Preventing DoS, DDoS and Brute-Force Attacks on Our Way


Both attacks work in a similar way: They both make requests simultaneously to the server. So the main priority is to detect a requester and then stop it in a certain period of the time limit. The main target is to limit the number of requests for a particular user.

Support Us




1. reCAPTCHA solution

This is one of the common solutions, which works only for login/register forms or any other post methods, so the attacker will not be able to randomly post requests.

reCAPTCHA form

But our main concern is not to do that. We want to limit the request for a particular time, so this is not the solution for our requirement. We don’t want someone to keep our system busy.

2. Rate limiter

A rate limiter can limit a client for a particular time no matter what they are doing. For a real client or script, every request will be limited. A rate limiter is also known as incremental delay or request throttling. Here are some fundamentals of a rate limiter.

  • A rate limiter can control the incoming and outgoing traffic.
  • This can limit the number of requests for a specific user.
  • This helps to prevent brute-force/DoS/DDoS attacks.

Let’s make our own.

Here I am going to use an npm package called Express Rate Limit. I will build a simple project with Express. For other frameworks, there are several rate limiter packages that you will find through Google.

Here is a simple Express API for our experiment.

Here we have two APIs. One is getting and another posting, and there is no restriction for any API. We can request the API thousands of times. This is the main risk for a login or other sensitive APIs.

Let’s limit the API.

Here we are using Express Rate Limit because we are using Express here. This example shows us the use of a rate limiter.

const rateLimit = require("express-rate-limit");// windowMS is the time in milliseconds we are limiting for.
// max is the limit a user can request in the particular time
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs

// apply to all requests

Let’s configure our API.

Does it work?

For the first five requests here is the result. We got the success message that we expected, and the status code is 200.

Postman request

Now we have exceeded our limit, so let’s see again. We got our custom message that we configured in the rate limiter, and also we see the status code is 429. So our API endpoint is finally limited.

Postman request


Leave a comment

Your email address will not be published. Required fields are marked *