2026-06-04 · 6 min read
Low-and-Slow Attacks: The Abuse Pattern That Rate Limiting Misses
How distributed low-volume attacks evade rate limiting and what behavioral signals expose them.
The rate-limiting blind spot
Rate limiting works by counting requests from an identity within a time window. Low-and-slow attacks are designed around this: by distributing requests across a large IP pool and spacing them over time, the attack stays permanently below any reasonable per-IP threshold.
A credential stuffing campaign using 50,000 IP addresses and testing one credential pair per IP per hour produces zero rate-limit triggers while testing 1.2 million credential pairs per day (50,000 IPs × 24 attempts each).
Behavioral signals that persist across IPs
Individual requests in a low-and-slow attack still carry signals that rate limiting ignores. The request composition — header set, user-agent pattern, session behavior, navigation path — tends to be consistent across all requests in the campaign regardless of which IP they arrive from.
These per-request signals are independent of volume. They are present on the first probe and the ten-thousandth. A trust evaluation that reads request context rather than request count can detect the pattern that rate limiting cannot.
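The contrast between counting and composition can be shown on constructed traffic. The following Python is an added example, not code from the original post or from any product it describes: it runs a per-IP sliding-window rate limiter over a synthetic mix of ordinary users and a 200-IP, one-request-per-IP campaign, then groups the same requests by a header-composition fingerprint. The record layout, the fingerprint inputs and the thresholds are assumptions chosen for the illustration.

```python
import hashlib
from collections import defaultdict, deque


def build_sample_traffic():
    """Constructed sample traffic (not from any real system).

    Each record is (timestamp_s, ip, path, user_agent, header_names_in_order, accept_language).
    """
    traffic = []
    # Ten legitimate users on three browser profiles, five /login requests each, 40 s apart.
    legit_profiles = [
        ("Mozilla/5.0 (Windows NT 10.0) Chrome/124",
         ("host", "accept", "accept-language", "cookie", "user-agent"), "en-US"),
        ("Mozilla/5.0 (Macintosh) Safari/17",
         ("host", "user-agent", "accept", "accept-language", "cookie"), "en-GB"),
        ("Mozilla/5.0 (X11; Linux) Firefox/125",
         ("host", "user-agent", "accept-language", "accept", "cookie"), "de-DE"),
    ]
    for i in range(10):
        ua, hdrs, lang = legit_profiles[i % 3]
        for k in range(5):
            traffic.append((i * 7 + k * 40, f"198.51.100.{i}", "/login", ua, hdrs, lang))
    # Low-and-slow campaign: 200 distinct IPs, one /login attempt each, spread over an
    # hour. Every request is produced by the same tool, so its composition is identical.
    tool_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/110"
    tool_hdrs = ("host", "user-agent", "accept", "content-type")
    for j in range(200):
        traffic.append((j * 18, f"203.0.113.{j}", "/login", tool_ua, tool_hdrs, ""))
    return traffic


def per_ip_rate_limit_triggers(traffic, limit, window_s):
    """Sliding-window limiter: return the set of IPs that ever exceeded `limit` in `window_s`."""
    windows = defaultdict(deque)
    triggered = set()
    for ts, ip, *_ in sorted(traffic, key=lambda r: r[0]):
        q = windows[ip]
        while q and ts - q[0] >= window_s:
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            triggered.add(ip)
    return triggered


def request_fingerprint(req):
    """Composition fingerprint: user-agent, header order and language, ignoring the IP."""
    _, _, _, ua, hdrs, lang = req
    material = "|".join([ua, ",".join(hdrs), lang])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def fingerprint_stats(traffic):
    """Per fingerprint: (number of distinct source IPs, mean requests per IP)."""
    ips = defaultdict(set)
    counts = defaultdict(int)
    for req in traffic:
        fp = request_fingerprint(req)
        ips[fp].add(req[1])
        counts[fp] += 1
    return {fp: (len(ips[fp]), counts[fp] / len(ips[fp])) for fp in ips}


def flag_distributed_fingerprints(traffic, min_distinct_ips, max_reqs_per_ip):
    """One composition arriving from many IPs that each send almost nothing is the
    campaign shape the per-IP counter cannot see."""
    return {fp: stats for fp, stats in fingerprint_stats(traffic).items()
            if stats[0] >= min_distinct_ips and stats[1] <= max_reqs_per_ip}


if __name__ == "__main__":
    sample = build_sample_traffic()
    print("rate-limit triggers:", per_ip_rate_limit_triggers(sample, limit=10, window_s=60))
    print("flagged fingerprints:", flag_distributed_fingerprints(sample, 50, 1.5))
```

On this input the limiter of 10 requests per minute fires for nobody, while the tool's fingerprint shows 200 source IPs at exactly one request each; the three browser profiles show a handful of IPs at five requests each. The thresholds are relative: a popular browser build legitimately shares one fingerprint across many IPs, so the distinct-IP count only means something against the endpoint's own baseline and combined with the requests-per-IP ratio.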
Aggregate signals and campaign detection
Individual request signals catch individual bad requests. Campaign-level signals — sudden changes in the distribution of request characteristics arriving at a specific endpoint — catch coordinated attacks that any single request might pass.
Combining per-request trust evaluation with endpoint-level anomaly monitoring provides coverage across both dimensions: individual requests that look suspicious and aggregate patterns that indicate a coordinated campaign.
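The endpoint-level side can be made concrete with a distribution comparison. The Python below is an added example, not the original post's code: it builds a baseline histogram of composition classes seen at one endpoint, compares a current window against it with total variation distance, flags categories that did not exist in the baseline, and then combines the endpoint alert with a per-request suspicion score. The events, class names, distance threshold and minimum sample size are constructed assumptions.

```python
from collections import Counter


def build_sample_events():
    """Constructed /login traffic for one endpoint: (timestamp_s, fingerprint_class).

    Baseline hour: an ordinary browser mix. Following ten minutes: the same mix plus
    a block of requests from one tool fingerprint, spread thinly across many IPs.
    """
    events = []
    mix = ["fp_chrome_win"] * 6 + ["fp_safari_mac"] * 3 + ["fp_firefox_linux"] * 1
    for i in range(1000):                       # baseline: t in [0, 3600)
        events.append((i * 3.6, mix[i % 10]))
    for i in range(100):                        # current window: t in [3600, 4200)
        events.append((3600 + i * 6.0, mix[i % 10]))
    for i in range(100):                        # campaign requests in the same window
        events.append((3600 + i * 6.0 + 3.0, "fp_tool"))
    return events


def histogram(events, t_start, t_end):
    """Count composition classes for events with t_start <= ts < t_end."""
    return Counter(cat for ts, cat in events if t_start <= ts < t_end)


def normalize(counts):
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def total_variation(p, q):
    """Half the L1 distance between two distributions; 0 = identical, 1 = disjoint."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def endpoint_anomaly(baseline_counts, window_counts, tvd_threshold=0.2,
                     new_share_threshold=0.1, min_window_requests=50):
    """Compare the current window's class mix against the endpoint baseline.

    A window with too few requests is reported but never alerts: distance on a tiny
    sample is noise, and alerting on it would be its own false-positive source.
    """
    total = sum(window_counts.values())
    p, q = normalize(baseline_counts), normalize(window_counts)
    tvd = total_variation(p, q)
    new_categories = {k: q[k] for k in q if k not in p and q[k] >= new_share_threshold}
    enough = total >= min_window_requests
    return {
        "window_requests": total,
        "tvd": round(tvd, 4),
        "new_categories": new_categories,
        "alert": enough and (tvd >= tvd_threshold or bool(new_categories)),
    }


def disposition(request_suspicion, endpoint_alert):
    """Combine the two dimensions: a suspicious request is challenged on its own, and
    while the endpoint is under an anomaly alert the bar for challenging drops."""
    threshold = 0.4 if endpoint_alert else 0.7
    return "challenge" if request_suspicion >= threshold else "allow"


if __name__ == "__main__":
    ev = build_sample_events()
    base, win = histogram(ev, 0, 3600), histogram(ev, 3600, 4200)
    result = endpoint_anomaly(base, win)
    print(result)
    print(disposition(0.5, result["alert"]))
```

In the constructed data the baseline is 60/30/10 percent across three browser classes; the current window keeps that mix but adds a tool class at half of all traffic, giving a total variation distance of 0.5 and a previously unseen category, so the endpoint alerts. A per-request suspicion of 0.5 is allowed under normal conditions but challenged while the alert is active, which is the combination the text describes: neither the single request nor the endpoint histogram alone carries the decision.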