I M P L E M E N T I N G R A T E L I M I T I N G I N . N E T 7 W E B A P I by Mert METİN

https://github.com/mertmtn https://www.linkedin.com/in/mrtmtn https://twitter.com/_mertmetin https://mertmtn.blogspot.com/ A B O U T M E Software Engineer @Sompo Insurance Turkey MSc. in Information Technologies @Yildiz Technical University

What is Rate Limiting? 01 Rate Limiting Algorithims 02 Rate Limiting in .NET History 03 Rate Limiting in .NET 7 04 A G E N D A Rate Limiting Implementations 05

No content

W H A T I S R A T E L I M I T I N G ? It is an approach to scalable and secure applications Limiting the number of request to the application in order to protect from bad attacks* Security, managing resources, controlling traffic, preventing overloads on server. *Brute force, DDos Attack, Web Scraping When you faced with HTTP 429 Error, there is implemented "rate limiting" approach. Picture resource: https://httpstatusdogs.com/429-too-many-requests

User Location Server IP T y p e s o f R a t e L i m i t i n g

Fixed Window 01 Sliding Window 02 Token Bucket 03 Leaky Bucket 04 A L G O R I T H M S

T O K E N B U C K E T A token as processing request. If the request came, token was leaving from the bucket until reaches refillment time.

T O K E N B U C K E T In distributed systems, we need to balance the refillment time and the request limit so that, there are no problems due to sudden resets. Solution is refill the bucket using refillment rate. Example: 5 request per 60 seconds Rate is 60/5=12 sec 10 requests in 6 seconds

F I X E D W I N D O W Allows limited number of request in fixed period of time. If exceeds, rejected until replenish the window/counter. In other words "N request per period" Example: 3 requests per 60 seconds

Heavy requests at the boundary of two consecutive time windows can lead to increased traffic. When the maximum request limit is reached at the beginning of the time window, it can wait for a long time to wait for the next time window. It depends on length of time window. F I X E D W I N D O W Problems can be encountered with Fixed Window

F I X E D W I N D O W V S T O K E N B U C K E T Refillment rate can be adjusted using refillment period and request limit. Token Bucket Refillment rate is constant. Fixed Window

L E A K Y B U C K E T Requests are placed with FIFO (first in first out) queue structure and process regular intervals. If queue is full, there will not be accepted new request until process requests at the queue. Advantage over Token Bucket is the regular processing of requests at a fixed time interval.

https://www.geeksforgeeks.org/leaky-bucket-algorithm/ https://media.geeksforgeeks.org/wp-content/uploads/leakyTap-1.png L E A K Y B U C K E T V S T O K E N B U C K E T

S L I D I N G W I N D O W Incoming requests store in array with request period. If a new request is received, the requests in the last time period are checked. If the request limit is not reached, push it to the array. Disadvantage: Each new request causes memory and CPU usage because of looping in the array.

S L I D I N G W I N D O W The logic is time window divides into time segment. Sliding window moves when each time segment passed. Example; There is 60 seconds window and it divided three segments those are 20 seconds. Request Limit is 50.

S L I D I N G W I N D O W

R A T E L I M I T I N G I N . N E T As built-in middleware In .NET 7 Implementations performed with third-party libraries Previous .NET Version

R A T E L I M I T I N G I N . N E T 7 List of below packages provides a rate limiting middleware for an ASP.NET Core applications. Microsoft.AspNetCore.RateLimiting System.Threading.RateLimiting

AddFixedWindowLimiter AddTokenBucketLimiter AddSlidingWindowLimiter AddConcurrencyLimiter app.UseRateLimiter(); //Enables rate limiting for the application. builder.Services.AddRateLimiter(Action configureOptions) In this method; options.RejectionStatusCode = 429; //HTTP 429 Status Code Then; Adding RateLimiter with policy name with below limiter types. As you want; OnRejected is an event for customizing reject request. C o n f i g u r i n g R a t e L i m i t i n g On Program.cs;

A d d F i x e d W i n d o w L i m i t e r ( ) Implements Fixed Window algorithm.

A d d T o k e n B u c k e t L i m i t e r ( ) Implements Token Bucket Algorithm.

A d d S l i d i n g W i n d o w L i m i t e r ( ) Implements Sliding Window Algorithm.

A d d C o n c u r r e n c y L i m i t e r ( ) Only works for asychronous requests.

A t t r i b u t e s There are two attributes which defines controller or method level. EnableRateLimiting DisableRateLimiting

R a t e L i m i t i n g i n M i n i m a l A P I RequireRateLimiting is used for it.

Rate Limiting implementations before .NET 7 Rate Limiting in .NET 7 as middleware and its method Defined Rate Limiting and its algorithm. Presented some implementations via Web API Demo T O S U M U P

.NET 7 Yenilikleri #1 | Asp.NET Core 7.0 - Rate Limiting: https://www.youtube.com/watch?v=TVrKJD9Tg5A&t=1737s Rate limiting middleware in ASP.NET Core https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit?view=aspnetcore-7.0 .Net 7.0’da Rate Limiting Nedir ? https://www.borakasmer.com/net-7-0da-rate-limiting-nedir/ Y o u m a y b e i n t e r e s t e d r e s o u r c e s Microsoft Releases New .NET Rate Limiter in .NET 7 - And It’s Amazing! https://www.bytehide.com/blog/new-microsoft-dotnet-rate-limiter-for-rate-limiting Rate Limiting Kavramını ve Algoritmalarını Anlamak: https://mertmtn.blogspot.com/2022/09/rate-limiting-kavramn-ve-algoritmalarn.html

T H A N K Y O U https://github.com/mertmtn https://www.linkedin.com/in/mrtmtn https://twitter.com/_mertmetin https://mertmtn.blogspot.com/