What is a Rate limiter?

A rate limiter is a mechanism that caps how many requests a given user, client, or IP address may send to a service within a period of time. Requests over the cap are rejected (typically with HTTP 429 Too Many Requests), queued, or delayed instead of being processed.

Why do we need Rate limiter?

To keep a service from being overwhelmed. Capping the traffic any single client can send limits the damage from denial-of-service floods, brute-force login attempts, scraping and runaway clients, and keeps capacity available for legitimate users. Rate limiting is one layer of that defence rather than the whole of it: a large volumetric DDoS can saturate the network before the application's limiter ever sees a request, so it also needs upstream mitigation.

What is DDoS attack?

DDoS stands for Distributed Denial-of-Service. It is a type of cyber attack that targets a server, service or network and floods it with excessive traffic from many sources at once, overwhelming its resources and making it unavailable to legitimate users.

Rate Limiter algorithms:

Token bucket:

In this algorithm, picture a bucket that holds up to a fixed capacity of tokens. Tokens are added to the bucket at a constant rate (say, ten per second); once the bucket is full, further tokens are discarded. Each incoming request removes one token and is processed. If the bucket is empty when a request arrives, the request is dropped (or rejected with an error) and not processed further. Because a full bucket can be emptied all at once, the algorithm allows a burst of up to the bucket's capacity while enforcing an average rate equal to the refill rate.
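The following is an added example, not code from the original post: a token bucket with lazy refill (tokens are credited for the time elapsed since the last request rather than by a background timer), wrapped in a per-client map so it runs server-side with one bucket per client key. The capacity of 5, refill rate of 1 token per second, the client keys 10.0.0.1 and 10.0.0.2 and the traffic pattern are all constructed for the simulation; the injectable clock exists only to make the run deterministic.

```python
import time
from typing import Callable, Dict


class TokenBucket:
    """Token bucket: at most `capacity` tokens, refilled continuously at
    `refill_rate` tokens per second. Each request consumes one token; a
    request that finds the bucket empty is rejected."""

    def __init__(self, capacity: float, refill_rate: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.clock = clock
        self.tokens = self.capacity      # start full: a new client may burst once
        self.last = clock()

    def _refill(self) -> None:
        # Lazy refill: credit the tokens earned since the last call, capped at capacity.
        now = self.clock()
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now

    def allow(self, cost: float = 1.0) -> bool:
        self._refill()
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerClientLimiter:
    """Server-side limiter keyed by client identity: one bucket per key
    (an authenticated user id, or the peer IP when nothing better exists)."""

    def __init__(self, capacity: float, refill_rate: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity, self.refill_rate, self.clock = capacity, refill_rate, clock
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, key: str) -> bool:
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_rate, self.clock)
            self.buckets[key] = bucket
        return bucket.allow()


class FakeClock:
    """Controllable clock so the simulation below is deterministic."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_token_bucket(capacity: int = 5, refill_rate: float = 1.0) -> dict:
    """Constructed traffic: 8 requests at once from 10.0.0.1, one from
    10.0.0.2, then 3 more from 10.0.0.1 two seconds later."""
    clock = FakeClock()
    limiter = PerClientLimiter(capacity, refill_rate, clock)
    burst = [limiter.allow("10.0.0.1") for _ in range(8)]   # 5 allowed, 3 rejected
    other = limiter.allow("10.0.0.2")                       # own bucket: allowed
    clock.advance(2.0)                                      # 2 tokens refilled at 1/s
    later = [limiter.allow("10.0.0.1") for _ in range(3)]   # 2 allowed, 1 rejected
    return {"burst_allowed": sum(burst), "other_allowed": other,
            "after_2s_allowed": sum(later)}


if __name__ == "__main__":
    print(simulate_token_bucket())
```

The burst of 8 drains the full bucket in the same instant, which is the behaviour that distinguishes the token bucket from the leaky bucket; afterwards the client is held to the refill rate. In a real deployment the per-key map needs eviction of idle keys, and the bucket state would live in a shared store when more than one server instance enforces the limit.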

Leaky bucket

In this algorithm, picture a bucket with a hole in the bottom. Incoming requests are poured into the bucket, which is a queue of fixed capacity, and leak out through the hole, i.e. are processed, at a constant rate. If a request arrives when the bucket is already full, it overflows and is dropped. Because the leak rate is constant, requests are served at a steady rate no matter how they arrive; unlike the token bucket algorithm this does not allow a burst of requests to be served, at the cost of queueing latency for requests waiting in the bucket.
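The following is an added example, not code from the original post: a leaky bucket implemented as a bounded queue that is drained at a constant rate whenever the clock is consulted. The capacity of 5, the leak rate of 2 requests per second and the burst of 10 requests at time 0 are constructed for the simulation; the request names req0 to req9 are placeholders.

```python
from collections import deque
from typing import Deque, List, Tuple


class LeakyBucket:
    """Leaky bucket as a queue: requests wait in a bucket of fixed capacity and
    are drained (served) at a constant `leak_rate` per second, whatever their
    arrival pattern. A request arriving at a full bucket is dropped."""

    def __init__(self, capacity: int, leak_rate: float):
        self.capacity = capacity
        self.leak_rate = leak_rate
        self.queue: Deque[str] = deque()
        self.last_leak = 0.0                       # time up to which leaks are accounted
        self.dropped: List[str] = []
        self.served: List[Tuple[str, float]] = []  # (request, time it was served)

    def _leak(self, now: float) -> int:
        """Drain as many queued requests as the constant rate allows since the
        last leak; returns how many were served by this call."""
        n = int((now - self.last_leak) * self.leak_rate)
        if n <= 0:
            return 0
        served_now = 0
        for i in range(min(n, len(self.queue))):
            # the i-th drain happens exactly 1/leak_rate after the previous one
            self.served.append((self.queue.popleft(), self.last_leak + (i + 1) / self.leak_rate))
            served_now += 1
        self.last_leak += n / self.leak_rate
        return served_now

    def submit(self, request: str, now: float) -> bool:
        """Admit a request into the bucket, or drop it if the bucket is full."""
        self._leak(now)
        if len(self.queue) >= self.capacity:
            self.dropped.append(request)
            return False
        self.queue.append(request)
        return True

    def tick(self, now: float) -> int:
        """Advance time without a new arrival (e.g. a worker polling the queue)."""
        return self._leak(now)


def simulate_leaky_bucket(capacity: int = 5, leak_rate: float = 2.0) -> dict:
    """Constructed traffic: 10 requests arrive at once at t=0, then the
    worker polls the bucket at t=1, 2 and 3 seconds."""
    bucket = LeakyBucket(capacity, leak_rate)
    accepted = [bucket.submit(f"req{i}", now=0.0) for i in range(10)]
    per_tick = [bucket.tick(float(t)) for t in (1, 2, 3)]
    return {
        "accepted": sum(accepted),                       # 5 fit in the bucket
        "dropped": len(bucket.dropped),                  # 5 overflowed
        "served_per_tick": per_tick,                     # [2, 2, 1]: never more than leak_rate per second
        "served_at": [t for _, t in bucket.served],      # evenly spaced 1/leak_rate apart
    }


if __name__ == "__main__":
    print(simulate_leaky_bucket())
```

The served timestamps come out 0.5 s apart regardless of the 10 simultaneous arrivals, which is the smoothing property; the price is that req4 is not served until 2.5 s after it arrived, and half the burst was lost outright.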

Fixed window counter

In this algorithm, time is divided into fixed windows (for example, five minutes each) and each window has a counter with a fixed limit. When a request comes in, the counter for the current window is checked: if it is below the limit, the counter is incremented and the request is served, otherwise the request is dropped. The major drawback is the window boundary. Suppose the limit is, say, 100 requests per window and one window runs from 12:00 to 12:05: a client can send 100 requests at 12:04:59 and another 100 at 12:05:00, because the new window starting at 12:05 begins with a fresh counter. All 200 are served, twice the limit within two seconds, so the algorithm permits a burst at every window boundary.

Sliding Window Log

In this algorithm, the timestamp of every accepted request is kept in a log. When a new request comes in, timestamps older than the window (for example, older than now minus one minute) are removed from the log, the remaining entries are counted, and the request is accepted and its timestamp appended only if the count is below the limit; otherwise it is dropped. Because the window always ends at the current request, this removes the boundary burst of the fixed window counter, but it costs memory proportional to the limit for every client being tracked.
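The following is an added example covering both the fixed window counter and the sliding window log, not code from the original post. It replays one constructed traffic pattern through both limiters: with a limit of 5 per 60-second window, a client sends five requests at seconds 55 to 59 and five more at seconds 60 to 64, straddling the window boundary. The limit, window length and timestamps are chosen for the illustration; timestamps are plain seconds rather than wall-clock times.

```python
from collections import deque
from typing import Deque, Dict


class FixedWindowCounter:
    """One counter per fixed window; the window index is floor(now / window).
    Every window starts from zero, which is what allows the boundary burst."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.counts: Dict[int, int] = {}   # window index -> requests served in it

    def allow(self, now: float) -> bool:
        idx = int(now // self.window)
        if self.counts.get(idx, 0) >= self.limit:
            return False
        self.counts[idx] = self.counts.get(idx, 0) + 1
        return True


class SlidingWindowLog:
    """Keeps the timestamp of every accepted request; a request is allowed
    only if fewer than `limit` accepted timestamps fall in (now - window, now]."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.log: Deque[float] = deque()   # ascending timestamps; oldest at the left

    def allow(self, now: float) -> bool:
        cutoff = now - self.window
        while self.log and self.log[0] <= cutoff:   # evict entries that aged out
            self.log.popleft()
        if len(self.log) >= self.limit:
            return False
        self.log.append(now)
        return True


def boundary_burst(limit: int = 5, window: float = 60.0) -> dict:
    """Constructed traffic: 5 requests at 55..59 s, then 5 more at 60..64 s."""
    times = [55, 56, 57, 58, 59, 60, 61, 62, 63, 64]
    fixed = FixedWindowCounter(limit, window)
    sliding = SlidingWindowLog(limit, window)
    fixed_allowed = sum(fixed.allow(t) for t in times)
    sliding_allowed = sum(sliding.allow(t) for t in times)
    return {
        "fixed_allowed": fixed_allowed,        # 10: twice the limit inside 10 seconds
        "sliding_allowed": sliding_allowed,    # 5: 55..59 are still inside (0, 60] at t=60
        "sliding_at_115": sliding.allow(115),  # True: the entry at 55 has aged out by then
        "log_size": len(sliding.log),          # never more than `limit` entries per client
    }


if __name__ == "__main__":
    print(boundary_burst())
```

The fixed window counter lets the client through at twice its nominal rate around the boundary, while the sliding window log holds it to the limit over any 60-second span. The log is bounded at one timestamp per allowed request, so a limit of 1000 per minute means up to 1000 entries per client in memory; both structures would be keyed per client on a real server.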

Why rate limiting is preferred on the server side over client-side?

Rate limiting can be done on both sides, but server-side rate limiting is preferred for security, reliability and fairness.

  1. Clients cannot be trusted: a malicious client can bypass client-side rate limiting simply by modifying the JavaScript that enforces it in the browser, or by sending requests from a script that never ran that code at all. Only a limit enforced by the server applies to every caller. For the same reason, the key the server limits on must come from something the server itself verifies (an authenticated session, the TCP peer address, or a forwarded-for header set by a trusted reverse proxy), not from a value the client supplies.
  2. Prevents Distributed Denial-of-Service (DDoS) attacks: in a DDoS attack, attackers use many machines to flood the server with requests. Client-side rate limiting cannot stop a flood from many sources, and the attacking machines are not running a well-behaved client in the first place.

Categorized in:

HLD,