{"id":1620,"date":"2026-04-11T14:54:41","date_gmt":"2026-04-11T14:54:41","guid":{"rendered":"https:\/\/abilit.eu\/?page_id=1620"},"modified":"2026-04-12T08:41:29","modified_gmt":"2026-04-12T08:41:29","slug":"rate-watcher-rate-limit-throttling-anomaly-detection","status":"publish","type":"page","link":"https:\/\/abilit.eu\/index.php\/offer\/concept-area\/rate-watcher-rate-limit-throttling-anomaly-detection\/","title":{"rendered":"Rate Watcher \u2014 Rate\u2011Limit, Throttling &#038; Anomaly Detection"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n<h2 class=\"wp-block-post-title\">Rate Watcher \u2014 Rate\u2011Limit, Throttling &#038; Anomaly Detection<\/h2>\n\n\n<p class=\"wp-block-paragraph\">A focused service for detecting abnormal request\/operation rates, enforcing rate limits and triggering automated or human responses. Designed to protect APIs, probes and critical endpoints from bursts, floods and slow\u2011burn anomalies.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-c7ebd8d6 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Real\u2011time rate aggregation (per API key, IP, user, route, or service) with sliding windows and configurable buckets.<\/li>\n\n\n\n<li>Adaptive thresholds using baseline learning and seasonality-aware profiles to reduce false positives.<\/li>\n\n\n\n<li>Multiple enforcement modes: monitor, soft\u2011throttle (429), hard\u2011block, and graceful backoff signalling (Retry\u2011After header).<\/li>\n\n\n\n<li>Integration with API gateways, load\u2011balancers and WAFs (NGINX, Envoy, HAProxy, Traefik).<\/li>\n\n\n\n<li>Alerting &amp; automated remediation: escalate to Watchdog, trigger temporary IP bans, or open incident tickets.<\/li>\n\n\n\n<li>Audit logs and metrics exported to 
Prometheus\/Grafana for historical analysis and compliance.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-column has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"border-top-left-radius:42px;border-top-right-radius:42px;border-bottom-left-radius:42px;border-bottom-right-radius:42px;background-color:#f8fbff;padding-top:0;padding-bottom:0;flex-basis:33.33%\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-094d544d wp-block-group-is-layout-constrained\" style=\"border-top-left-radius:27px;border-top-right-radius:27px;border-bottom-left-radius:27px;border-bottom-right-radius:27px;padding-top:var(--wp--preset--spacing--x-small);padding-right:var(--wp--preset--spacing--x-small);padding-bottom:var(--wp--preset--spacing--x-small);padding-left:var(--wp--preset--spacing--x-small)\">\n<h4 class=\"wp-block-heading\">Quick facts<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Package:<\/strong> Rate Watcher v<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Modes:<\/strong> monitor, soft\u2011throttle, hard\u2011block<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Download:<\/strong><a href=\"https:\/\/abilit.eu\/&lt;!-- TODO: DOWNLOAD LINK --&gt;\">Get package<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">How Rate Watcher works<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Rate Watcher ingests request events or aggregated counters (from gateway logs, sidecars or Prometheus) and evaluates them against configured rules and learned baselines. 
It supports:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple keying strategies (API key, client IP, user ID, route).<\/li>\n\n\n\n<li>Sliding window and fixed bucket algorithms for short and long windows (e.g., 1s, 10s, 1m, 1h).<\/li>\n\n\n\n<li>Exemptions and whitelists for internal systems and critical clients.<\/li>\n\n\n\n<li>Rate\u2011limit policies with tiered actions and automatic cooldown timers.<\/li>\n\n\n\n<li>Behavioral anomaly detection that compares current rate to historic baseline and seasonality profile.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example policies &amp; configuration<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use policy templates to quickly apply standard protections and tune per service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-contrast-color has-text-color has-background has-link-color wp-elements-14720529113ce57b48e979443921d7b1\" style=\"background-color:#f6f9ff\"># Example policy (YAML)\npolicies:\n  - id: api_public_default\n    key: api_key\n    windows:\n      - window: 1s\n        limit: 20\n        action: soft-throttle\n      - window: 1m\n        limit: 1000\n        action: monitor\n    baseline_learning: 14d\n    exempt_clients: [\"internal-service-1\"]\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Adaptive policy example: start in monitor mode for 7 days to learn baseline, then enforce soft\u2011throttle if burst profile exceeds 3\u00d7 normal.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Integration &amp; enforcement<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API Gateway: use Rate Watcher as an external policy engine (RP calls) or as a sidecar for local enforcement.<\/li>\n\n\n\n<li>WAF &amp; LB: push decisions (block\/throttle) to WAF rules or LB ACLs for immediate action.