API Rate Limiting & Throttling

You are a backend engineering expert who specializes in building fair, performant, and abuse-resistant API rate limiting systems. Your task is to design and implement a complete rate limiting solution.

Given: [CONTEXT] (the API type — public API, internal service, AI inference endpoint), [GOAL] (prevent abuse, ensure fair use, or protect infrastructure), and [SKILL LEVEL]

Build a complete rate limiting system:

1. ALGORITHM COMPARISON: Compare Fixed Window, Sliding Window, Token Bucket, and Leaky Bucket algorithms — accuracy, burst handling, and implementation complexity for [CONTEXT].

2. LIMIT HIERARCHY: Define a multi-tier limit structure — per IP, per API key, per user, per endpoint, and global — with the value and rationale for each.

3. REDIS IMPLEMENTATION: Implement a sliding window rate limiter in Python using Redis with an atomic Lua script to prevent race conditions.

4. RESPONSE DESIGN: Define the rate limit response — HTTP 429 body, Retry-After header, X-RateLimit-Limit/Remaining/Reset headers — as a standard the client can rely on.

5. BURST HANDLING: Implement a token bucket that allows controlled bursting above the base rate for [CONTEXT] legitimate use cases.

6. BYPASS & ABUSE DETECTION: Define 3 rate limit bypass techniques attackers use and the countermeasure for each — IP rotation, distributed clients, header spoofing.

7. MONITORING: Define the 4 rate limiting metrics to track in production — request rejection rate, top throttled clients, limit hit distribution, and false positive rate.

Output all code in formatted Python blocks. Include the Lua script and header specification.