
Implement request rate limiting to prevent DDoS attacks

Security Enhancement: Rate Limiting

Background

On December 20, 2025, we detected suspicious traffic patterns:

14:30 UTC: Normal traffic: 1,000 RPS
14:35 UTC: Suspicious spike: 15,000 RPS from 200 IPs
14:40 UTC: Traffic continues: 18,000 RPS
14:45 UTC: Manual intervention: Blocked IP range

Impact:

  • Legitimate users experienced 503 errors
  • Database connection pool exhausted (related to #8)
  • $2,300 revenue impact (15 minutes)

Solution

Implement rate limiting with Redis:

@RateLimit(limit = 100, window = 60)  // 100 req/min per IP
public ResponseEntity<User> getUser(@PathVariable String id) {
    return userService.getUser(id);
}

Rate Limits:

  • Anonymous: 100 req/min per IP
  • Authenticated: 1,000 req/min per user
  • Premium: 5,000 req/min per user
  • Burst allowance: 2x limit for 10s

Implementation

  1. Add spring-boot-starter-data-redis
  2. Implement @RateLimit annotation with AOP
  3. Use Redis INCR with TTL for sliding window
  4. Return HTTP 429 with Retry-After header
  5. Add Grafana dashboard for rate limit violations
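As an added example (not the issue's own Java/Spring code), steps 2 to 4 above in Python with an in-process stand-in for the Redis INCR/EXPIRE/TTL commands so it runs offline; the tier limits are the ones listed in this issue, and the burst rule is assumed here to mean a 2x ceiling during the first 10 s of each window. One caveat: INCR plus a TTL is a fixed-window counter, not a true sliding window, so a client can spend one full allowance at the end of a window and another at the start of the next.

```python
import math
import time

# Limits from the issue (requests per 60 s window). Burst is an assumed
# interpretation: during the first 10 s of a window the ceiling is 2x the limit.
LIMITS = {"anonymous": 100, "authenticated": 1000, "premium": 5000}
WINDOW = 60
BURST_FACTOR, BURST_SECONDS = 2, 10


class FakeRedis:
    """Constructed stand-in for the three Redis commands the limiter uses
    (INCR, EXPIRE, TTL); replace with a real client in production."""

    def __init__(self, clock=time.time):
        self.clock, self.counts, self.expiry = clock, {}, {}

    def _evict(self, key):  # emulate Redis dropping a key whose TTL ran out
        if key in self.expiry and self.clock() >= self.expiry[key]:
            self.counts.pop(key, None)
            self.expiry.pop(key, None)

    def incr(self, key):
        self._evict(key)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key]

    def expire(self, key, seconds):
        self.expiry[key] = self.clock() + seconds

    def ttl(self, key):
        self._evict(key)
        return math.ceil(self.expiry[key] - self.clock()) if key in self.expiry else -1


def check(redis, tier, subject, burst=True):
    """Fixed-window counter. Returns (allowed, response_headers); subject is
    the client IP for anonymous traffic, the user id for the other tiers."""
    limit = LIMITS[tier]
    key = f"ratelimit:{tier}:{subject}"
    count = redis.incr(key)
    if count == 1:  # first hit of a window starts the TTL; in production make
        redis.expire(key, WINDOW)  # INCR+EXPIRE atomic (MULTI/EXEC or Lua)
    ttl = redis.ttl(key)
    elapsed = WINDOW - ttl
    ceiling = limit * BURST_FACTOR if burst and elapsed < BURST_SECONDS else limit
    headers = {"X-RateLimit-Limit": str(limit)}
    if count > ceiling:
        headers["Retry-After"] = str(ttl)  # seconds until this window resets
        return False, headers
    headers["X-RateLimit-Remaining"] = str(ceiling - count)
    return True, headers
```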

Testing

# Load test with 10,000 RPS
k6 run --vus 100 --duration 5m rate-limit-test.js

Expected:
- First 100 requests: 200 OK
- Subsequent requests: 429 Too Many Requests
- Retry-After header: 60 seconds
