API Throttling

 API throttling is the process of limiting the number of API requests a user can make in a certain period. An application programming interface (API) functions as a gateway between a user and a software application. For example, when a user clicks the post button on social media, the button click triggers an API call.

If you are creating the API, it can be used by many clients. Sometimes some of the clients consume the API frequently without any limit. But if you want to limit consuming the API for a particular client within a certain time, then you can achieve it by Rate Limiting

Why do we need Rate Limiting?

  • Rate Limiting helps us to protect against malicious bot attacks. For example, a hacker can use bots to make repeated requests to an API endpoint. Due to the number of repeated requests, resulting in will be service unavailable for others. This is called as the Denial of Service (DoS) attack. So, the rate limiting helps us from the DoS attack.
  • Another use of the rate limiting is to regulate traffic to the API.

We can implement the rate limiting using AspNetCoreRateLimit NuGet Package

To configure the rate limiting to use in-memory persistence, add the following lines to the ConfigureServices() method in Startup class

builder.Services.AddMemoryCache();
builder.Services.Configure<IpRateLimitOptions>(builder.Configuration.GetSection("IpRateLimiting"));
builder.Services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
builder.Services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
builder.Services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();
builder.Services.AddSingleton<IProcessingStrategy, AsyncKeyLockProcessingStrategy>();
builder.Services.AddInMemoryRateLimiting();


Let’s add the configuration for the IP rate limit in the application’s appsettings.json file:

"IpRateLimiting": {
"EnableEndpointRateLimiting": true,
"StackBlockedRequests": false,
"RealIPHeader": "X-Real-IP",
"ClientIdHeader": "X-ClientId",
"HttpStatusCode": 429,
"GeneralRules": [
{
"Endpoint": "GET:/Locations",
"Period": "5s",
"Limit": 2
}
]
}

Add the following lines to the Configure() method in Startup class

app.UseIpRateLimiting();

In the above code, the option EnableEndpointRateLimiting is set as true to ensure that limit is applied to specific endpoints (here /GetLocations) rather than all endpoints. If EnableEndpointRateLimiting is set to false then the limits will apply globally and only rules that have as endpoint * will apply.

The RealIpHeader is used to extract the client IP when your Kestrel server is behind a reverse proxy, if your proxy uses a different header, then X-Real-IP uses this option to set it up.

The ClientIdHeader is used to extract the client id for whitelisting, if a client id is present in this header and matches a value specified in ClientWhitelist then no rate limits are applied.

The rate limiting rules are set in the GeneralRules section. In the above example, the rule specifies that for the endpoint GET:/Location with an HTTP verb GET, allow only 2 requests in a time window of 5 seconds.

The format for the Endpoint setting is flexible as it supports pattern matching. For example, *:/Locations/* will apply the rate-limiting rule to all the endpoints irrespective of the HTTP verb and having the term “Locations” in its route.


Press F5 to run the API locally and to launch the Swagger UI just hit the http://localhost:<port_number>/swagger/index.html URL in the browser. The Swagger UI for the above controller looks as follows



Execute the Locations endpoint. You will get below response. The API endpoint returns result along with three response headers, related to rate-limiting



  • x-rate-limit-limit - It shows the rate limit time window
  • x-rate-limit-remaining - The remaining number of requests for the API endpoint for that particular time window. 
  • x-rate-limit-reset - It displays the time stamp for resetting the limit rules.

If you hit the above endpoint more than 2 times within 5 seconds (rate-limiting rules are violated) then failure response (status code is 429) will be returned. The headers has retry-after: 3 which means the client to retry after 3 seconds to avoid the violation of rate-limiting rules















Comments

Popular posts from this blog

Email Sending through O365 using OAuth Protocol

IoT Technology

What is reverse proxy?