Predict cost of distributed counters at your scale
Replace measurement with intuition
End-of-lesson check
15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-ai-coding-AI-rate-limit-design-review-creators
1. What is the primary value of using an LLM when choosing a rate limiting algorithm for an API?
   a) To automatically deploy the rate limiter to production
   b) To replace the need for defining abuse patterns
   c) To act as a sounding board that summarizes algorithm tradeoffs
   d) To generate synthetic attack traffic for testing

2. Which rate limiting algorithm uses a bucket that refills at a constant rate and allows tokens to accumulate up to a maximum capacity?
   a) Fixed-window counter
   b) Token bucket
   c) Leaky bucket
   d) Sliding-window counter

3. In token-bucket rate limiting, what happens when a request arrives and the bucket contains enough tokens to fulfill it?
   a) The bucket overflows and extra tokens are lost
   b) The request is queued until the next window
   c) The request is always denied to preserve tokens
   d) Tokens equal to the request cost are consumed and the request is allowed

4. Which rate limiting algorithm provides the strongest fairness guarantee by tracking the exact timestamp of every request within the window?
   a) Sliding-window log
   b) Sliding-window counter
   c) Token bucket
   d) Fixed-window counter

5. What is the primary memory disadvantage of the sliding-window log compared to other rate limiting approaches?
   a) It requires a database connection
   b) It cannot be distributed across servers
   c) Memory usage grows linearly with the number of requests in the window
   d) It requires storing every HTTP header

6. A rate limiter keyed only by IP address would fail to protect against which attack pattern?
   a) DNS amplification attacks
   b) A single user sending thousands of requests per second
   c) SQL injection attempts
   d) A distributed botnet where each node stays under the per-IP limit

7. In rate limiting terminology, what does "thundering herd" refer to?
   a) When many requests are released simultaneously after a rate limit resets
   b) When a single IP generates excessive traffic
   c) When rate limiting causes legitimate users to retry
   d) When attackers use stolen credentials

8. What aspect of your specific system can an LLM NOT determine for your rate limiting design?
   a) Common failure modes like burst penalty
   b) Tradeoffs between token-bucket and sliding-window algorithms
   c) The actual attack patterns your system will face
   d) The mathematical properties of different algorithms

9. Which rate limiting algorithm would be most appropriate for an API that needs to allow occasional bursts while enforcing a strict average rate over time?
   a) Fixed-window counter
   b) Sliding-window counter
   c) Token bucket
   d) Strict leaky bucket

10. What is "burst penalty" in the context of rate limiting algorithms?
   a) When sustained traffic depletes accumulated tokens or credits, causing delays for subsequent requests
   b) A penalty applied to users who exceed the limit
   c) A bonus rate increase for new users
   d) The initial surge of traffic when a service launches

11. When an LLM recommends keying rate limits on multiple dimensions (e.g., user ID plus IP address), what problem is it trying to mitigate?
   a) Token bucket overflow
   b) False negatives where attackers stay under each individual dimension's limit
   c) Latency in rate limit checks
   d) Memory exhaustion

12. In a sliding-window counter algorithm, how is the count calculated when the window slides forward?
   a) The count is divided equally among all intervals
   b) The oldest time interval's count is subtracted and the newest interval's count is added
   c) All counters are cleared and started fresh
   d) The count is multiplied by the window size

13. What must be done to validate a rate limiting design before deploying to production?
   a) Get verbal approval from the team lead
   b) Run traffic samples and load testing
   c) Deploy to a small percentage of users
   d) Write documentation for users

14. Which algorithm strictly enforces a constant output rate regardless of input patterns?
   a) Token bucket
   b) Leaky bucket
   c) Sliding-window log
   d) Sliding-window counter

15. An LLM can surface which of the following when reviewing rate limiting designs?
   a) The precise number of users your API will have
   b) Your exact monthly cloud costs for implementation
   c) Failure modes like thundering herd and burst penalty
   d) The exact attack traffic you will receive next month