Someone Hit Our API 50,000 Times In A Minute And I Respect It

The logs showed 50,000 requests in 60 seconds. All from the same IP. All to the same endpoint. All with slightly different parameters, like they were searching for something.

I wasn’t even mad. I was impressed.

The Attack

GET /api/users/1
GET /api/users/2
GET /api/users/3
...
GET /api/users/50000

They were enumerating our entire user database through an endpoint that definitely should have had authentication. It didn’t. That’s on me.

The Response

import time

class RateLimiter:
    def __init__(self, limit=100, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self.requests = {}  # ip -> (window_start, count)

    def is_allowed(self, ip):
        # Check if IP has made too many requests in the current window
        now = time.monotonic()
        start, count = self.requests.get(ip, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # new minute, counter resets
        if count >= self.limit:
            return False  # lol no
        self.requests[ip] = (start, count + 1)
        return True

The Aftermath

We now have:

  • Rate limiting (100 requests/minute)
  • Authentication on that endpoint
  • A Slack alert for “suspicious activity”
  • Grudging respect for whoever did this
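
Here is an added example of what the "suspicious activity" alert logic can look like. It is not code from the original post; the log format, the sample lines and the function names are my own assumptions. It parses a handful of constructed access-log lines, counts requests per IP per minute, and separately looks for the pattern in the logs above: one IP walking `/api/users/<id>` with sequential ids. The defaults match the post's 100 requests/minute; the usage call at the bottom lowers the thresholds so the tiny sample trips both checks.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the post). Assumed format:
# "<ip> [<ISO timestamp>] <method> <path> <status>"
SAMPLE_LOG = """\
203.0.113.7 [2024-05-01T03:00:00] GET /api/users/1 200
203.0.113.7 [2024-05-01T03:00:00] GET /api/users/2 200
203.0.113.7 [2024-05-01T03:00:01] GET /api/users/3 200
203.0.113.7 [2024-05-01T03:00:01] GET /api/users/4 200
203.0.113.7 [2024-05-01T03:00:02] GET /api/users/5 200
198.51.100.4 [2024-05-01T03:00:05] GET /api/users/42 200
198.51.100.4 [2024-05-01T03:00:40] GET /api/users/42 200
"""

LINE_RE = re.compile(r"^(\S+) \[(\S+)\] (\S+) (\S+) (\d+)$")
USER_RE = re.compile(r"^/api/users/(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it doesn't match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "status": int(status)}


def longest_sequential_run(ids):
    """Length of the longest run where each id is exactly the previous id + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text, rate_threshold=100, seq_threshold=20):
    """Return alert dicts (what you'd post to Slack) for two signals:
    - "rate": one IP exceeding rate_threshold requests in a single minute
    - "enumeration": one IP requesting seq_threshold+ consecutive user ids
    """
    per_ip_minute = defaultdict(int)   # (ip, minute) -> request count
    ids_by_ip = defaultdict(list)      # ip -> user ids requested, in order
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines we can't parse rather than crash the alerter
        minute = rec["ts"].replace(second=0, microsecond=0)
        per_ip_minute[(rec["ip"], minute)] += 1
        um = USER_RE.match(rec["path"])
        if um:
            ids_by_ip[rec["ip"]].append(int(um.group(1)))

    alerts = []
    for (ip, minute), count in per_ip_minute.items():
        if count >= rate_threshold:
            alerts.append({"ip": ip, "reason": "rate", "count": count,
                           "minute": minute.isoformat()})
    for ip, ids in ids_by_ip.items():
        run = longest_sequential_run(ids)
        if run >= seq_threshold:
            alerts.append({"ip": ip, "reason": "enumeration", "run": run})
    return alerts


if __name__ == "__main__":
    # Thresholds lowered so the seven-line sample triggers both alerts.
    for alert in find_enumeration(SAMPLE_LOG, rate_threshold=4, seq_threshold=4):
        print(alert)
```

The sequential-id check matters on its own: a slow enumeration at 50 requests a minute never trips a 100/minute limit but still walks the whole table, so the alert should fire on the pattern, not just the volume.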

The Lesson

If you don’t rate limit your API, someone will stress test it for you. For free. At 3am. When you’re on call.

To the mystery requester: thanks for the audit. Hope you found what you were looking for.