Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
1 Approaches for application request throttling Maarten Balliauw @maartenballiauw
Upcoming events • Wednesday, October 3, 2018 (www.azug.be ) • Confusion In The Land Of The Serverless & Macro challenges ...
Thank you!
4 Approaches for application request throttling Maarten Balliauw @maartenballiauw
5 Today - 10 years later #165 Thanks, VISUG!
6
9 Agenda Users and traffic patterns Rate limiting and considerations Which resources? Which limits? Who to limit? Who not ...
10 Users...
11 MyGet Hosted private package repository – www.myget.org NuGet, NPM, Bower, Maven, VSIX, PHP Composer, Symbols, ... HTTP...
12 We’re using background workers Example: package upload PUT/POST binary and metadata to front-end PackageAddedEvent on q...
13 What could possibly go wrong... Too many uploads incoming! Front-end IIS server needs workers to read the incoming netw...
14 What could possibly go wrong... Too many downloads! Application logic has to check credentials, subscription, quota 404...
17 Other examples Web UI requests Trying to register spam accounts Trying to brute-force login/password reset Trying to va...
18 Real-life example
19 Rate limiting! (or “throttling”)
20 Rate limiting – what? Limits # of requests in a given timeframe Or limits bandwidth, or another resource – up to you He...
21 Rate limit everything. - Maarten Balliauw
22 Rate limiting – everything??? Everything that could slow down or break your application Typically everything that depen...
23 Let’s do this! Database with table Events UserIdentifier – who do we limit ActionIdentifier – what do we limit When – e...
24 Let’s do this! demo
25 Rate measuring
26 That database was a bad idea! Very flexible in defining various limits or doing combinations Very flexible in changing ...
27 That database was a bad idea! We created a denial of service opportunity! SELECT, INSERT, DELETE for every request Cons...
28 Quantized buckets Create “buckets” per <identifier> and <timespan> Use incr <bucket> on Redis and get back the current ...
29 Quantized buckets Super easy and super cheap (atomic write and read on Redis, auto-expire LRU) Not accurate... (but tha...
30 Leaky bucket “Imagine a bucket where water is poured in at the top and leaks from the bottom. If the rate at which wate...
31 Leaky bucket Get <delta> tokens, with maximum <count> per <timespan> public int GetCallsLeft() { if (_tokens < _capacit...
32 Cool! That’s it, right?
33 Deciding on limits
34 Things to decide on Decide on the resources to limit Decide on a sensible limit Come up with an identifier to limit on ...
35 Which resources to limit? ...
36 Rate limit everything. - Maarten Balliauw
37 What are sensible limits? Approach 1 1. Figure out current # of requests for a certain resource 2. Set limits 3. Get an...
38 Will you allow bursts or not? Laddering! Different buckets per identifier and resource... 10 requests per second can be...
39 What will be the identifier? Per IP address? But what with NAT/proxy? Per user? But how do you limit anonymous users? P...
40 What will be the identifier? Probably a combination! IP address (debatable) + User token (or “anonymous”) + Session tok...
41 Decide on exceptions Do we rate limit all users? Do we have separate limits for certain users? Dynamic limiting Do we r...
42 Responding to limits
43 What when the user hits the limit? Do we just “black hole” and close the connection? Do you tell the user? API: status ...
44 Try to always tell the user Format? Depends on Accept header (text/html vs. application/json) Tell them why they were t...
45 Where do we limit?
46 Rate limiting – where? MvcThrottle Runs as action filter Requests per timespan Per action, user, IP, ... (so knows abou...
47 MvcThrottle Demo
48 How far do we allow traffic before saying no? KNOWLEDGE ABOUT THE OPERATION RESOURCES SPENT
49 How far do we allow traffic before saying no? KNOWLEDGE ABOUT THE OPERATION RESOURCES SPENT
50 What options are there? In our application ActionFilter / Middleware / HttpModule / ... Easy to add custom logic, based...
51 What options are there? In our application On the server IIS has dynamic IP restrictions, bit rate throttling, <limits ...
52 What options are there? In our application On the server Outside of our server Reverse proxy (IIS Application Request R...
53 Rate limiting with NGinx Demo
54 What options are there? In our application On the server Outside of our server Outside of our datacenter Azure API mana...
55 Rate limiting with Azure API management Demo
56 Monitor rate limiting
57 Imagine... Your marketing team decided to bridge the physical world with the virtual: “Use our in-store wifi to join th...
58 Imagine... Your marketing team decided to bridge the physical world with the virtual: “Use our in-store wifi to join th...
59 Monitor your rate limiting! Monitor what is happening in your application Who are we rate limiting, when, why Allow for...
60 Conclusion
61 Conclusion Users are crazy! (typically unintended) We need rate limiting Decide on the resources to limit (tip: everyth...
62 Thank you! http://blog.maartenballiauw.be @maartenballiauw
Upcoming SlideShare
Loading in …5
×

