Aggregated Rate Limiting Defends Against Large-Scale and DDoS Attacks

Akamai Wave Blue

Nov 24, 2025


Rate limiting has always been one of the unsung heroes of application security. It quietly works in the background to stop brute-force login attempts, throttle abusive API calls, and keep sudden spikes of suspicious traffic from overwhelming infrastructure. 

Unfortunately, attackers don’t stand still; they adapt. With the prevalent use of open proxies and cloud infrastructure, today’s attackers can launch not just volumetric but also highly distributed and multi-vector distributed denial-of-service (DDoS) attacks.

In 2024, in response to the growing shift in attacker tactics, we started rolling out architectural changes in Akamai rate limiting. These changes are known to our customers as aggregated rate limiting.

Why it matters

The aggregated rate limiting approach enables Akamai to count and apply rate limiting in a much broader request distribution scope than we have done in the past. With this change, security teams can detect and act on coordinated attack patterns that previously blended into normal traffic. This approach:

  • Exposes hidden patterns: It provides better visibility into highly distributed attacks that may have gone unnoticed earlier.
  • Improves resilience: Organizations can stop evasive Layer 7 DDoS attempts before they escalate into full outages.
  • Adds flexibility: The new support for client identifiers allows rate enforcement at the per-client level without custom delivery workarounds.
  • Reduces complexity: It comes with a built-in evaluation mode that builds confidence and helps customers transition to the new architecture with ease.

These benefits go beyond tactical wins. They represent a strategic shift in how organizations can think about traffic management, visibility, and security at scale.

Real-world outcomes

Across industries like retail, travel, and hospitality, this shift in our rate limiting approach is already driving measurable impact:

  • A major North American airline surfaced and mitigated tens of millions of malicious requests that had previously gone under the radar. They also became one of the first adopters of new client identification parameters in rate limiting, removing the need for complex, custom logic in their delivery configuration.
  • A large hotel group uncovered millions of previously undetected malicious requests once traffic was viewed at the aggregated level — demonstrating the significant value of enhanced DDoS visibility enabled by the new architecture. This broader perspective revealed coordinated activity originating from cloud-hosted infrastructure providers that had previously gone unnoticed.
  • A retail brand in Canada saw measurable impact in DDoS detection, gaining critical visibility into abusive traffic patterns tied to DDoS tools hidden in cloud providers. With aggregated rate enforcement, they could mitigate at scale rather than reacting piecemeal.

Safety first: Building confidence with traffic evaluation reports

Transitioning to the powerful new architecture is simple and straightforward. With the use of the built-in evaluation mode, customers can:

  • Observe traffic behavior with current thresholds
  • Get visibility into outliers or false-positive patterns, and make changes as needed
  • Move into full enforcement with minimal to no risk once confidence is established

This rollout approach eliminates surprises, ensures legitimate traffic is preserved, and gives organizations peace of mind that defenses are tuned correctly.
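
The effect of a broader counting scope, and of running the same threshold in evaluation mode before enforcing it, can be seen in a small simulation. This is an added example, not Akamai's implementation: the "counting point" model of the narrower scope, the client keys, the window, and the threshold are all assumptions, and the traffic is constructed.

```python
from collections import Counter

WINDOW = 10      # seconds per counting window (constructed value)
THRESHOLD = 100  # allowed requests per client key per window (constructed value)

def sample_events():
    """Constructed traffic: (second, counting_point, client_key)."""
    events = []
    # client-A spreads 800 requests over 40 counting points, 20 each.
    for point in range(40):
        events += [(s % WINDOW, f"point-{point}", "client-A") for s in range(20)]
    # client-B is an ordinary user: 30 requests through one counting point.
    events += [(s % WINDOW, "point-0", "client-B") for s in range(30)]
    return sorted(events)

def flagged(events, aggregated):
    """Return client keys whose count in any window exceeds THRESHOLD."""
    counts = Counter()
    for second, point, client in events:
        window = second // WINDOW
        # Narrow scope keeps a separate counter per counting point (assumed model);
        # aggregated scope keeps one counter per client key.
        key = (client, window) if aggregated else (client, window, point)
        counts[key] += 1
    return {key[0] for key, n in counts.items() if n > THRESHOLD}

def apply_policy(events, mode):
    """Aggregated counting in 'evaluate' (report only) or 'enforce' mode."""
    counts, served, would_deny = Counter(), 0, Counter()
    for second, _point, client in events:
        key = (client, second // WINDOW)
        counts[key] += 1
        if counts[key] > THRESHOLD:
            would_deny[client] += 1
            if mode == "enforce":
                continue  # request is dropped
        served += 1
    return served, dict(would_deny)

if __name__ == "__main__":
    ev = sample_events()
    print("narrow scope flags:", flagged(ev, aggregated=False))
    print("aggregated flags:  ", flagged(ev, aggregated=True))
    print("evaluate:", apply_policy(ev, "evaluate"))
    print("enforce: ", apply_policy(ev, "enforce"))
```

In evaluation mode every request is still served while the report shows which client keys would have been denied, so a threshold that also catches the ordinary client can be adjusted before switching to enforcement.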

The future of rate limiting

With attackers now using distributed, cloud-based infrastructures, the aggregated rate limiting approach represents the future of rate limiting at Akamai. The new architecture provides the visibility, control, and resilience that modern businesses need to protect customer-facing applications and digital experiences.

At Akamai, our mission is to stay one step ahead of adversaries, delivering capabilities that are not only more powerful but also easier to use. Aggregated rate controls show that sometimes the most impactful innovations are not the flashiest — they’re the ones that make security stronger and easier at the same time.
