Rate Limiting and DDoS
Nirvan Jha
Posted on June 16, 2024
What is Rate Limiting?
- Rate Limiting is a technique to control the rate at which requests (such as GET, POST, PUT etc.) are made to a service by a client or an application.
- This is achieved by restricting the amount of request that a client makes to the server in a specified amount of time. For example, you can make only 100 requests in a specified time interval say 30 secs. It means if you made 100 requests to a website....then you have to wait for 30 seconds...and then only you are allowed to make 100 request again.
Why Rate Limiting?
- Preventing Overload:- Rate limiting controls how often a user or system can make requests to a service. This helps prevent overuse of resources, ensuring that the system remains available and responsive for all users. For example, rate limiting can stop a single user from making thousands of login attempts in a minute, which could otherwise degrade service for others.
- Mitigating Abuse: Without rate limiting, an application could be more susceptible to abuse such as brute force attacks on passwords. (Brute Force Attacks: in these attacks, the attackers tries to gain the access of the system illegally...For ex. If the site needs an 4 digit OTP to Login, So the attacker will run an algorithm and try all the 4 digit numbers from 1000 to 9999. This is a hit and trial method. The algorithm tries each and every OTP ). By limiting how often someone can perform an action, it reduces the feasibility of such attacks.
- Managing Traffic: In high traffic scenarios such as movie ticket booking...Rate Limiting helps to manage the Traffic on the website and ensures a fairer distribution of services to the users.
- DDoS protection: A DDoS attack means attacking the website from multiple sources which can make the website unavailable. DDoS protection mechanism can identify such malicious traffic and filter them. (Sounds Overwhelming just look at the Figure below).
So the question arises:-
**Where Can You Commonly Find Rate Limiters=>
- In the login page of sites...where there is a higher chance of Brute Force attacks.
- In the Ecommerce Sites: Suppose if there is a sale on Sneakers...The attackers will send multiple request to jam the website so that normal users cant access it.
- API Endpoints , Email Sending etc.
**How To Write the Code for Rate Limiter:-
Step1: Add Dependency
npm i express-rate-limit
Step3: Use this middleware in whichever end point you need. An example is attached Below on how to use this middleware.
Now the PROBLEM arises:- Your Server is still vulnerable to DDoS.
Though DDoS is rarely used for password reset, it is usually used to choke a server.
How can you save your reset password endpoint?
- You can implement logic in the rate limiter code that only 3 resets are allowed per email sent out. OR
- You can implement CAPTCHA logic.
How does a captcha work:- You can various tools such as CloudFlare turnstile.
To Use Captcha , Here is an example how you can do it:-
Step1: Go to Cloudflare Turnstile and click on ADD SITE
Step2: Add a name and Domain.
Step3: You will get a site key and a secret key (This secret key is used to verify token...discussed earlier).
Step4:Create a React Page
Step5: Add Dependencies by running this command in the terminal:-
npm i @marsidev/react-turnstile
Step6: Update App.tsx
Step7: Update the backend Code:-
And You are Good to Go :)
Do Share your reviews in the comments!!
Thanks
Posted on June 16, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.