongside other signals such as user agent and request pattern, and many legitimate users can sit behind one address (corporate proxies, carrier NAT), so the threshold must leave room for them.
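As an added example (not part of the original article), the following Python reads Apache/nginx combined-format access log lines, bins requests per client per second, and flags clients whose peak rate is far beyond human browsing. The log lines are constructed for this example, the addresses come from the documentation ranges, and the 10 requests-per-second threshold is an arbitrary illustration to be tuned against your own traffic; the same per-IP, per-second histogram is what you would look at to choose a sane limit in the first place.

```python
"""Spot scraper-like clients in a web server access log.

A human browsing a site requests a handful of pages a minute; a scraper
or vulnerability scanner pulls tens or hundreds of distinct pages per
second from one address. This pass groups requests per client IP per
second and flags clients whose peak rate crosses a threshold, which is
both a detection signal and the evidence needed to pick a per-IP limit.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def peak_rates(lines: list[str]) -> dict[str, tuple[int, int]]:
    """For each client IP return (peak requests in any one second, distinct paths seen).

    Requests are bucketed at one-second resolution using the timestamp text
    with the timezone offset stripped.
    """
    per_second: dict[str, Counter] = defaultdict(Counter)
    paths: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these separately
        second = rec["ts"].split(" ")[0]  # "10/Oct/2023:13:55:36" without the "+0000"
        per_second[rec["ip"]][second] += 1
        paths[rec["ip"]].add(rec["path"])
    return {ip: (max(c.values()), len(paths[ip])) for ip, c in per_second.items()}


def flag_scrapers(lines: list[str], max_rps: int = 10) -> list[str]:
    """Return, sorted, the IPs whose peak per-second request rate exceeds `max_rps`."""
    return sorted(ip for ip, (peak, _) in peak_rates(lines).items() if peak > max_rps)


def make_sample_log() -> list[str]:
    """Constructed sample: a scraper walking /products/1..30 within one second,
    and a normal visitor loading a page, its assets and two more pages over half a minute."""
    lines = []
    for i in range(1, 31):
        lines.append(
            f'198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /products/{i} HTTP/1.1" '
            f'200 5120 "-" "python-requests/2.31"'
        )
    visitor = [("13:55:30", "/"), ("13:55:30", "/static/app.css"), ("13:55:31", "/static/app.js"),
               ("13:55:45", "/products/7"), ("13:55:59", "/cart")]
    for t, p in visitor:
        lines.append(
            f'203.0.113.9 - - [10/Oct/2023:{t} +0000] "GET {p} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
        )
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    for ip, (peak, distinct) in sorted(peak_rates(log).items()):
        print(f"{ip:15} peak {peak:3d} req/s, {distinct:3d} distinct paths")
    print("flagged:", flag_scrapers(log))
```

A page load legitimately fans out into several asset requests in the same second, which is why the visitor's peak is above one; the threshold should be set from the distribution of real visitors' peaks, not from a single-request assumption.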

API abuse is a very common type of attack, especially for companies with a public-facing API. In its crudest form, attackers flood the API with GET or POST requests to exhaust the origin server's resources or saturate its internet bandwidth; in a subtler form, they make a steady stream of ordinary-looking calls to pull data out of the API one record at a time.

Rate limiting counters this by capping the number of requests, and the volume of data, that a client can consume through your API in a given period. The limits must be realistic for legitimate clients, and a rejected call should receive a fast, explicit response (HTTP 429 Too Many Requests with a Retry-After header) rather than being left to hang until it times out: a client that times out simply retries and adds load, and limits set too tight turn the rate limiter itself into a way for an attacker to lock your real users out.

Panera Bread was an unfortunate victim of this type of attack in 2018, when an unauthenticated endpoint of its public API let anyone pull customer records in bulk, exposing millions of records including names, birthdays, the last four digits of credit card numbers, email addresses and physical addresses. Rate limiting would have slowed that extraction and made it visible in the logs, but it is no substitute for requiring authentication and authorization on every endpoint that returns customer data.

Websites like LinkedIn use rate limiting to thwart such attacks on behalf of themselves and their users: every call to its API counts against a fixed daily allowance, and once a client has used up its quota for the 24-hour window, further calls are refused until the window resets.
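Here is an added example (written for this page; not LinkedIn's, Panera's or any vendor's implementation) tying together the two points above: a per-API-key quota on both request count and bytes over a fixed 24-hour window, which answers every call immediately with either a 200 plus `X-RateLimit-*` headers or a 429 plus `Retry-After`, instead of leaving the client to time out. Key names, quotas and timestamps are constructed, and the quota numbers are illustrative.

```python
"""Per-API-key quota over a fixed 24-hour window, on both request count and bytes.

Every call gets an immediate answer: proceed (with X-RateLimit-* headers
saying how much budget remains) or 429 Too Many Requests with a Retry-After
header pointing at the window reset. A refused client therefore knows exactly
when to come back rather than timing out and retrying blindly.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DAY = 24 * 3600


@dataclass
class Quota:
    max_requests: int  # calls allowed per window
    max_bytes: int     # response bytes allowed per window


@dataclass
class _Usage:
    window_start: int
    requests: int = 0
    bytes_sent: int = 0


@dataclass
class DailyQuotaLimiter:
    quota: Quota
    window: int = DAY
    _usage: dict[str, _Usage] = field(default_factory=dict)

    def _usage_for(self, key: str, now: int) -> _Usage:
        start = (now // self.window) * self.window  # windows aligned to midnight UTC
        u = self._usage.get(key)
        if u is None or u.window_start != start:   # first call, or a new day: fresh budget
            u = _Usage(window_start=start)
            self._usage[key] = u
        return u

    def begin_request(self, api_key: str, now: int) -> tuple[int, dict[str, str]]:
        """Decide one call. Returns (http_status, headers): 200 and one request
        charged if both budgets have room, otherwise 429 with Retry-After."""
        u = self._usage_for(api_key, now)
        reset = u.window_start + self.window
        headers = {
            "X-RateLimit-Limit": str(self.quota.max_requests),
            "X-RateLimit-Reset": str(reset),  # Unix time at which the quota renews
        }
        if u.requests >= self.quota.max_requests or u.bytes_sent >= self.quota.max_bytes:
            headers["X-RateLimit-Remaining"] = "0"
            headers["Retry-After"] = str(reset - now)  # seconds until the window resets
            return 429, headers
        u.requests += 1
        headers["X-RateLimit-Remaining"] = str(self.quota.max_requests - u.requests)
        return 200, headers

    def record_response(self, api_key: str, now: int, response_bytes: int) -> None:
        """Charge the bytes actually sent. Byte budgets are enforced after the fact,
        so a key can overshoot by at most one response before being cut off."""
        self._usage_for(api_key, now).bytes_sent += response_bytes


if __name__ == "__main__":
    # Constructed policy: 100 calls or 1 MiB of responses per key per day.
    lim = DailyQuotaLimiter(Quota(max_requests=100, max_bytes=1 << 20))
    t0 = 1_700_000_000  # 2023-11-14T22:13:20Z; this day's window resets 6400 s later
    # A client paging through 400 KiB responses runs out of byte budget long before
    # it runs out of requests; the fourth call is refused and told to wait 6400 s.
    for _ in range(4):
        status, hdrs = lim.begin_request("key-abc", t0)
        print(status, hdrs)
        if status == 200:
            lim.record_response("key-abc", t0, 400 * 1024)
    # Once the window has rolled over the same key is served again.
    print(lim.begin_request("key-abc", t0 + 6400)[0])
```

Because the reset time is aligned to the window rather than to the client's first call, every client's quota renews at the same moment, which is the simple-to-explain behaviour of a daily allowance; a token bucket, by contrast, renews continuously.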

Rate limiting is an important tool in any company's cybersecurity, and many IT solution providers offer it in their cyber protection packages. Beyond blunting brute-force logins, website scraping and API abuse, it gives you another layer of granular control over traffic, reduces the volume of malicious and unwanted requests reaching your servers, and surfaces the sources making suspicious numbers of requests, which is useful intelligence in its own right.