How Bots Bypass Rate Limits in Real-World APIs
If you're relying on `rate_limit_per_ip` to keep your API safe, you're leaving the door wide open. Here's how attackers circumvent your limits and what you can do about it.
1. IP Rotation (Low and Slow)
The most common technique is a large pool of residential proxies. By rotating through thousands of IPs, a bot can hit your endpoint 100,000 times while each individual IP sends only 2-3 requests, staying well below any standard per-IP threshold.
2. Header Spoofing
Bots often spoof `X-Forwarded-For` or `CF-Connecting-IP` headers. If a poorly configured load balancer or application trusts these headers from any source, it ends up rate limiting the wrong IP, or worse, the load balancer's own internal IP.
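The defensive side of this: only honour `X-Forwarded-For` when the connection arrives from a proxy you control, and walk the header from the right so client-injected values are ignored. This is an added example, not code from the original post; the trusted-proxy range, the request addresses and the limiter thresholds are constructed assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed assumption: only our own load balancers (10.0.0.0/8)
# may legitimately append to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: str = "") -> str:
    """Resolve the real client IP for use as the rate-limit key.

    If the TCP peer is not a trusted proxy, the header is ignored
    entirely. Otherwise walk X-Forwarded-For right-to-left (closest hop
    first) and return the first address that is not one of our proxies;
    anything a client prepended on the left never reaches the key.
    """
    if not _is_trusted(remote_addr) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return remote_addr  # header held only our own proxies


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` hits in any `window_s`."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

Pair the key with the limiter: `limiter.allow(client_ip(peer, request_headers.get("X-Forwarded-For", "")))`, so a spoofed header from a direct client cannot shift the count onto another address.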
3. Distributed State Attacks
Attackers now coordinate across different providers. Some traffic comes from AWS (the "recon" bots), while the "attack" bots use residential networks. They spread the load so perfectly that your logs look like a spike in organic traffic.
Beyond the IP: Use Signal Multi-Tenancy
To stop these attacks, you need to look beyond the IP address. You need to analyze the **ASN Governance**, the **Connection Type**, and the **Behavioral Intent** of the request.
Sentinel tracks "Global Velocity" across our entire network. If an IP rotated out of an attack on one platform and hits your API 30 seconds later, we already know it's Untrusted.