Rate Limiting Alone isn't Enough

Summary

Falcon is a note-taking application I developed in the summer of 2024 to enhance my study process. It allows for quick note-taking, whether for transferring the content to a more structured format later or simply for future reference. You can try Falcon here.

To safeguard the app and ensure its availability, I implemented rate limiting to prevent bots from consuming VPS resources or overloading the disk. However, I later realized that this measure alone was not sufficient.

The Registration Process

Registering for Falcon is simple and straightforward. Just provide your email address, wait a few seconds, and you'll receive an email containing a password to access the app.

The Damage Done

I later discovered that the database contained numerous registered but inactive users, prompting me to investigate further. It quickly became clear that this was malicious behavior, as all the accounts were created within the same timeframe and adhered to the rate limit I had set.

Upon checking the app's mailbox, I found that many of the "registered" emails had not been delivered, while others had.

When I attempted to create a new account myself, I was surprised to find that the registration email went straight to the spam folder.

Which means that the threat actors behavior has damaged the reputation of the app’s email address, which could severely impact the business and its profitability (if this was an actual business of course xD).

The Mitigation

The solution was straightforward: I implemented reCAPTCHA to address the issue. I chose reCAPTCHA v3, which is invisible to website visitors and does not require solving challenges. Instead, it continuously analyzes visitor behavior to distinguish humans from bots.

It’s worth noting that reCAPTCHA is free for up to one million API calls per month. While a sophisticated threat actor could potentially bypass it through prolonged effort, the combination of reCAPTCHA and the existing rate limiting provides sufficient protection for now.