Slide 1

Slide 1 text

IMPLEMENTING RATE LIMITING IN .NET 7 WEB API
by Mert METİN

Slide 2

Slide 2 text

ABOUT ME
Software Engineer @Sompo Insurance Turkey
MSc. in Information Technologies @Yildiz Technical University
https://github.com/mertmtn
https://www.linkedin.com/in/mrtmtn
https://twitter.com/_mertmetin
https://mertmtn.blogspot.com/

Slide 3

Slide 3 text

AGENDA
01 What is Rate Limiting?
02 Rate Limiting Algorithms
03 Rate Limiting in .NET History
04 Rate Limiting in .NET 7
05 Rate Limiting Implementations

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

WHAT IS RATE LIMITING?
It is an approach to building scalable and secure applications.
It limits the number of requests to the application in order to protect it from attacks*.
Goals: security, managing resources, controlling traffic, preventing overloads on the server.
*Brute force, DDoS attacks, web scraping
When you are faced with an HTTP 429 error, a rate limiting approach has been implemented.
Picture resource: https://httpstatusdogs.com/429-too-many-requests

Slide 6

Slide 6 text

Types of Rate Limiting
User
Location
Server
IP

Slide 7

Slide 7 text

ALGORITHMS
01 Fixed Window
02 Sliding Window
03 Token Bucket
04 Leaky Bucket

Slide 8

Slide 8 text

TOKEN BUCKET
A token represents a request to be processed. When a request comes in, a token leaves the bucket, until the refill time is reached.

Slide 9

Slide 9 text

TOKEN BUCKET
In distributed systems, we need to balance the refill time and the request limit so that there are no problems due to sudden resets. The solution is to refill the bucket using a refill rate.
Example: 5 requests per 60 seconds
Rate is 60/5 = 12 sec
10 requests in 6 seconds

Slide 10

Slide 10 text

FIXED WINDOW
Allows a limited number of requests in a fixed period of time. Requests that exceed the limit are rejected until the window/counter is replenished. In other words, "N requests per period".
Example: 3 requests per 60 seconds

Slide 11

Slide 11 text

FIXED WINDOW
Problems that can be encountered with Fixed Window:
Heavy requests at the boundary of two consecutive time windows can lead to increased traffic.
When the maximum request limit is reached at the beginning of the time window, a client can wait a long time for the next time window. It depends on the length of the time window.

Slide 12

Slide 12 text

FIXED WINDOW VS TOKEN BUCKET
Token Bucket: the refill rate can be adjusted using the refill period and the request limit.
Fixed Window: the refill rate is constant.

Slide 13

Slide 13 text

LEAKY BUCKET
Requests are placed in a FIFO (first in, first out) queue and processed at regular intervals. If the queue is full, new requests are not accepted until requests in the queue have been processed. The advantage over Token Bucket is the regular processing of requests at a fixed time interval.

Slide 14

Slide 14 text

LEAKY BUCKET VS TOKEN BUCKET
https://www.geeksforgeeks.org/leaky-bucket-algorithm/
https://media.geeksforgeeks.org/wp-content/uploads/leakyTap-1.png

Slide 15

Slide 15 text

SLIDING WINDOW
Incoming requests are stored in an array with the request period. When a new request is received, the requests in the last time period are checked. If the request limit is not reached, the request is pushed to the array.
Disadvantage: each new request costs memory and CPU because of looping over the array.

Slide 16

Slide 16 text

SLIDING WINDOW
The logic is that the time window is divided into time segments. The sliding window moves each time a segment passes.
Example: there is a 60-second window divided into three segments of 20 seconds each. The request limit is 50.

Slide 17

Slide 17 text

SLIDING WINDOW
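
The Fixed Window boundary problem and the array-based Sliding Window check, as an added example that is not part of the original slides. The class names FixedWindow and SlidingLog and the arrival times are assumptions; time is passed in explicitly so the run is deterministic. With the deck's "3 requests per 60 seconds" limit, the fixed window admits the whole six-request burst across the boundary, while the sliding window admits only the first three.

```csharp
using System;
using System.Collections.Generic;

// Constructed arrival times (seconds): a burst straddling the 60 s window boundary.
double[] arrivals = { 58, 59, 59.5, 60, 60.5, 61 };

var fixedWindow = new FixedWindow(limit: 3, period: 60);
var slidingLog = new SlidingLog(limit: 3, period: 60);

foreach (double t in arrivals)
    Console.WriteLine(
        $"t={t,5:0.0}s  fixed={fixedWindow.TryAcquire(t),-5}  sliding={slidingLog.TryAcquire(t)}");

// Fixed window: "N requests per period"; the counter resets when a new window starts.
class FixedWindow
{
    private readonly int _limit;
    private readonly double _period;
    private long _window = -1;
    private int _count;

    public FixedWindow(int limit, double period) { _limit = limit; _period = period; }

    public bool TryAcquire(double now)
    {
        long window = (long)Math.Floor(now / _period);
        if (window != _window) { _window = window; _count = 0; } // new window: replenish
        if (_count >= _limit) return false;
        _count++;
        return true;
    }
}

// Sliding window (array form): store accepted timestamps, count those in the last period.
class SlidingLog
{
    private readonly int _limit;
    private readonly double _period;
    private readonly Queue<double> _accepted = new();

    public SlidingLog(int limit, double period) { _limit = limit; _period = period; }

    public bool TryAcquire(double now)
    {
        while (_accepted.Count > 0 && _accepted.Peek() <= now - _period)
            _accepted.Dequeue(); // drop entries that have left the window
        if (_accepted.Count >= _limit) return false;
        _accepted.Enqueue(now);
        return true;
    }
}
```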

Slide 18

Slide 18 text

RATE LIMITING IN .NET
In .NET 7: as built-in middleware
Previous .NET versions: implementations performed with third-party libraries

Slide 19

Slide 19 text

RATE LIMITING IN .NET 7
The packages listed below provide rate limiting middleware for ASP.NET Core applications.
Microsoft.AspNetCore.RateLimiting
System.Threading.RateLimiting

Slide 20

Slide 20 text

Configuring Rate Limiting
In Program.cs:
builder.Services.AddRateLimiter(Action<RateLimiterOptions> configureOptions)
In this method:
options.RejectionStatusCode = 429; //HTTP 429 Status Code
Then add a rate limiter with a policy name, using one of the limiter types below:
AddFixedWindowLimiter
AddTokenBucketLimiter
AddSlidingWindowLimiter
AddConcurrencyLimiter
If you want, OnRejected is an event for customizing how a request is rejected.
app.UseRateLimiter(); //Enables rate limiting for the application.

Slide 21

Slide 21 text

AddFixedWindowLimiter()
Implements the Fixed Window algorithm.

Slide 22

Slide 22 text

AddTokenBucketLimiter()
Implements the Token Bucket algorithm.

Slide 23

Slide 23 text

AddSlidingWindowLimiter()
Implements the Sliding Window algorithm.

Slide 24

Slide 24 text

AddConcurrencyLimiter()
Only works for asynchronous requests.

Slide 25

Slide 25 text

Attributes
There are two attributes, which are defined at controller or method level.
EnableRateLimiting
DisableRateLimiting

Slide 26

Slide 26 text

Rate Limiting in Minimal API
RequireRateLimiting is used for it.
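
The configuration steps from the preceding slides put together in one Program.cs, as an added example that is not the presenter's demo code. The policy names, routes, the concurrency limit of 2 and the "per-ip" policy are assumptions; the other limits reuse the deck's own examples.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = 429; // HTTP 429 Too Many Requests

    // Customize the rejection: pass on the retry delay when the limiter reports one.
    options.OnRejected = async (context, cancellationToken) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
            context.HttpContext.Response.Headers.RetryAfter = ((int)retryAfter.TotalSeconds).ToString();
        await context.HttpContext.Response.WriteAsync("Too many requests.", cancellationToken);
    };

    // Fixed window: 3 requests per 60 seconds.
    options.AddFixedWindowLimiter("fixed", o =>
    { o.PermitLimit = 3; o.Window = TimeSpan.FromSeconds(60); });

    // Token bucket: capacity 5, one token refilled every 12 seconds (5 per 60 s).
    options.AddTokenBucketLimiter("token", o =>
    { o.TokenLimit = 5; o.TokensPerPeriod = 1; o.ReplenishmentPeriod = TimeSpan.FromSeconds(12); });

    // Sliding window: 50 requests per 60 seconds, in three 20-second segments.
    options.AddSlidingWindowLimiter("sliding", o =>
    { o.PermitLimit = 50; o.Window = TimeSpan.FromSeconds(60); o.SegmentsPerWindow = 3; });

    // Concurrency: at most 2 requests in flight at once (constructed value).
    options.AddConcurrencyLimiter("concurrency", o => o.PermitLimit = 2);

    // The named limiters above are shared by every caller of a policy. This policy
    // (an assumption, not on the slides) gives each remote IP its own fixed window.
    options.AddPolicy("per-ip", http => RateLimitPartition.GetFixedWindowLimiter(
        http.Connection.RemoteIpAddress?.ToString() ?? "unknown",
        _ => new FixedWindowRateLimiterOptions { PermitLimit = 3, Window = TimeSpan.FromSeconds(60) }));
});

var app = builder.Build();
app.UseRateLimiter(); // enables rate limiting for the application

app.MapGet("/fixed", () => "fixed").RequireRateLimiting("fixed");
app.MapGet("/token", () => "token").RequireRateLimiting("token");
app.MapGet("/sliding", () => "sliding").RequireRateLimiting("sliding");
app.MapGet("/concurrency", () => "concurrency").RequireRateLimiting("concurrency");
app.MapGet("/per-ip", () => "per-ip").RequireRateLimiting("per-ip");
app.Run();
```

Behind a reverse proxy or load balancer, RemoteIpAddress is the proxy's address unless forwarded headers are processed first, so the "per-ip" policy would put all clients in one partition. On controllers the same policy names are applied with [EnableRateLimiting("fixed")] and switched off with [DisableRateLimiting].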

Slide 27

Slide 27 text

TO SUM UP
Rate Limiting implementations before .NET 7
Rate Limiting in .NET 7 as middleware and its methods
Defined Rate Limiting and its algorithms.
Presented some implementations via Web API Demo

Slide 28

Slide 28 text

Resources you may be interested in
.NET 7 Yenilikleri #1 | Asp.NET Core 7.0 - Rate Limiting: https://www.youtube.com/watch?v=TVrKJD9Tg5A&t=1737s
Rate limiting middleware in ASP.NET Core: https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit?view=aspnetcore-7.0
.Net 7.0’da Rate Limiting Nedir ?: https://www.borakasmer.com/net-7-0da-rate-limiting-nedir/
Microsoft Releases New .NET Rate Limiter in .NET 7 - And It’s Amazing!: https://www.bytehide.com/blog/new-microsoft-dotnet-rate-limiter-for-rate-limiting
Rate Limiting Kavramını ve Algoritmalarını Anlamak: https://mertmtn.blogspot.com/2022/09/rate-limiting-kavramn-ve-algoritmalarn.html

Slide 29

Slide 29 text

THANK YOU
https://github.com/mertmtn
https://www.linkedin.com/in/mrtmtn
https://twitter.com/_mertmetin
https://mertmtn.blogspot.com/