Maximilian Weber asked

Login rate limit

So one of our players has been... looking under the hood of our game and website and noticed that he was able to send 1250 login/email/pw requests to our PlayFab API endpoint without any rate limiting.
They were pretty much able to call it as many times as they wanted using any combination of email/pw, so this could be used for an attack on the PlayFab account system quite easily.

Those login calls show up in our API graphic as well, so... are there any countermeasures in place by PlayFab?

Tags: apis · Account Management · limits
1 comment

Maximilian Weber commented:

as seen here

unknown.png (20.6 KiB)

1 Answer

brendan answered

Yes, looking at your title, I do see the spike in unsuccessful calls to LoginWithEmailAddress. There actually is rate limiting; you just didn't hit it in this specific case. Rate limiting is per IP address, but it's also distributed per server. Generally speaking, this means that the rate limiting is sufficient to prevent performance issues. In this case, since they were all failed API calls, there's no effective impact to you. If you have a case where you have calls that are successful, I've provided additional info in this thread (https://community.playfab.com/questions/51780/preventing-account-botting-with-cloudscript.html) on tracking those individuals so that you can take appropriate action.

We do plan to update the rate limiting in the service as part of work we're doing to move the last components of the service still in AWS into Azure. The team is in the midst of planning for that work right now, so I don't have a specific date just yet.
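The answer above points out that the platform's own rate limiting is per IP address and tuned for service health rather than for catching a burst of failed logins against a single title. The example below is added here and is not PlayFab's code, nor the CloudScript logic linked in the answer: it is a generic per-IP sliding-window counter of failed login outcomes that a title's own backend could run in front of, or alongside, login calls to flag sources like the 1250-request burst described in the question. The window length, the failure threshold, the `FailedLoginTracker` class and the sample event records are all constructed for illustration.

```javascript
// Added example, not PlayFab's or the thread's code. Tracks failed login
// attempts per source IP over a sliding window and reports when a source
// crosses a threshold, so that a title backend can throttle or alert.
const WINDOW_MS = 60 * 1000;   // constructed: look back one minute
const MAX_FAILURES = 10;       // constructed threshold, not a PlayFab value

class FailedLoginTracker {
  constructor(windowMs = WINDOW_MS, maxFailures = MAX_FAILURES) {
    this.windowMs = windowMs;
    this.maxFailures = maxFailures;
    this.failuresByIp = new Map(); // ip -> array of failure timestamps (ms)
  }

  // Drop timestamps that fell out of the window so memory stays bounded,
  // and return the failures still counted for this IP.
  prune(ip, now) {
    const cutoff = now - this.windowMs;
    const kept = (this.failuresByIp.get(ip) || []).filter(t => t > cutoff);
    if (kept.length) this.failuresByIp.set(ip, kept);
    else this.failuresByIp.delete(ip);
    return kept;
  }

  // Record one login outcome for an IP at time `now` (ms).
  // Returns true when the IP is at or over the failure threshold.
  record(ip, success, now) {
    const kept = this.prune(ip, now);
    if (!success) {
      kept.push(now);
      this.failuresByIp.set(ip, kept);
    }
    return kept.length >= this.maxFailures;
  }

  // Ask whether an IP should currently be throttled, without recording anything.
  isThrottled(ip, now) {
    return this.prune(ip, now).length >= this.maxFailures;
  }
}

// Constructed sample login events (RFC 5737 documentation addresses):
// twelve failures from one IP within 30 seconds, and one failure followed
// by a success from another IP.
const SAMPLE_EVENTS = [];
for (let i = 0; i < 12; i++) {
  SAMPLE_EVENTS.push({ ip: "203.0.113.5", success: false, t: i * 2500 });
}
SAMPLE_EVENTS.push({ ip: "198.51.100.7", success: false, t: 1000 });
SAMPLE_EVENTS.push({ ip: "198.51.100.7", success: true, t: 5000 });

// Replay a list of events through a tracker and collect the IPs that were
// flagged at any point. Returns the flagged IPs and the tracker state.
function replay(events, tracker = new FailedLoginTracker()) {
  const flagged = new Set();
  for (const e of events) {
    if (tracker.record(e.ip, e.success, e.t)) flagged.add(e.ip);
  }
  return { flagged: [...flagged].sort(), tracker };
}

console.log("flagged sources:", replay(SAMPLE_EVENTS).flagged);
```

Only failures advance the counter, so a legitimate player who mistypes a password a couple of times is never flagged, while a source that cycles through many email/password combinations crosses the threshold after the tenth failure in the window. In a real deployment the same logic would be keyed on whatever client identifier the backend trusts (the source IP is the obvious one, but shared NATs can make it noisy), and the threshold and window would be tuned against the title's normal login failure rate.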
