What is the best way to implement a rate-limiting algorithm for web requests?

Possible/partial duplicates:

  • What’s a good rate limiting algorithm?
  • Throttling method calls to M requests in N seconds
  • Best way to implement request throttling in ASP.NET MVC?

I am looking for the best way to implement a moving time window rate limiting algorithm for a web application to reduce spam or brute force attacks.

Examples of use would be "Maximum number of failed login attempts from a given IP in the last 5 minutes", "Maximum number of (posts/votes/etc...) in the last N minutes".

I would prefer to use a moving time window algorithm, rather than a hard reset of statistics every X minutes (like twitter api).

This would be for a C#/ASP.Net app.

Lamar Avatar asked Sep 20 '09 03:09




2 Answers

We found out Token Bucket is a better algorithm for this kind of rate-limiting. It's widely used in routers/switches so our operation folks are more familiar with the concept.

ZZ Coder Avatar answered Sep 17 '22 23:09

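The token bucket the answer above recommends, written out as an added C# example (this is not the answerer's code, and the class names, the per-key in-process dictionary and the injected clock are my assumptions). Each key (here a client IP) gets a bucket that holds at most `capacity` tokens and refills continuously at `refillPerSecond`; a request consumes a token and is throttled when none is left. The bucket is refilled lazily on each call, so nothing runs on a timer.

```csharp
using System;
using System.Collections.Concurrent;

// Added example, not code from the answer: a per-key token bucket limiter.
// The in-process ConcurrentDictionary is an assumption; a multi-server deployment
// would keep the bucket state in a shared store instead.
public sealed class TokenBucketLimiter
{
    private sealed class Bucket
    {
        public double Tokens;
        public DateTime LastRefill;
    }

    private readonly double _capacity;        // burst size: the most tokens a bucket can hold
    private readonly double _refillPerSecond; // sustained rate once the burst is spent
    private readonly Func<DateTime> _clock;   // injectable clock so behaviour is deterministic
    private readonly ConcurrentDictionary<string, Bucket> _buckets =
        new ConcurrentDictionary<string, Bucket>();

    public TokenBucketLimiter(double capacity, double refillPerSecond, Func<DateTime> clock = null)
    {
        _capacity = capacity;
        _refillPerSecond = refillPerSecond;
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    // Returns true when a token was available and consumed, false when the key is throttled.
    public bool TryAcquire(string key, double cost = 1.0)
    {
        var now = _clock();
        // A new key starts with a full bucket, so a first-time client can burst up to capacity.
        var bucket = _buckets.GetOrAdd(key, _ => new Bucket { Tokens = _capacity, LastRefill = now });
        lock (bucket)
        {
            // Refill in proportion to elapsed time, capped at capacity.
            // A non-positive elapsed time (clock skew) adds nothing rather than draining the bucket.
            var elapsed = (now - bucket.LastRefill).TotalSeconds;
            if (elapsed > 0)
            {
                bucket.Tokens = Math.Min(_capacity, bucket.Tokens + elapsed * _refillPerSecond);
                bucket.LastRefill = now;
            }
            if (bucket.Tokens >= cost)
            {
                bucket.Tokens -= cost;
                return true;
            }
            return false;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed scenario: a simulated clock that the demo advances by hand.
        var now = new DateTime(2009, 9, 20, 3, 9, 0, DateTimeKind.Utc);
        // Policy (constructed): a burst of 5 attempts, then one more every 60 seconds.
        var limiter = new TokenBucketLimiter(5, 1.0 / 60, () => now);
        var ip = "203.0.113.10"; // documentation-range address, constructed for the demo

        for (int i = 1; i <= 6; i++)
            Console.WriteLine($"attempt {i}: {(limiter.TryAcquire("failed-login:" + ip) ? "allowed" : "throttled")}");

        now = now.AddMinutes(1); // one refill interval later
        Console.WriteLine($"after 1 minute: {(limiter.TryAcquire("failed-login:" + ip) ? "allowed" : "throttled")}");
    }
}
```

The two parameters map onto the two things a policy usually wants to say: `capacity` bounds how many attempts can arrive back-to-back, and `refillPerSecond` bounds the long-run average. Note that the bucket holds its full capacity from the first call, which is what you want for ordinary users but means a brand-new key always gets its burst; tighten `capacity` (or start new buckets partially filled) if that burst is itself the risk, as it is for password guessing.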


Use a fast memory-based hashtable like memcached. The keys will be the target you are limiting (e.g. an IP) and the expiration of each stored value should be the maximum limitation time.

The values stored for each key will contain a serialized list of the last N attempts they made at performing the action, along with the time for each attempt.

Fragsworth Avatar answered Sep 17 '22 23:09

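The moving-window limiter the question asks for, in the shape the answer above describes (a cache entry per limited key holding the timestamps of the last N attempts, expiring after the window length), as an added C# example. This is not the answerer's code: `ICacheStore` stands in for memcached, `InMemoryStore` is a constructed substitute so the example runs without a cache server, and the key prefix, window and limit are assumed policy values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not code from the answer. ICacheStore is the minimal surface the
// limiter needs from memcached (get, set-with-TTL); InMemoryStore emulates it.
public interface ICacheStore
{
    List<DateTime> Get(string key);                          // null when absent or expired
    void Set(string key, List<DateTime> value, TimeSpan ttl);
}

public sealed class InMemoryStore : ICacheStore
{
    private readonly Dictionary<string, (List<DateTime> Value, DateTime Expires)> _data =
        new Dictionary<string, (List<DateTime>, DateTime)>();
    private readonly Func<DateTime> _clock;

    public InMemoryStore(Func<DateTime> clock) { _clock = clock; }

    public List<DateTime> Get(string key)
    {
        // Memcached simply stops returning an expired entry; emulate that on read.
        if (_data.TryGetValue(key, out var entry) && entry.Expires > _clock())
            return entry.Value;
        _data.Remove(key);
        return null;
    }

    public void Set(string key, List<DateTime> value, TimeSpan ttl) =>
        _data[key] = (value, _clock() + ttl);
}

public sealed class SlidingWindowLimiter
{
    private readonly ICacheStore _store;
    private readonly int _maxAttempts;
    private readonly TimeSpan _window;
    private readonly Func<DateTime> _clock;

    public SlidingWindowLimiter(ICacheStore store, int maxAttempts, TimeSpan window, Func<DateTime> clock)
    {
        _store = store;
        _maxAttempts = maxAttempts;
        _window = window;
        _clock = clock;
    }

    // Records one attempt for the key and returns false when the key has now exceeded
    // maxAttempts inside the moving window. Call it for each counted event (e.g. a failed
    // login), keyed by the attribute you limit on (e.g. the client IP).
    public bool RecordAndCheck(string key)
    {
        var now = _clock();
        var cutoff = now - _window;

        // Drop attempts that have slid out of the window, then append this one.
        var attempts = (_store.Get(key) ?? new List<DateTime>())
            .Where(t => t > cutoff)
            .ToList();
        attempts.Add(now);

        // Keep at most maxAttempts + 1 entries so a flood cannot grow the cached value
        // without bound; the oldest entries are the ones that no longer matter.
        if (attempts.Count > _maxAttempts + 1)
            attempts.RemoveRange(0, attempts.Count - (_maxAttempts + 1));

        // TTL equals the window: once nothing in the list can still count, the entry may vanish.
        _store.Set(key, attempts, _window);
        return attempts.Count <= _maxAttempts;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed scenario: "at most 5 failed logins from one IP in the last 5 minutes".
        var now = new DateTime(2009, 9, 20, 3, 9, 0, DateTimeKind.Utc);
        Func<DateTime> clock = () => now;
        var limiter = new SlidingWindowLimiter(new InMemoryStore(clock), 5, TimeSpan.FromMinutes(5), clock);
        var key = "failed-login:203.0.113.10"; // documentation-range address, constructed

        for (int i = 1; i <= 6; i++)
        {
            Console.WriteLine($"failed attempt {i} at {now:HH:mm:ss}: {(limiter.RecordAndCheck(key) ? "within limit" : "blocked")}");
            now = now.AddSeconds(30); // attempts half a minute apart
        }

        now = now.AddMinutes(5); // the whole window slides past the earlier attempts
        Console.WriteLine($"attempt after the window at {now:HH:mm:ss}: {(limiter.RecordAndCheck(key) ? "within limit" : "blocked")}");
    }
}
```

One caveat worth keeping in mind with the memcached version: `Get` followed by `Set` is a read-modify-write, so two requests for the same key arriving at once can both read the old list and one of them is lost, letting a concurrent burst slip slightly over the limit. If that margin matters (it usually does for login throttling), use memcached's `cas` (gets/cas) to retry on a changed token, or serialize writes for a key behind a lock on a single node.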