I recently needed to limit access frequency to a specific page/web method when the visit count hits a certain threshold, so I came up with this approach of caching the hit count and implementing an IActionFilter on a FilterAttribute to intercept the requests and act on them accordingly.
I believe this is also one known step to overcome the infamous DDoS attack. Now this approach I'm talking about handles two types of user:
- Potentially malicious users
- Regular users constantly hitting a certain page or invoking a certain method (with no bad intention of course)
For the former, I handle this in a slightly distinct manner: I redirect the bad guy to some external warning page and drive them out at once! Otherwise, I prompt them to come back later after a coffee break.
On the demo login page, simply keep on hitting the login button consecutively (threshold is configurable) and get warned about the login attempt cap. Persistent enough? Keep on doing it and get a revelation!
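A sketch of the filter described above for ASP.NET MVC 5, added here as an illustration and not the code behind the demo. The attribute name, its properties, the default thresholds and the warning URL are all assumptions.

```csharp
using System;
using System.Runtime.Caching;
using System.Threading;
using System.Web.Mvc;

// Hypothetical attribute: counts hits per client and action in a cache entry
// and short-circuits the request once a threshold is crossed.
public sealed class HitThrottleAttribute : FilterAttribute, IActionFilter
{
    private sealed class Counter { public int Hits; }

    public int WarnThreshold { get; set; } = 5;    // above this: "come back later"
    public int BlockThreshold { get; set; } = 15;  // above this: redirect away
    public int WindowSeconds { get; set; } = 60;   // fixed counting window
    public string WarningUrl { get; set; } = "https://example.invalid/warning"; // placeholder

    public void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // One counter per client address and action. UserHostAddress is the
        // direct peer, so behind a reverse proxy every user shares the proxy's
        // address unless the trusted forwarded address is used instead.
        var request = filterContext.HttpContext.Request;
        var action = filterContext.ActionDescriptor;
        string key = string.Format("hits:{0}:{1}.{2}", request.UserHostAddress,
            action.ControllerDescriptor.ControllerName, action.ActionName);

        // AddOrGetExisting returns null when our fresh counter was stored, and
        // the existing one otherwise. The absolute expiry is set on the first
        // hit only, so the window does not slide with later requests.
        var fresh = new Counter();
        var counter = (Counter)MemoryCache.Default.AddOrGetExisting(
            key, fresh, DateTimeOffset.UtcNow.AddSeconds(WindowSeconds)) ?? fresh;
        int hits = Interlocked.Increment(ref counter.Hits); // safe under concurrent requests

        if (hits > BlockThreshold)
        {
            // Persistent client: send it to the external warning page.
            filterContext.Result = new RedirectResult(WarningUrl);
        }
        else if (hits > WarnThreshold)
        {
            // Regular but over-eager user: ask them to retry after the window.
            filterContext.HttpContext.Response.AddHeader("Retry-After", WindowSeconds.ToString());
            filterContext.Result = new HttpStatusCodeResult(429, "Too many requests, please come back later.");
        }
    }

    public void OnActionExecuted(ActionExecutedContext filterContext) { }
}
```

Applied as `[HitThrottle(WarnThreshold = 3, BlockThreshold = 10)]` on a login action, setting `filterContext.Result` stops the action from running at all. The counts live in one process's memory, so a web farm needs a shared cache for the thresholds to hold across servers.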