Intelligent Rate Limiting is included by default in Device Fingerprinting decisioning, and no additional implementation is required.

Overview

Intelligent Rate Limiting (IntRL) automatically limits traffic based on device risk. To protect your application, IntRL analyzes device and traffic sub-signals and adds friction to high-velocity traffic.

How it works

High-velocity traffic from a single origin is often an indicator of fraudulent activity. Traditional rate limiting methods rely on simple origin identifiers like IP address. These are easily circumvented by sophisticated actors and can result in unintended rate limiting of good users sharing common IPs in settings like workplaces or university campuses.

Intelligent Rate Limiting combines signals to create a stable and highly unique targeting method for high-velocity attacks. It automatically adds increasing levels of friction to those attacks through our verdict response in Fingerprint Lookup calls. For suspicious fingerprints that are not associated with any known hardware and software configuration, Intelligent Rate Limiting also sets lower rate limits, which caps the impact of novel attacks without penalizing real users with unusual devices.

IntRL introduces three new verdict.reasons[] values that map to detected anomalies:

| Reason | Action | Duration | Description |
|---|---|---|---|
| SMART_RATE_LIMIT_WARNING | CHALLENGE | 60 minutes | Higher than normal velocity from a single origin; a CHALLENGE verdict will be returned for the next 60 minutes for the offending signal set. |
| SMART_RATE_LIMIT_EXCEEDED | BLOCK | 60 minutes | High velocity or abnormal traffic patterns; a BLOCK verdict will be returned for the next 60 minutes for the offending signal set. |
| SMART_RATE_LIMIT_BANNED | BLOCK | 24 hours | Extremely high velocity; a BLOCK verdict will be returned for 24 hours for the offending signal set. |

Once the relevant time period has passed, the offending origin (as determined by Device Fingerprinting signals) will be eligible to move back to a less restrictive status.

Sample response

{
	"created_at": "2024-08-24T07:00:00Z",
	"expires_at": "2024-08-24T07:05:00Z",
	"fingerprints": { ... },
	"status_code": 200,
	"telemetry_id": "026ac93b-8cdf-4fcb-bfa6-36a31cfecac1",
	"verdict": {
		"action": "BLOCK",
		"detected_device_type": "INTEL_WINDOWS_CHROME",
		"is_authentic_device": true,
		"reasons": ["SMART_RATE_LIMIT_EXCEEDED"]
	}
}

Usage & considerations

There are some potential considerations depending on your integration with Device Fingerprinting:

Different weights for different reasons

If you use Device Fingerprinting as an input to your own risk engine, you may want to explicitly weight the Intelligent Rate Limiting verdict reasons as higher risk.

Verdict reasons are dynamic

These verdict.reasons are dynamic, stateful, and change over time. This means that:
  • We don’t recommend that you automatically ban via permanent Rules for these verdict.reasons, but they do indicate that you should investigate more deeply and potentially take action.
  • If your risk engine correlates Device Fingerprinting results to IP addresses within your risk framework, we recommend that you do not permanently ban IP addresses based on IntRL verdict.reasons. These verdicts may change over time as traffic patterns change.
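
The two considerations above (weight IntRL reasons higher, but never turn them into permanent bans) can be combined in a risk engine as a time-boxed score. The following is an added example, not code from this documentation or its SDKs; the weights, the base scores, the function names, and the choice to measure each window from created_at are all assumptions.

```python
from datetime import datetime, timedelta

# Durations are the ones in the reason table above; the weights, the base
# scores and all function names are assumptions for a hypothetical risk engine.
INTRL = {
    "SMART_RATE_LIMIT_WARNING": (40, timedelta(minutes=60)),
    "SMART_RATE_LIMIT_EXCEEDED": (70, timedelta(minutes=60)),
    "SMART_RATE_LIMIT_BANNED": (90, timedelta(hours=24)),
}
ACTION_BASE = {"CHALLENGE": 30, "BLOCK": 60}  # any other action adds nothing


def parse_ts(value):
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(response):
    """Return (score, hold_until) for one Fingerprint Lookup response."""
    verdict = response.get("verdict") or {}
    seen = parse_ts(response["created_at"])
    score = ACTION_BASE.get(verdict.get("action"), 0)
    hold_until = None
    for reason in verdict.get("reasons") or []:
        if reason not in INTRL:
            continue  # non-IntRL reasons are scored elsewhere
        weight, ttl = INTRL[reason]
        score = max(score, weight)
        expiry = seen + ttl  # assumption: window measured from created_at
        hold_until = expiry if hold_until is None else max(hold_until, expiry)
    return score, hold_until


def still_elevated(hold_until, now):
    """IntRL reasons are stateful: elevated risk lapses once the window ends."""
    return hold_until is not None and now < hold_until


# Constructed sample, shaped like the sample response above (fingerprints omitted).
SAMPLE = {
    "created_at": "2024-08-24T07:00:00Z",
    "verdict": {"action": "BLOCK", "reasons": ["SMART_RATE_LIMIT_EXCEEDED"]},
}

if __name__ == "__main__":
    score, hold_until = assess(SAMPLE)
    print(score, hold_until.isoformat())
    print(still_elevated(hold_until, parse_ts("2024-08-24T08:30:00Z")))
```

Store hold_until alongside whatever key your risk engine already uses for the device, and re-evaluate on the next lookup rather than extending the hold yourself.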