VISUG - Approaches for application request throttling

408 views

Published on

Speaking from experience building a SaaS: users are insane. If you are lucky, they use your service, but in reality, they probably abuse. Crazy usage patterns resulting in more requests than expected, request bursts when users come back to the office after the weekend, and more! These all pose a potential threat to the health of our web application and may impact other users or the service as a whole. Ideally, we can apply some filtering at the front door: limit the number of requests over a given timespan, limiting bandwidth, ...

In this talk, we’ll explore the simple yet complex realm of rate limiting. We’ll go over how to decide on which resources to limit, what the limits should be and where to enforce these limits – in our app, on the server, using a reverse proxy like Nginx or even an external service like CloudFlare or Azure API management. The takeaway? Know when and where to enforce rate limits so you can have both a happy application as well as happy customers.

Published in: Technology
no profile picture user

  • Be the first to comment

VISUG - Approaches for application request throttling

  1. 1. 1 Approaches for application request throttling Maarten Balliauw @maartenballiauw
  2. 2. Upcoming events • Wednesday, October 3, 2018 (www.azug.be ) • Confusion In The Land Of The Serverless & Macro challenges of a microservice architecture Sam Newman & Cornell Knulst • @3Square - Gent • Tuesday, October 23, 2018 • Releasing features at the flick of a switch Dimitri Holsteens • @Corda Campus - Hasselt (UgenTec offices)
  3. 3. Thank you!
  4. 4. 4 Approaches for application request throttling Maarten Balliauw @maartenballiauw
  5. 5. 5 Today - 10 years later #165 Thanks, VISUG!
  6. 6. 6
  7. 7. 9 Agenda Users and traffic patterns Rate limiting and considerations Which resources? Which limits? Who to limit? Who not to limit? What when a limit is reached? Where to limit?
  8. 8. 10 Users...
  9. 9. 11 MyGet Hosted private package repository – www.myget.org NuGet, NPM, Bower, Maven, VSIX, PHP Composer, Symbols, ... HTTP-based Web UI for managing things API for various package managers PUT/POST – Upload package DELETE – Delete package via API GET – Fetch metadata or binary
  10. 10. 12 We’re using background workers Example: package upload PUT/POST binary and metadata to front-end PackageAddedEvent on queue with many handlers handled on back-end ProcessSymbols UpdateLatestVersion Indexing ...
  11. 11. 13 What could possibly go wrong... Too many uploads incoming! Front-end IIS server needs workers to read the incoming network stream Application logic has to check credentials, subscription, quota Back-end Delays in queue processing (luckily workers can process at their own pace) Too many uploads that are too slow! Front-end IIS server needs lots of workers to slowly copy from the network stream Workers == threads == memory == synchronization == not a happy place
  12. 12. 14 What could possibly go wrong... Too many downloads! Application logic has to check credentials, subscription, quota 404’s still need that application logic... Package managers are crazy! Total # requests Total # 404’s % 404’s # of packages in solution 200 800 600 # on NuGet.org 190 200 10 5% # on MyGet feed 1 5 200 195 97,5% # on MyGet feed 2 4 200 196 98% # on company-internal TeamCity 1 200 199 99,5%
  13. 13. 17 Other examples Web UI requests Trying to register spam accounts Trying to brute-force login/password reset Trying to validate credit card numbers via a form on your site ...cost money in the cloud (e.g. per serverless execution) Robots / Crawlers Imagine a spider adding 20k items to a shopping cart For us, usually fine (e.g. Googlebot by default up to 5 req/sec) Limiting is easy with rel=“nofollow” and robots.txt crawl-delay
  14. 14. 18 Real-life example
  15. 15. 19 Rate limiting! (or “throttling”)
  16. 16. 20 Rate limiting – what? Limits # of requests in a given timeframe Or limits bandwidth, or another resource – up to you Helps eliminate: Unexpected traffic patterns Unwanted traffic patterns (e.g. script kiddie brute-force login) Potentiallly damaging traffic patterns (accidental and malicious)
