A while ago I needed a very quick rate limiter implementation. The application I was working on was already using Redis.
Fixed-window rate limiting: This is a straightforward algorithm that counts the number of requests received within a fixed time window, such as one minute. Once the maximum number of requests is reached, additional requests are rejected until the next window begins. …
With a small Redis script, I was able to implement a fixed-window rate limiter:
Every time this script is run, it takes a key and increments its value by 1. When the key is incremented for the first time, an expiry of 60 seconds is set on it. The script returns the current value after the increment.
The key expires 60 seconds after it is first set. Once expired, it will be set again on the next request.
Any code using this script can call it whenever a request for a rate-limitable action is received. If the value returned by the script is greater than the allowed maximum, the request is aborted because the rate limit has been reached. If the value returned is not greater than the allowed maximum, the request is processed.
The function can then be used as follows:
And this just works.
Note that a fixed-window rate limiter, although effective against sustained attacks, may affect the experience of legitimate users.
In the example above, we rate limit based on the username used during a login flow. This is less likely to affect legitimate users than using, for example, the remote IP address of the incoming request.
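As an added example (not the post's own script, which is not reproduced here), this mirrors the fixed-window logic described above: a reconstructed Lua body that INCRs the key, sets the 60-second expiry on the first hit and returns the count, plus an in-memory stand-in for Redis so it runs offline. The `FakeRedis` class, the `ratelimit:login:<username>` key name and the limit of 5 are assumptions of this example.

```python
import time

WINDOW_SECONDS = 60
# Lua body as it would be sent with EVAL / SCRIPT LOAD. Constructed here
# from the post's description (INCR, EXPIRE on first hit, return count).
RATE_LIMIT_LUA = """
local current = redis.call('INCR', KEYS[1])
if current == 1 then
    redis.call('EXPIRE', KEYS[1], tonumber(ARGV[1]))
end
return current
"""

class FakeRedis:
    """In-memory stand-in for INCR/EXPIRE so the example runs offline;
    a real deployment would use redis.Redis().register_script()."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.store = {}  # key -> [count, expires_at or None]

    def _purge_if_expired(self, key):
        entry = self.store.get(key)
        if entry and entry[1] is not None and self.clock() >= entry[1]:
            del self.store[key]

    def incr(self, key):
        self._purge_if_expired(key)
        entry = self.store.setdefault(key, [0, None])
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        self._purge_if_expired(key)
        if key not in self.store:
            return 0
        self.store[key][1] = self.clock() + seconds
        return 1

def hit(r, key, window=WINDOW_SECONDS):
    """Same steps as RATE_LIMIT_LUA; in Redis the script runs atomically."""
    current = r.incr(key)
    if current == 1:          # first request in this window: start the TTL
        r.expire(key, window)
    return current

def allow_login_attempt(r, username, limit=5):
    """Per-username limit as in the post: True = process, False = reject."""
    return hit(r, f"ratelimit:login:{username}") <= limit
```

Because the window is anchored to the first request rather than to wall-clock minutes, a client can still fit up to twice the limit into the seconds around a window boundary; that is the trade-off the post accepts for simplicity.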