429 Too Many Requests (Bot Attack Examples + Detection Guide)
See real HTTP 429 Too Many Requests logs. Learn how to differentiate between normal traffic spikes and automated DDoS attacks instantly using server logs.
Log Signature Detected: If you're seeing "10.0.0.5 - - [21/Mar/2026:04:12:34 +0000] "GET /api/users HT..." in your logs, your server may be under a DDoS attack.
Real Log Example
10.0.0.5 - - [21/Mar/2026:04:12:34 +0000] "GET /api/users HTTP/1.1" 429 232 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Mar/2026:04:12:34 +0000] "GET /api/users HTTP/1.1" 429 232 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Mar/2026:04:12:35 +0000] "GET /api/users HTTP/1.1" 429 232 "-" "Mozilla/5.0"
What Is a DDoS?
Security analysts and DevOps teams monitoring infrastructure like Nginx, Apache HTTP Server, Node.js, AWS, and WordPress must be able to quickly identify and triage these malicious log patterns to prevent data breaches.
A 429 status code means the server is rejecting requests because too many are being sent in a short period.
This could be caused by legitimate traffic spikes or automated bots overwhelming your server.
If the requests come from a limited set of IPs, it may indicate a bot attack or a volumetric DDoS attempt, similar in intent to the traffic seen in WordPress XML-RPC DDoS amplification logs.
How to Detect 429 Too Many Requests Bot Attacks in Logs
IP Concentration: Analyze the source IPs generating the 429 errors. If 90% of the 429s come from a single IP or a small subnet, it is an attack or a rogue script.
Endpoint Targeting: Legitimate traffic spikes hit your homepage or main content. Attacks usually hammer a specific, resource-heavy endpoint like '/login' or '/api/search'.
User-Agent Consistency: Botnets often use identical, sometimes outdated User-Agent strings across thousands of requests.
DDoS Attack Detection Checklist
| Pattern | Indicator | Severity |
|---|---|---|
| Single IP generating 90%+ of 429s | Targeted application-layer DDoS | Critical |
| 429s on /login or /api/search | Resource exhaustion attack | High |
| Identical User-Agent across requests | Botnet activity detected | High |
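The three checks above, applied to the 429 responses in a Combined Log Format access log, as an added example that is not code from the original page. The 90% IP share is the page's figure; the 0.80 share used for the endpoint and User-Agent checks, the 20-event minimum, the `HEAVY_ENDPOINTS` set and all function names are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Combined Log Format, matching the sample lines on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumption: the set of resource-heavy endpoints; the page names these two.
HEAVY_ENDPOINTS = {"/login", "/api/search"}

def top_share(counter):
    """Most common key and its share of all counted events (counter non-empty)."""
    key, count = counter.most_common(1)[0]
    return key, count / sum(counter.values())

# The 0.90 IP share is the page's figure; 0.80 and min_events are assumptions.
def triage_429(lines, ip_share_min=0.90, other_share_min=0.80, min_events=20):
    ips, paths, agents = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "429":
            continue  # ignore malformed lines and non-429 responses
        ips[m["ip"]] += 1
        paths[m["path"].split("?", 1)[0]] += 1  # drop the query string
        agents[m["ua"]] += 1
    total = sum(ips.values())
    report = {"total_429": total, "findings": []}
    if total < max(min_events, 1):
        return report  # too few 429s for the shares to mean anything
    (ip, ip_s), (path, path_s), (ua, ua_s) = map(top_share, (ips, paths, agents))
    report.update(top_ip=ip, top_path=path, top_ua=ua)
    if ip_s >= ip_share_min:
        report["findings"].append("ip_concentration")
    if path in HEAVY_ENDPOINTS and path_s >= other_share_min:
        report["findings"].append("endpoint_targeting")
    if ua_s >= other_share_min:
        report["findings"].append("user_agent_consistency")
    return report

def sample_log():
    """Constructed sample: one noisy client, five unrelated 429s, one 200."""
    fmt = '{} - - [21/Mar/2026:04:12:{:02d} +0000] "GET {} HTTP/1.1" {} 232 "-" "{}"'
    lines = [fmt.format("10.0.0.5", i % 60, "/api/search?q=a", 429, "Mozilla/5.0")
             for i in range(95)]
    lines += [fmt.format(f"203.0.113.{i}", i, "/", 429, f"Browser/{i}") for i in range(1, 6)]
    lines.append(fmt.format("203.0.113.9", 1, "/login", 200, "Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    print(triage_429(sample_log()))
```

The minimum-event guard keeps a handful of 429s, such as the three sample lines on this page, from being reported as 100% concentration on one IP.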
How to Defend Against This Threat
Implement rate limiting at the server or CDN level.
Use services like Cloudflare to filter bot traffic.
Block suspicious IP addresses.