Rate limiting: Implementation, Types, Benefits

What is rate limiting?

Rate limiting is a strategy or technique to limit network traffic. It is a technique used to control the amount of requests a user can send to a system within a specified time frame, ensuring fair usage and preventing potential abuse. [1] 

What is the difference between rate limiting and throttling?

Rate limiting strictly enforces a cap on the number of requests in a time window, whereas throttling regulates the request rate to maintain optimal performance or bandwidth. Essentially, rate limiting enforces a strict limit on the number of requests, while throttling subtly manages the speed or frequency of requests (smooth out spikes in traffic) to optimize system health.

What kinds of bot attacks are stopped by rate limiting?

Rate limiting can help in mitigating various types of attacks:[2]

1. DoS and DDoS: By sending an overwhelming number of requests, bots aim to exhaust server resources, making the service slow or unavailable for legitimate users.
2. Brute force: Bots can automate login attempts to guess passwords. Rate limiting can slow down or block such attempts by limiting how many login requests can be made in a specific period.
3. API Abuse: Bots might target APIs to either scrape data, exploit vulnerabilities, or exhaust resources. By setting up rate limits on API endpoints, one can prevent bots from making too many calls in a short amount of time.
4. Web scraping: Automated bots can scrape content from websites, either to copy information or monitor for changes. This can lead to intellectual property theft, competitive data mining, or increased server costs. Rate limiting can deter or slow down scraping bots.

How rate limiting is implemented at each layer of the TCP/IP Model?

Firstly, not all TCP/IP model layers inherently support or commonly use rate limiting. Although it is feasible to apply rate limiting on all the layers, the decision to apply rate limiting and at which layer depends on the specific use case and the nature of the traffic being managed. Let’s see how we can apply rate limiting at each layer of the TCP/IP model. 

1. Application Layer
   1. Web servers or API gateways might rate limits based on the number of API calls from a specific user or IP in a given time frame.
   2. Some applications might limit the number of requests or transactions. For Example, an email server might limit the number of emails sent in a specific time frame to prevent spamming.
2. Transport Layer
   1. Rate limiting can be applied based on ports, which can identify specific services such as HTTP running on port 80 or HTTPS on port 443.
   2. TCP flow control mechanisms, like TCP window scaling, inherently control the rate of data transmission between two endpoints.
3.  Internet (Network) Layer
   1. Routers and some advanced switches operate at this layer and can implement rate limiting based on source or destination IP addresses.
   2. Traffic shaping or policing might be applied using mechanisms like Committed Access Rate (CAR) or Token Bucket.
   3. Quality of Service (QoS) mechanisms, like Differentiated Services Code Point (DSCP), can be used to prioritize certain packets.
4. Link (Network Access) Layer
   1. Rate limiting here can be done based on Media Access Control (MAC) addresses.
   2. You can set the transmission speed on certain devices to limit bandwidth at this layer. For example, configuring an Ethernet link to operate at 200 Mbps instead of 1 Gbps.
   3. Port-based rate limiting might be applied on certain switch ports.

Rate limiting Techniques

Rate limiting works by using several rate-limiting algorithms to limit the number of requests. The algorithms are as follows [3]:

Token Bucket

Let us assume that we have a bucket that can hold a certain number of tokens. Tokens are added to the bucket at regular intervals up to its capacity. Every time a request is made to the server, a token is removed from the bucket. If the bucket is empty, the request is rejected. Each user can be assigned a bucket with a fixed number of tokens, when the bucket gets empty it indicates that the user has consumed all the request quota he was assigned thereby limiting the number of requests from the user.

Fig 1: Explanation of Token Bucket algorithm

Leaky Bucket

This is like a bucket with a hole at its bottom. A queue of requests is maintained which is assumed as a bucket filled with requests. When a new request arrives it is appended to the end of the queue and the first item of the queue (bucket) is processed (leaks out) at a constant rate. If the bucket fills up, excess requests overflow and are denied.

Fig 2: Explanation of Leaky Bucket algorithm

Fixed Window

A window of a fixed duration is used to track the rate. All requests within that window are counted. Once the limit for that window is reached, further requests are denied. The count resets at the start of the next window.

Fig 3: Explanation of Fixed Window algorithm

Sliding Window (Sliding Log)

This approach combines the low processing cost of the fixed window algorithm and the improved boundary conditions of the sliding log algorithm. The requests are time-stamped and logged. For each incoming request, the system counts how many requests were made in the preceding window duration (e.g., the last minute). If the count exceeds the limit, the request is denied.

Fig 4: Explanation of Sliding Window algorithm

Benefits of Rate Limiting  

Rate limiting is important as it has a myriad of advantages:

1. Stability: It ensures systems aren’t overwhelmed with requests and maintains consistent performance.
2. Security: Rate limiting can mitigate malicious intents that involve flooding a system with requests such as DoS (Denial of Service) attacks.
3. Fair Resource Allocation: It ensures all users get a fair share of the system’s resources.
4. Cost Efficiency: Rate limiting can help in cost optimization by preventing unexpected traffic spikes. Major cloud vendors provide a pay-as-you-use model and therefore, a constant rate of requests will keep the rates at an acceptable level.

Challenges and considerations

While rate limiting is indispensable, it’s not without challenges:

1. False Positives: Genuine users might sometimes be mistaken as threats, especially if many users are behind shared IPs.
2. Scalability issues: Rate limiting may become a bottleneck if not scaled properly.
3. Complexity: Implementing a rate-limiting strategy might add complexity to the system that might make it difficult to maintain.

Conclusion

Rate limiting controls the number of requests a user can make to a service in a set time, ensuring the requests do not overwhelm a system. It helps keep online services stable and defends against bot attacks. It’s essential for both security and performance.