Rate Limiting in .NET

What’s this sorcery?

Cosmin Vladutu
Jan 22, 2024

You have probably thought about this at least once in your life. In short, this technique limits the amount of incoming or outgoing network traffic. It should be the first thing that comes to mind when you hear about DDoS attacks.

How does this work?

The way it works is pretty simple: you limit the number of requests a client can make in a specific period. If the number exceeds the limit, the server (typically) sends back a 429 (the HTTP status code that means “too many requests”) to the client.

Benefits?

  1. As already said, it is the first measure you can take against DDoS attacks, so you can also say you are blocking malicious behaviour.
  2. Maintaining service availability, so you can also say that you improve the UX / your client’s experience.
  3. Reducing resource consumption, which might also lower your costs.

Cons

  1. It is not bulletproof. If someone wants to attack you, he can also change his IP address, and the rate limit won’t stop him from flooding your system.
  2. The rate limit can’t tell the difference between good/normal traffic and bad traffic. It only looks at the number of requests from an IP. This might be a problem in certain cases.

Where can you apply this thing?

Wherever you want. You can do it! You are the expert!

  • Application Layer
  • Service Layer
  • Database Layer
  • Network Layer

Is it really working?

Not sure if you configured it correctly? To check, you should be able to see the complete information about the remaining limit, time and so on in the response headers of your requests.
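
The per-client limit from "How does this work?" and the header check above, as an added example that is not the author's linked code. It assumes the rate limiting middleware built into ASP.NET Core (.NET 7 or later) in a minimal API project; the limit of 10 requests per minute, the "unknown" fallback key and the `/` endpoint are constructed values.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRateLimiter(options =>
{
    // The middleware rejects with 503 unless told otherwise; 429 is what clients expect.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // One fixed window per client IP, applied to every endpoint.
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(http =>
    {
        // Behind a reverse proxy this is the proxy's address: configure forwarded
        // headers first, or every client ends up sharing a single partition.
        var clientKey = http.Connection.RemoteIpAddress?.ToString() ?? "unknown";

        return RateLimitPartition.GetFixedWindowLimiter(clientKey, _ =>
            new FixedWindowRateLimiterOptions
            {
                PermitLimit = 10,                  // constructed value
                Window = TimeSpan.FromMinutes(1),  // constructed value
                QueueLimit = 0                     // reject at once instead of queuing
            });
    });

    // The middleware adds no rate limit headers on its own, so expose the
    // time left in the window as Retry-After for the header check.
    options.OnRejected = (context, cancellationToken) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
        {
            context.HttpContext.Response.Headers.RetryAfter =
                ((int)retryAfter.TotalSeconds).ToString();
        }
        return ValueTask.CompletedTask;
    };
});

var app = builder.Build();

app.UseRateLimiter();          // must run before the endpoints it protects
app.MapGet("/", () => "ok");   // constructed endpoint

app.Run();
```

Sending more than 10 requests to `/` within a minute from one address should return 429 with a `Retry-After` header on the rejected responses.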

Example?

The internet is full of examples specific to what you need, but if you want to check an ugly example from my side on how to add a rate limit at the application layer, you can find one here.

Cosmin Vladutu

Software Engineer | Azure & .NET Full Stack Developer | Leader