
dev-abraao

Rate Limiting in Laravel

So, I've been exploring the RateLimiter facade in Laravel 12, and I'm wondering if the rate limiter actually helps/protects against any type of DDoS/brute-force attacks, or if it just restricts the user from seeing some specific part of your application?

1 like
6 replies
ian_h

The rate limiter will do as it says on the tin: it'll limit the rate at which you can access things.

A common use case would be a login/2FA form, for example, so yup, if you're looking to help against brute-force attacks, it would help.

As for DDoS, it's not going to help, as to perform the rate limiting the network traffic is still hitting your server/application. To help mitigate DDoS attacks, you'll want hardware equipment on the edge of your network that would prevent the traffic from hitting your server completely.

1 like
dev-abraao

Thanks for the explanation. I've set the global rate limit of my app to 500, but I assume that's a lot when we're talking about a login form. Do you think I should lower it for these specific parts of the website, or should I be good?

1 like
ian_h

I think it all depends on what your app does and exactly how you want to control it. Does everywhere on the site need a limiter, or is it only certain areas that really require it? Does your app also cater for different "levels of user" (i.e. you might want to rate limit guest access, but allow paid (or higher-tier) users less restrictive access)?

I would personally set a limit for logins separately and lower it, however, as this is probably something you'll want a finer set of controls over, maybe also including decay times.

1 like
martinbean

@dev-abraao You should be applying specific rate limiters when the situation calls for it, yes. So the example of a login form is a good one of where you’d want a less lax limit than your “global” one. If someone is hammering your login form many times a minute, then there’s a good chance it’s a bot or some other automated process performing a credential stuffing attack.

1 like
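Putting ian_h's and martinbean's suggestions into code: the following is an added example, not code from this thread or from Laravel's own documentation. It defines a tiered global limiter (guests by IP, free-tier users by user id, paid users unthrottled) and a separate, much stricter login limiter with a longer decay window, the way Laravel 11/12's `AppServiceProvider` would hold it. The `plan` column on the users table is an assumption made for illustration; everything else is the standard `RateLimiter` / `Limit` API.

```php
<?php
// Added example (not from the thread, not Laravel's docs): app/Providers/AppServiceProvider.php
// Assumption: the users table has a nullable string column "plan" ('free' or 'pro').

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Tiered global limiter: who is asking decides the bucket and the budget.
        RateLimiter::for('global', function (Request $request) {
            $user = $request->user();

            if ($user === null) {
                // Guests: keyed by client IP, modest budget.
                return Limit::perMinute(60)->by('guest:' . $request->ip());
            }

            if ($user->plan === 'pro') { // hypothetical "plan" column
                // Paid tier: no throttling at all.
                return Limit::none();
            }

            // Authenticated free tier: keyed by user id, so users sharing one
            // NAT address do not consume each other's budget.
            return Limit::perMinute(300)->by('user:' . $user->id);
        });

        // Login limiter: far stricter than the global one, with a longer decay.
        // Two limits apply at once: 5 attempts per 15 minutes for an IP+email pair,
        // and 30 attempts per minute for the IP alone, so cycling through many
        // different emails from one address is capped as well.
        RateLimiter::for('login', function (Request $request) {
            $ip = $request->ip();
            $email = strtolower(trim((string) $request->input('email', 'anonymous')));

            return [
                Limit::perMinutes(15, 5)
                    ->by('login:' . $ip . '|' . $email)
                    ->response(fn (Request $req, array $headers) => redirect()->back()
                        ->withErrors(['email' => 'Too many login attempts. Please wait 15 minutes.'])
                        ->withInput($req->only('email'))),
                Limit::perMinute(30)->by('login-ip:' . $ip),
            ];
        });
    }
}
```

Attach the login limiter exactly as in the route posted further down (`->middleware('throttle:login')`), and `throttle:global` either on a route group or by appending it to the `web` middleware group. Because the global limiter calls `$request->user()`, it has to run after the session and authentication middleware, which is the case for route middleware inside the `web` group. The second login limit carries no custom `response()`, so when it trips Laravel returns its default 429 with `Retry-After` and `X-RateLimit-*` headers.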
dev-abraao

Got it. I'm currently messing around in my application, and it seems that when it reaches the rate limit it's returning the error message like it should, but the POST request is popping up in the network tab anyway. Is this normal behavior, or am I missing something?

    // These imports go at the top of the provider file; the limiter itself lives in boot().
    use Illuminate\Cache\RateLimiting\Limit;
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\RateLimiter;

    RateLimiter::for('login', function (Request $request) {
        // One bucket per client IP + submitted email (falls back to 'anonymous').
        $key = 'login.' . $request->ip() . '|' . ($request->input('email') ?? 'anonymous');

        // Five attempts per minute; when exceeded, redirect back with an error instead of a bare 429.
        return Limit::perMinute(5)->by($key)->response(function () use ($request) {
            return redirect()->back()
                ->withErrors(['error' => 'Muitas tentativas de login. Aguarde alguns minutos.'])
                ->withInput($request->only('email'));
        });
    });

Below is the web.php:

    Route::post('/login', [AuthController::class, 'authenticate'])->name('login')->middleware('throttle:login');
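On the network-tab observation: as ian_h noted above, the throttle middleware runs inside the application, so every POST still travels to the server and appears in the browser's network tab; what changes once the limit is reached is that the middleware answers the request itself instead of letting the controller run. The feature test below is an added example (not from this thread) that demonstrates that against the `login` limiter and the `/login` route posted above. It assumes Laravel's default test configuration (`CACHE_STORE=array` in phpunit.xml, so counters start fresh for each test, and test requests arriving from 127.0.0.1) and that `AuthController::authenticate` exists as routed; the email and passwords are constructed sample values.

```php
<?php
// Added example (not from the thread): tests/Feature/LoginThrottleTest.php
// Assumes the 'login' limiter (5 per minute, redirect back with an 'error' message)
// and the POST /login route exactly as posted above, plus Laravel's default
// phpunit.xml (array cache store, so rate-limit counters reset per test).

namespace Tests\Feature;

use Tests\TestCase;

class LoginThrottleTest extends TestCase
{
    private const EMAIL = 'alice@example.com'; // constructed sample value

    public function test_requests_reach_the_server_and_the_sixth_is_throttled(): void
    {
        // Attempts 1-5 pass through the throttle middleware to the controller.
        // The middleware counts each hit before calling the controller and reports
        // the remaining budget in the response headers, whatever the controller returns.
        for ($i = 1; $i <= 5; $i++) {
            $response = $this->from('/login')->post('/login', [
                'email' => self::EMAIL,
                'password' => 'wrong-password-' . $i, // constructed, deliberately invalid
            ]);

            $response->assertHeader('X-RateLimit-Limit', '5');
            $response->assertHeader('X-RateLimit-Remaining', (string) (5 - $i));
        }

        // Attempt 6 still arrives as an HTTP request (this is what the network tab shows),
        // but the limiter's custom response is returned before the controller runs:
        // a redirect back to /login carrying the error and the old email input.
        $response = $this->from('/login')->post('/login', [
            'email' => self::EMAIL,
            'password' => 'wrong-password-6',
        ]);

        $response->assertRedirect('/login');
        $response->assertSessionHasErrors('error');
        $response->assertSessionHasInput('email', self::EMAIL);
    }
}
```

Run it with `php artisan test --filter=LoginThrottleTest`. The point to take from the header assertions is that throttling is a decision made after the request has been received; what the edge proxy suggested in the next reply adds is a place to make that decision before the traffic reaches your server at all.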
Snapey

Cloudflare is an inexpensive solution. It can act as a rate-limiting proxy.

1 like
