Incomputer networks,rate limiting is used to control the rate of requests sent or received by anetwork interface controller. It can be used to preventDoS attacks^[1] and limitweb scraping.^[2]

Research indicates flooding rates for one zombie machine are in excess of 20HTTP GET requests per second,^[3] legitimate rates much less.

Rate limiting should be used along withthrottling pattern to minimize the number of throttling errors.^[4]

Hardware appliances can limit the rate of requests on layer 4 or 5 of theOSI model.

Rate limiting can be induced by the network protocol stack of the sender due to a receivedECN-marked packet and also by thenetwork scheduler of any router along the way.

While a hardware appliance can limit the rate for a given range of IP-addresses on layer 4, it risks blocking a network with many users which are masked byNAT with a singleIP address of anISP.

Deep packet inspection can be used to filter on the session layer but will effectively disarm encryption protocols likeTLS andSSL between the appliance and the protocol server (i.e. web server).

Protocol servers using a request / response model, such asFTP servers or typicallyWeb servers may use a centralin-memorykey-value database, likeRedis orAerospike, for session management. A rate limiting algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache.

In case a client made too many requests within a given time frame,HTTP servers can respond with status code429: Too Many Requests.

However, in some cases (i.e. web servers) the session management and rate limiting algorithm should be built into the application (used for dynamic content) running on the web server, rather than the web server itself.

When a protocol server or a network device notice that the configured request limit is reached, then it will offload new requests and not respond to them. Sometimes they may be added to aqueue to be processed once the input rate reaches an acceptable level, but at peak times the request rate can even exceed the capacities of such queues and requests have to be thrown away.

Data centers widely use rate limiting to control the share of resources given to different tenants and applications according to their service level agreement.^[5] A variety of rate limiting techniques are applied in data centers using software and hardware. Virtualized data centers may also apply rate limiting at the hypervisor layer. Two important performance metrics of rate limiters in data centers are resource footprint (memory and CPU usage) which determines scalability, and precision. There usually exists a trade-off, that is, higher precision can be achieved by dedicating more resources to the rate limiters. A considerable body of research with focus on improving performance of rate limiting in data centers.^[5]

• Bandwidth management
• Bandwidth throttling
• Project Shield

Algorithms

• Token bucket^[6]
• Leaky bucket
• Fixed window counter^[6]
• Sliding window log^[6]
• Sliding window counter^[6]

Libraries

• ASP.NET Web API rate limiter
• ASP.NET Core rate limiting middleware
• Rate limiting for .NET (PCL Library)
• Rate limiting for Node.JS

• Network performance

• Articles with short description
• Short description is different from Wikidata