Yes, Ory Kratos provides protection against brute-force attacks by rate limiting requests to API public endpoints, such as login and registration endpoints. This is part of the platform's security infrastructure when using Ory Network. However, if you're self-hosting the Ory Kratos Identity Server, it's the responsibility of the administrator to implement and manage rate limiting or other measures to ensure the security of the network. If you need help with this task, you can reach out to [Ory Support](https://www.ory.sh/support/). If you're using the Ory Client SDK and receiving a 429 "Too Many Requests" error, it's likely that your application is hitting these rate limits. You may need to adjust your stress testing strategy to avoid hitting these limits, or if you're self-hosting, you may need to adjust the rate limiting settings on your Ory Kratos Identity Server. For more information, you can refer to the [Ory Kratos Security Documentation](https://www.ory.sh/docs/kratos/concepts/security).

The extracts provided do not specify the exact mechanism of how rate limiting works in Ory Network. However, it is mentioned that Ory Network provides protection against brute-force attacks by rate limiting requests to API public endpoints. In addition, Ory Network also combats bot and other automated attacks with bot detection and suspicious IP throttling. This is done by leveraging the Cloudflare Web Application Firewall (WAF) and Cloudflare Bot Management services. While it's not explicitly stated, it's reasonable to infer that the rate limiting could be based on IP, especially given the mention of "suspicious IP throttling". However, for a definitive answer, you may want to reach out to [Ory Support](https://www.ory.sh/support/). For more information, you can refer to the [Ory Kratos Security Documentation](https://www.ory.sh/docs/kratos/concepts/security).