IP-Based Rate Limiting — Complete Client IP Throttling Guide
In this tutorial, you will learn about IP-based rate limiting. We cover key concepts, practical examples, and best practices to help you master this topic.
IP-based Rate Limiting tracks request counts per source IP address. It is the simplest approach and works without requiring authentication, making it suitable for public APIs.
What You'll Learn
You'll learn how to implement IP-based rate limiting, how to handle proxies and load balancers correctly, and where the approach falls short.
Why It Matters
IP-based limiting works for any client without requiring API keys or login. It is the first line of defense against abusive traffic.
Real-World Use
A public API rate limits anonymous requests to 10 per minute by IP. Authenticated requests have higher limits. This prevents scrapers from overwhelming the API while allowing legitimate use.
Implementation
```python
from flask import Flask, request, jsonify
import time
from collections import defaultdict

app = Flask(__name__)

# Per-IP list of request timestamps that fall inside the current window.
ip_limits = defaultdict(list)


@app.route("/api/data")
def get_data():
    client_ip = request.remote_addr  # TCP peer address; behind a proxy this is the proxy, see "Common Mistakes"
    now = time.time()
    window = 60  # seconds

    # Drop timestamps that have aged out of the sliding window.
    ip_limits[client_ip] = [
        t for t in ip_limits[client_ip] if now - t < window
    ]
    if len(ip_limits[client_ip]) >= 10:
        return jsonify({"error": "Rate limit exceeded"}), 429

    ip_limits[client_ip].append(now)
    return jsonify({"data": "success"})
```
Common Mistakes
| Mistake | Consequence | Fix |
|---------|-------------|-----|
| Using X-Forwarded-For without verification | IP spoofing | Verify proxy header authenticity |
| Not handling IPv6 | A single client typically holds an entire /64 range of addresses | Rate limit on the /64 subnet |
| Corporate NAT (all employees same IP) | Office users blocked as one | Use user-based limits when auth is available |
| No IP rotation detection | Attackers rotate IPs | Combine with behavioral analysis |
| Not cleaning old IP entries | Memory leak | Set a TTL or run periodic cleanup |
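The following is an added example, not code from the original tutorial, that puts the proxy-header, IPv6 and cleanup rows of the table above into practice alongside the sliding-window logic from the Implementation section. It assumes a single trusted reverse proxy at the constructed address 10.0.0.1 that appends the client address as the last element of X-Forwarded-For; the names `TRUSTED_PROXIES`, `client_key`, `SlidingWindowLimiter` and `handle_request` are this example's own. It uses only the standard library so it can be run and tested without Flask.

```python
import ipaddress
import math
import time
from collections import defaultdict, deque

# Constructed for this example: the only hop allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_network("10.0.0.1/32")}
WINDOW_SECONDS = 60
MAX_REQUESTS = 10


def client_key(remote_addr, x_forwarded_for=None):
    """Return the identity a request is throttled under.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    any other peer could set the header to escape its own bucket.
    IPv6 clients are bucketed by /64, since one host usually owns a whole /64.
    """
    peer = ipaddress.ip_address(remote_addr)
    addr = peer
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # The trusted proxy appends the address it saw, so the rightmost
        # element is authoritative; anything to its left is client-supplied.
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        try:
            addr = ipaddress.ip_address(hops[-1])
        except (ValueError, IndexError):
            addr = peer  # malformed header: fall back to the proxy address
    if addr.version == 6:
        return str(ipaddress.IPv6Network((addr, 64), strict=False))
    return str(addr)


class SlidingWindowLimiter:
    """Sliding-window counter keyed by client_key, with idle-key eviction."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps inside the window

    def _prune(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            del self.hits[key]  # evict idle keys so the table cannot grow forever

    def allow(self, key, now=None):
        """Return (allowed, seconds_until_a_slot_frees)."""
        now = time.time() if now is None else now
        self._prune(key, now)
        q = self.hits[key]
        if len(q) >= self.max_requests:
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0

    def cleanup(self, now=None):
        """Periodic sweep (the table's 'TTL or periodic cleanup' fix)."""
        now = time.time() if now is None else now
        for key in list(self.hits):
            self._prune(key, now)


def handle_request(limiter, remote_addr, x_forwarded_for=None, now=None):
    """Map a limiter decision onto an HTTP-style (status, headers) pair."""
    key = client_key(remote_addr, x_forwarded_for)
    allowed, retry_after = limiter.allow(key, now)
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry_after))}
    return 200, {}


if __name__ == "__main__":
    lim = SlidingWindowLimiter(max_requests=3, window=60)
    for t in range(5):
        # Constructed traffic: one client behind the trusted proxy.
        print(t, handle_request(lim, "10.0.0.1", "198.51.100.7", now=t))
```

The key point is in `client_key`: the forwarded header is trusted only when the connection itself comes from a known proxy, so a direct client sending its own X-Forwarded-For still lands in the bucket for its real address. In production the limiter state would live in a shared store rather than process memory, but the pruning and trust decisions are the same.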
What's Next
Learn about user-based rate limiting.