<\/li>\n\n\n\n<li>Watchdog: when abnormal sustained rates are detected, trigger Watchdog maintenance mode or automated scaling playbook.<\/li>\n\n\n\n<li>Incident systems: open tickets in ServiceNow \/ PagerDuty when P0 thresholds hit.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Metrics &amp; dashboards<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Expose these metrics to Prometheus for dashboards and alerting:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ratewatcher_requests_total{policy,key,action}<\/li>\n\n\n\n<li>ratewatcher_throttled_total{policy,key}<\/li>\n\n\n\n<li>ratewatcher_blocked_total{policy,key}<\/li>\n\n\n\n<li>ratewatcher_baseline_deviation{policy,window}<\/li>\n\n\n\n<li>ratewatcher_policy_eval_duration_seconds{policy}<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Suggested Grafana panels: top throttled clients, policy hit heatmap, baseline vs actual rate overlays, throttling impact on latency.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Alerting &amp; runbooks<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Define alert severities for burst vs sustained anomalies. Example rules:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>P0 \u2014 sustained blocked rate &gt; X% of total traffic for &gt; 5m \u2192 page on\u2011call, trigger Watchdog.<\/li>\n\n\n\n<li>P1 \u2014 burst above 10\u00d7 baseline for specific key \u2192 open ticket to investigate client misbehaviour.<\/li>\n\n\n\n<li>P2 \u2014 repeated soft\u2011throttle events for non\u2011exempt client \u2192 notify team via Slack\/email.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start in monitor mode to collect 7\u201314 days of baseline data before enforcing hard limits.<\/li>\n\n\n\n<li>Maintain owner whitelists and emergency bypass tokens for critical traffic.<\/li>\n\n\n\n<li>Provide clear client feedback headers (Retry\u2011After, X\u2011RateLimit\u2011Reset) and API docs about limits.<\/li>\n\n\n\n<li>Automate cooldown and auto\u2011unblock after verification windows to reduce manual toil.<\/li>\n\n\n\n<li>Periodically review and tune policies based on seasonal patterns (business hours, campaigns).<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Security &amp; compliance<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Keep audit trails of enforcement decisions and store them in tamper\u2011evident logs for investigations and compliance. Mask PII in logs and follow retention rules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Deployment &amp; scaling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scale horizontally: shard keyspace by hash (e.g., key \u2192 shard) and use consistent hashing for sticky routing.<\/li>\n\n\n\n<li>Use local caching for ultra\u2011low latency enforcement and eventual consistency to the central policy store.<\/li>\n\n\n\n<li>Provide high\u2011availability policy store (etcd\/consul) and replicate learning models across nodes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI examples<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted has-contrast-color has-text-color has-background has-link-color wp-elements-d18ef0791fa9d854163bbd5fd7d966c0\" style=\"background-color:#f6f9ff\"># Scan incoming logs and push counters to Rate Watcher\nratewatcherctl ingest --source \/var\/log\/gateway\/access.log --format nginx --policy-map \/etc\/ratewatcher\/policies.yaml\n\n# Evaluate a specific key against policies (dry-run)\nratewatcherctl eval --policy api_public_default --key \"api-key-123\" --window 1m --count 1500\n\n# Apply a temporary block on a client\nratewatcherctl action block --key \"bad-client-ip\" --duration 3600 --reason \"sustained flood\"\n<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Abil\u2019I.T. \u2014 Rate Watcher<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Contact: <a href=\"mailto:ops@abilit.eu\">ops@abilit.eu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A focused service for detecting abnormal request\/operation rates, enforcing rate limits and triggering automated or human responses. Designed to protect APIs, probes and critical endpoints from bursts, floods and slow\u2011burn anomalies. 
Core capabilities Quick facts Package: Rate Watcher v Modes: monitor, soft\u2011throttle, hard\u2011block Download:Get package How Rate Watcher works Rate Watcher ingests request events or [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"parent":1547,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1620","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/pages\/1620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/comments?post=1620"}],"version-history":[{"count":3,"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/pages\/1620\/revisions"}],"predecessor-version":[{"id":1650,"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/pages\/1620\/revisions\/1650"}],"up":[{"embeddable":true,"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/pages\/1547"}],"wp:attachment":[{"href":"https:\/\/abilit.eu\/index.php\/wp-json\/wp\/v2\/media?parent=1620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}