Rate Limiting Lab - Brute Force Protection

📚 What is Rate Limiting?

Rate Limiting is a security control that restricts the number of requests a user can make within a specific time period. It's crucial for preventing:

Brute Force Attacks: Automated attempts to guess passwords, PINs, or tokens
Denial of Service (DoS): Overwhelming the server with requests
Resource Abuse: Excessive use of expensive operations
Credential Stuffing: Testing large lists of stolen credentials

🧪 PIN Verification Demo

📌 Demo Information

Correct PIN: 1234

Try guessing the PIN with and without rate limiting enabled to see the difference!

Enable Rate Limiting (Max 5 attempts, 30 second cooldown)

Enter 4-digit PIN:

Total Attempts

Status:

Ready to test. Try entering a PIN.

🎯 Try This Experiment

With Rate Limiting OFF:
- Try multiple incorrect PINs (e.g., 0000, 1111, 2222, 3333, etc.)
- Notice you can keep trying indefinitely
- This allows brute force attacks (10,000 possible 4-digit combinations)
With Rate Limiting ON:
- Try 5 incorrect PINs
- After 5 attempts, you'll be locked out for 30 seconds
- This makes brute force attacks impractical

🔍 Understanding the Vulnerability

Without Rate Limiting:

                
// ❌ VULNERABLE: No protection against brute force

function verifyPIN(pin) {

  if (pin === correctPIN) {

    return { success: true };

  }

  return { success: false };

}

// Attacker can try all 10,000 combinations!

for (let i = 0; i < 10000; i++) {

  verifyPIN(i.toString().padStart(4, '0'));

}

With Rate Limiting:

                
// ✅ SECURE: Rate limiting implemented

const attempts = {};

function verifyPIN(pin, userId) {

  // Check attempt count

  if (attempts[userId] >= 5) {

    const timeSinceFirst = Date.now() - attempts[userId].firstAttempt;

    if (timeSinceFirst < 30000) { // 30 seconds

      return { error: 'Too many attempts. Try again later.' };

    }

    // Reset after cooldown

    attempts[userId] = 0;

  }

  // Increment attempts

  attempts[userId]++;

  // Verify PIN

  if (pin === correctPIN) {

    return { success: true };

  }

  return { success: false };

}

⚠️ Real-World Impact

Account Compromise: Attackers can guess weak passwords/PINs
Data Breach: Unauthorized access to sensitive information
Financial Loss: Brute forcing payment PINs, OTPs
Service Disruption: Resource exhaustion from automated attacks
API Abuse: Excessive calls to expensive endpoints

Real Example:

A 4-digit PIN has 10,000 possible combinations (0000-9999). Without rate limiting, an attacker could try all combinations in seconds using automation. With rate limiting of 5 attempts per 30 seconds, it would take over 16 hours to try all combinations!

🔒 Rate Limiting Best Practices

Failed Login Attempts: Limit to 3-5 attempts, then lockout/captcha
Password Reset: Rate limit reset requests to prevent email bombing
OTP Verification: Max 3-5 attempts, then invalidate OTP
API Endpoints: Implement per-user and global rate limits
Account Lockout: Temporary lock after repeated failures
Progressive Delays: Increase delay with each failed attempt
CAPTCHA: Require human verification after threshold
IP-based Limiting: Track attempts by IP address
Account-based Limiting: Track attempts per account

📊 Rate Limiting Strategies

Fixed Window: X requests per fixed time period (e.g., 100/hour)
Sliding Window: More accurate, prevents burst attacks at boundaries
Token Bucket: Allows bursts but limits average rate
Leaky Bucket: Smooths out traffic spikes
Adaptive Rate Limiting: Adjusts based on user behavior/patterns

💡 Detection Tips

Test for missing rate limiting:

Try multiple failed login attempts (10+) - are you blocked?
Request password reset multiple times - any limits?
Make rapid API calls - do you get rate limited?
Check response headers for rate limit info (X-RateLimit-*)
Use tools like Burp Intruder to automate testing