Many applications that use REST APIs use rate-limiting for safety against overloaded servers and Dos attacks. Other APIs implement soft limits that may allow the user to extend the limit for a short while. Some execute a hardline approach immediately, sending an HTTP 429 error or timing out, which means that the user needs to use a new query.
There are various ways in which you can rate limit your API. Check them out below: Request queues
Every programming language has its demands for request queue libraries which means that your work as a developer is simplified. You can even find queue library directories and search for pre-written codes. There are very many request queues out there awaiting use. For example, one of them enforces the rate limit at two requests per second and sends the rest to a request queue. Let us look at some of them:
- Amazon simple queue service- this is a ready-made request queue library that facilitates requests and messaging queues. The good thing with this request queue is that it is maintained regularly, so you do not have to constantly debug your software or hardware to make it work efficiently.
- Android volley- this is a common request queue library for android developers but not all android libraries can use it. So, be sure to look at your specific android library's documentation to determine if it is compatible with a volley.
Throttling is one of the ways you can enforce API rate limiting. It allows you to monitor how your API is being used by establishing a temporary state which enables the API to assess every request. Whenever the API is throttled, the user may have to cope with low bandwidth or be disconnected altogether. Throttling is a common way of rate-limiting APIs possible at the user level or application. As such, there are numerous ready-made commercial products in the market for developers. Rate limiting algorithms
You can use algorithms as a way to implement an easily scalable rate-limited API. Just like request queue libraries and throttling services, there are multiple rate-limiting algorithms available in the market. Let us look at some of them.
Dedicated API rate limiting tools
- Leaky bucket- this translates requests in a first-in, first-out (FIFO) format to process the items on the queue at a regular rate. As such, it is easy to enforce on a single server or load balancer and reduces the issue of high traffic. With a limited queue size, it is small and memory efficient.
- Fixed window- these algorithms use a fixed rate to monitor the rate of requests using an incremental counter. The developer defines the window for a specific number of seconds at a set time, for example, 3600 per hour. In this case, whenever the incremental counter exceeds the maximum limit for the specified period, it discards the additional requests. You can use fixed window algorithms if you do not want your API to be overwhelmed with old requests. Still, it could be overloaded when using this method. That is because if a series of requests are made when the window refreshes, your API can still be stampeded.
- Sliding log- this algorithm uses a time-stamped log to track every request. Whenever a new request enters, the sum of the logs is calculated to identify the request rate. If the request surpasses the limit threshold, they are queued. Again, log with time-stamps that also reach the rate limit are discarded. Unlike fixed windows, sliding log algorithms do not encounter stampeding issues. Its downside is that it may not be the most suitable option to prevent DoS attacks, overload, or implement a scalable API.
- Sliding window- this type of algorithm blends the best of sliding log and fixed window algorithms. It uses a cumulative counter for a specific set time, just like the fixed window algorithm. It also evaluates the previous window to reduce outbursts of traffic. The sliding window only requires a small number of data points to assess each request making it the most suitable option for processing massive amounts of requests while running fast and smoothly.
Sometimes we got applications without built-in API rate limiting checks, controls and policies and need some workaround. There are several kinds of tools that can be API rate limiting policies enforcers:
- CDN - consider using a content delivery network serving as a proxy to manage access to your APIs. An example of such is CloudFlare.
- API Gateways - you can also use API Gateways (like Kong) to set API quotas and enforce rate-limiting policies.
- Anti-DDoS services (L7 layer) - some anti-DDoS providers tackle API-based DDoS pretty well. An example of such is QRator.
- Reverse proxies and application gateways - if you already use NGINX you can use it to enforce your API controls as well.