Systems, methods, and software for operating a content delivery node to monitor requests for content transferred by at least an end user device to detect when the requests comprise an attack on the content delivery node. Responsive to detecting the attack on the content delivery node, the content delivery node establishes a rate limit in the content delivery node on at least the requests for the content associated with the end user device, and transfers an indication of the attack comprising the rate limit for delivery to another content delivery node that directs the other content delivery node to apply the rate limit to further requests for the content before the further requests are received by the other content delivery node.