  17. 17. 21 Rate limit everything. - Maarten Balliauw
  18. 18. 22 Rate limiting – everything??? Everything that could slow down or break your application Typically everything that depends on a scarce or external resource CPU Memory Disk I/O Database External API So yes, everything...
  19. 19. 23 Let’s do this! Database with table Events UserIdentifier – who do we limit ActionIdentifier – what do we limit When – event timestamp so we can apply a query Filter attribute SELECT COUNT(*) FROM Events WHERE UserIdentifier = <user> AND ActionIdentifier = <action> AND When >= NOW() – X INSERT INTO Events (<user>, <action>, NOW()) DELETE FROM Events WHERE UserIdentifier = <user> AND ActionIdentifier = <action> AND When < NOW() – X
  20. 20. 24 Let’s do this! demo
  21. 21. 25 Rate measuring
  22. 22. 26 That database was a bad idea! Very flexible in defining various limits or doing combinations Very flexible in changing limits, e.g. changing the time period The database will suffer at scale... Every request is at least 2 – 3 queries Constant index churn We need to manually run DELETE to remove old events Database size!
  23. 23. 27 That database was a bad idea! We created a denial of service opportunity! SELECT, INSERT, DELETE for every request Consider a simpler technique to limit # of operations Ideally just a simple counter “Buckets”
  24. 24. 28 Quantized buckets Create “buckets” per <identifier> and <timespan> Use incr <bucket> on Redis and get back the current count per <timespan> public string GetBucketName(string operation, TimeSpan timespan) { var bucket = Math.Floor( DateTime.UtcNow.Ticks / timespan.TotalMilliseconds / 10000); return $"{operation}_{bucket}"; } Console.WriteLine(GetBucketName("someaction", TimeSpan.FromMinutes(10))); // someaction_106062120 <-- this will be the key for +/- 10 minutes
  25. 25. 29 Quantized buckets Super easy and super cheap (atomic write and read on Redis, auto-expire LRU) Not accurate... (but that may be ok) (n-1)x2 / 10 sec Theoretically: max. 6 / 10 sec
  26. 26. 30 Leaky bucket “Imagine a bucket where water is poured in at the top and leaks from the bottom. If the rate at which water is poured in exceeds the rate at which it leaks, the bucket overflows.“ Widely used in telecommunications to deal with bandwidth/bursts.
  27. 27. 31 Leaky bucket Get <delta> tokens, with maximum <count> per <timespan> public int GetCallsLeft() { if (_tokens < _capacity) { var referenceTime = DateTime.UtcNow; var delta = (int)((referenceTime - _lastRefill).Ticks / _interval.Ticks); if (delta > 0) { _tokens = Math.Min(_capacity, _tokens + (delta * _capacity)); _lastRefill = referenceTime; } } return _tokens; }
  28. 28. 32 Cool! That’s it, right?
  29. 29. 33 Deciding on limits
  30. 30. 34 Things to decide on Decide on the resources to limit Decide on a sensible limit Come up with an identifier to limit on Decide on exceptions to the rule
  31. 31. 35 Which resources to limit? ...
  32. 32. 36 Rate limit everything. - Maarten Balliauw
  33. 33. 37 What are sensible limits? Approach 1 1. Figure out current # of requests for a certain resource 2. Set limits 3. Get angry phone calls from customers Approach 2 1. Figure out current # of requests for a certain resource 2. Set limits, but only log when a request would be limited 3. Analyze logs, set new limits, ... 4. Start rate limiting 5. Keep measuring
  34. 34. 38 Will you allow bursts or not? Laddering! Different buckets per identifier and resource... 10 requests per second can be 36000 requests per hour. But 10 requests per second could also be 1000 requests per hour. Bucket Operation A Operation B Operation C Per second 10 10 100 Per minute 60 60 500 Per hour 3600 600 500 ... Steady flow of max. 10/sec Steady flow of max. 10/sec, but only 600/hour max. Bursts of up to 100/sec, but only 500/hour max.
  35. 35. 39 What will be the identifier? Per IP address? But what with NAT/proxy? Per user? But how do you limit anonymous users? Per session? But what when the user starts a new session for every request? Or what if there is no such thing as a session? Per browser? But everyone uses Chrome!
