If you are self hosting, use a WAF, CDN or firewall to rate limit access to FusionAuth.

If you are using FusionAuth Cloud, we have protection in place to ensure customers don’t get DDoSed; additionally, all customer servers are monitored for responsiveness and availability.

If you need more rate limiting options, we're working on it: https://github.com/FusionAuth/fusionauth-issues/issues/905