Currently, rate-limiting in aw is required to be implemented at the application-level. It assumes that the application has the best information about per-message rate limits, and to him to apply them. While this remains true, it is still worth implementing a basic rate-limiter.
The rate-limit should be implemented using a standard rate-per-second with temporary burst. If the rate-limit is violated, then the offending IP address is blacklisted. This drops the existing connection, and refuses connections from this IP address until the end of blacklist timeout. If the IP address attempts connections during this blacklisted period, then the period is extended by the back-off factor (multiplying the current time left by the back-off factor).
Recent offenders should be stored in-memory, but also saved on-disk in the case of an unexpected reboot. Assuming all IP addresses are 128 bits, an in-memory limit of 1MB would allow for 65,536 offenders before the server begins to drop attackers. In the case that this limit is reached, the least recent offender will be dropped from the list (implying that the offender is forgiven).
Currently, rate-limiting in
awis required to be implemented at the application-level. It assumes that the application has the best information about per-message rate limits, and to him to apply them. While this remains true, it is still worth implementing a basic rate-limiter.The rate-limit should be implemented using a standard rate-per-second with temporary burst. If the rate-limit is violated, then the offending IP address is blacklisted. This drops the existing connection, and refuses connections from this IP address until the end of blacklist timeout. If the IP address attempts connections during this blacklisted period, then the period is extended by the back-off factor (multiplying the current time left by the back-off factor).
Recent offenders should be stored in-memory, but also saved on-disk in the case of an unexpected reboot. Assuming all IP addresses are 128 bits, an in-memory limit of 1MB would allow for 65,536 offenders before the server begins to drop attackers. In the case that this limit is reached, the least recent offender will be dropped from the list (implying that the offender is forgiven).