  36. 36. 40 What will be the identifier? Probably a combination! IP address (debatable) + User token (or “anonymous”) + Session token + Headers (user agent + accept-language + some cookie + ...)
  37. 37. 41 Decide on exceptions Do we rate limit all users? Do we have separate limits for certain users? Dynamic limiting Do we rate limit all IP addresses? What about ourselves? What about our monitoring tools? What about web crawlers? What about certain datacenter ranges? (https://github.com/client9/ipcat) “IP addresses that end web consumers should not be using"
  38. 38. 42 Responding to limits
  39. 39. 43 What when the user hits the limit? Do we just “black hole” and close the connection? Do you tell the user? API: status code 429 Too Many Requests Web: error page stating rate limit exceeded / captcha (StackOverflow)
  40. 40. 44 Try to always tell the user Format? Depends on Accept header (text/html vs. application/json) Tell them why they were throttled Can be a simple link to API documentation Tell them when to retry (e.g. GitHub does this even before rate limiting) Status: 200 OK X-RateLimit-Limit: 5000 X-RateLimit-Remaining: 4999 X-RateLimit-Reset: 1372700873
  41. 41. 45 Where do we limit?
  42. 42. 46 Rate limiting – where? MvcThrottle Runs as action filter Requests per timespan Per action, user, IP, ... (so knows about actions) Owin.Limits Runs as OWIN middleware Bandwidth, concurrent requests, ... No knowledge about application specifics Many, many others
  43. 43. 47 MvcThrottle Demo
  44. 44. 48 How far do we allow traffic before saying no? KNOWLEDGE ABOUT THE OPERATION RESOURCES SPENT
  45. 45. 49 How far do we allow traffic before saying no? KNOWLEDGE ABOUT THE OPERATION RESOURCES SPENT
  46. 46. 50 What options are there? In our application ActionFilter / Middleware / HttpModule / ... Easy to add custom logic, based on request details On the server Outside of our server Outside of our datacenter
  47. 47. 51 What options are there? In our application On the server IIS has dynamic IP restrictions, bit rate throttling, <limits /> Kestrel minimum speed throttle Found these less flexible in terms of configuraton... E.g. IIS dynamic IP restrictions returns 403 Forbidden, wth! Not a big fan, as these are usually HttpModules anyway (and thus hit our app) Outside of our server Outside of our datacenter
  48. 48. 52 What options are there? In our application On the server Outside of our server Reverse proxy (IIS Application Request Routing, NGinx, HAProxy, Squid, ...) Traffic does not even hit our application server, yay! Outside of our datacenter
  49. 49. 53 Rate limiting with NGinx Demo
  50. 50. 54 What options are there? In our application On the server Outside of our server Outside of our datacenter Azure API management, CloudFlare Filters traffic very early in the request, yay! Often also handle DDoS attacks Often more expensive
  51. 51. 55 Rate limiting with Azure API management Demo
  52. 52. 56 Monitor rate limiting
  53. 53. 57 Imagine... Your marketing team decided to bridge the physical world with the virtual: “Use our in-store wifi to join this online contest and win!”
  54. 54. 58 Imagine... Your marketing team decided to bridge the physical world with the virtual: “Use our in-store wifi to join this online contest and win!” What if... All those users are NAT-ed from the same IP And your rate limiting does not allow for 100 simultaneous users from an IP...
  55. 55. 59 Monitor your rate limiting! Monitor what is happening in your application Who are we rate limiting, when, why Allow for circuit breakers (“exceptional exceptions”) “This flood of requests is fine for now”
  56. 56. 60 Conclusion
  57. 57. 61 Conclusion Users are crazy! (typically unintended) We need rate limiting Decide on the resources to limit (tip: everything) Decide on a sensible limit (tip: measure) Come up with an identifier to limit on Decide on exceptions What when the user reaches a limit? Decide where in the request/response flow to limit Monitor your rate limiting
  58. 58. 62 Thank you! http://blog.maartenballiauw.be @maartenballiauw

×