Possible/partial duplicates:
- What’s a good rate limiting algorithm?
- Throttling method calls to M requests in N seconds
- Best way to implement request throttling in ASP.NET MVC?
I am looking for the best way to implement a moving time window rate limiting algorithm for a web application to reduce spam or brute force attacks.
Examples of use would be “Maximum number of failed login attempts from a given IP in the last 5 minutes”, “Maximum number of (posts/votes/etc…) in the last N minutes”.
I would prefer to use a moving time window algorithm, rather than a hard reset of statistics every X minutes (like twitter api).
This would be for a C#/ASP.Net app.
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
We found out Token Bucket is better algorithm for this kind of rate-limiting. It’s widely used in routers/switches so our operation folks are more familiar with the concept.
Method 2
Just to add a more ‘modern’ answer to this problem: For .NET WebAPI, WebApiThrottle is excellent and probably does everything you want out of the box.
It’s also available on NuGet.
Implementation takes only a minute or so and it’s highly customisable:
config.MessageHandlers.Add(new ThrottlingHandler()
{
Policy = new ThrottlePolicy(perSecond: 1, perMinute: 30, perHour: 500, perDay:2000)
{
IpThrottling = true,
ClientThrottling = true,
EndpointThrottling = true
},
Repository = new CacheRepository()
});
Method 3
Use a fast memory-based hashtable like memcached. The keys will be the target you are limiting (e.g. an IP) and the expiration of each stored value should be the maximum limitation time.
The values stored for each key will contain a serialized list of the last N attempts they made at performing the action, along with the time for each attempt.
Method 4
I just added the answer to the question Block API requests for 5 mins if API rate limit exceeds.
I used HttpRuntime.Cache to allow only 60 requests per minute. Exceeding the limit will block the API for next 5 minutes.
Method 5
You find this page to be an interesting read:
http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx
The section to look out for starts as follows:
Prevent Denial of Service (DOS) Attack
Web services are the most attractive target for hackers because even a pre-school hacker can bring down a server by repeatedly calling a Web service which does expensive work.
EDIT: Similar question here:
Best way to implement request throttling in ASP.NET MVC?
Method 6
I have been working on a new redis-based rate-limiting approach: http://blog.jnbrymn.com/2021/03/18/estimated-average-recent-request-rate-limiter.html
It is simpler than many other approaches that I’ve seen in that it doesn’t require you to constantly create new redis keys (e.g. instead of one per user per minute window, it’s just one per user). It has some nice properties regarding “forgetfulness and forgiveness” so that, for example, abusive users can’t reoffend in the next minute window. It also has a nice interpretation as the state of the rate-limiter corresponds to an estimate of the user’s recent request rate.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0