mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

API Reference: Implementing API Abuse Detection with Rate Limiting

Redis Token Bucket (Python)

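import time

import redis

r = redis.Redis()

# Atomic token bucket: the read, refill and consume steps run as one Lua script.
# ARGV[1] = bucket capacity, ARGV[2] = refill rate (tokens/second), ARGV[3] = current time
# Note: no TTL is set on the bucket key, so keys for idle clients persist until removed.
lua = """
local tokens = tonumber(redis.call('HGET', KEYS[1], 'tokens') or ARGV[1])
local last = tonumber(redis.call('HGET', KEYS[1], 'last') or ARGV[3])
local elapsed = tonumber(ARGV[3]) - last
tokens = math.min(tonumber(ARGV[1]), tokens + elapsed * tonumber(ARGV[2]))
if tokens >= 1 then
    tokens = tokens - 1
    redis.call('HMSET', KEYS[1], 'tokens', tokens, 'last', ARGV[3])
    return 1
end
return 0
"""

# Example values; in a request handler client_ip comes from the incoming request.
client_ip = "203.0.113.10"
max_tokens = 20   # bucket capacity
refill_rate = 5   # tokens added per second
# Returns 1 when the request is allowed, 0 when the bucket is empty
allowed = r.eval(lua, 1, f"rl:{client_ip}", max_tokens, refill_rate, time.time())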

Rate Limit Response Headers

| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed |
| X-RateLimit-Remaining | Requests remaining |
| X-RateLimit-Reset | Unix timestamp when limit resets |
| Retry-After | Seconds until client can retry |

NGINX Rate Limiting

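# http context: 10 MB shared zone keyed on client address, 10 requests/second per address
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
# server context
location /api/ {
    # Allow bursts of up to 20 requests without delaying them; excess is rejected
    limit_req zone=api burst=20 nodelay;
    # Reject with 429 Too Many Requests instead of the default 503
    limit_req_status 429;
}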

Abuse Detection Thresholds

| Attack Type | Indicator | Threshold |
|---|---|---|
| Brute Force | Auth failures/IP | > 10 in 5 min |
| Credential Stuffing | Unique users/IP | > 20 |
| API Scraping | Requests/IP | > 500/hr |
| Rate Bypass | User-Agent rotation | > 10 unique UAs |
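
The thresholds in the table applied to per-IP request events, as an added example that is not part of the original reference. The event fields (`ts`, `ip`, `status`, `user`, `ua`), treating HTTP 401 as an auth failure, and evaluating the two rows without a time window over the whole batch are assumptions.

```python
from collections import defaultdict

def max_in_window(timestamps, window):
    """Largest count of events inside any sliding window of `window` seconds."""
    ts_sorted, best, start = sorted(timestamps), 0, 0
    for end, ts in enumerate(ts_sorted):
        while ts - ts_sorted[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_abuse(events):
    """Return {ip: set of attack types} using the thresholds from the table."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        hits = set()
        # Brute force: more than 10 auth failures (assumed: HTTP 401) in 5 minutes.
        if max_in_window([e["ts"] for e in evs if e["status"] == 401], 300) > 10:
            hits.add("brute_force")
        # Credential stuffing: more than 20 distinct usernames from one IP.
        if len({e["user"] for e in evs if e["user"]}) > 20:
            hits.add("credential_stuffing")
        # API scraping: more than 500 requests from one IP in an hour.
        if max_in_window([e["ts"] for e in evs], 3600) > 500:
            hits.add("api_scraping")
        # Rate bypass: more than 10 distinct User-Agent strings from one IP.
        if len({e["ua"] for e in evs}) > 10:
            hits.add("rate_bypass")
        if hits:
            findings[ip] = hits
    return findings

def ev(ts, ip, status, user=None, ua="client/1.0"):
    """Build one constructed event record (hypothetical schema)."""
    return {"ts": ts, "ip": ip, "status": status, "user": user, "ua": ua}

# Constructed sample events (documentation IP ranges), one pattern per source IP.
SAMPLE_EVENTS = (
    [ev(10 * i, "203.0.113.5", 401, user="alice") for i in range(11)]
    + [ev(60 * i, "198.51.100.7", 401, user=f"user{i}") for i in range(21)]
    + [ev(5 * i, "192.0.2.9", 200) for i in range(501)]
    + [ev(30 * i, "192.0.2.44", 200, ua=f"agent-{i}") for i in range(11)]
    + [ev(0, "192.0.2.100", 401, user="bob"), ev(20, "192.0.2.100", 200, user="bob")]
)

if __name__ == "__main__":
    for ip, hits in sorted(detect_abuse(SAMPLE_EVENTS).items()):
        print(ip, sorted(hits))
```

The second sample IP shows why the indicators are tracked separately: 21 failures spread one per minute stay under the brute-force threshold but still trip the unique-users check.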

Flask-Limiter

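from flask import Flask, jsonify
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)
# Key every limit on the client address; 100 requests/minute applies to all routes by default
limiter = Limiter(get_remote_address, app=app, default_limits=["100/minute"])

# Tighter per-route limit on the login endpoint
@app.route("/api/login", methods=["POST"])
@limiter.limit("5/minute")
def login():
    # Credential verification goes here
    return jsonify(status="ok")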
