Rate Limiting Explained: How It Works and Why It Matters

Rate Limiting Explained: How It Works and Why It Matters

Nishit Bariya's photo
Nishit Bariya
·

8 min read

Table of contents

In the modern web development landscape, managing traffic flow to your application is crucial. One key concept in this context is rate limiting. In this article, we'll explore what rate limiting is, why it's important, and delve into two popular techniques: Token Bucket Rate Limiting and Leaky Bucket Rate Limiting. We'll also include real-life examples and practical implementations in Express.js. Let's dive in.

What is Rate Limiting?

Rate limiting is a technique used to control the number of requests a client (a user or application) can make to a server within a specified time frame.

💡
Think of an API as a popular amusement park ride, and API requests as people wanting to go on the ride. The amusement park imposes a rate limit on how many people can get on the ride in a given time frame (e.g., riders per hour). If too many people try to get on the ride simultaneously, the park may restrict access to maintain safety and ensure a pleasant experience for everyone. Rate limiting in this context ensures that the ride operates smoothly and prevents potential issues due to excessive demand.

Why is Rate Limiting Important?

  1. Preventing Abuse: Rate limiting helps protect your application from being overwhelmed by too many requests, which could be a result of a denial-of-service (DoS) attack or just a poorly written client.

  2. Fair Usage: It ensures fair distribution of resources among users, preventing a single user from hogging all the resources.

  3. Cost Management: By controlling the rate of requests, you can manage server load and thus reduce operational costs.

  4. Enhanced Security: Rate limiting can mitigate brute-force attacks, adding an extra layer of security to your application.

  5. Improved Performance: It helps in maintaining optimal performance by preventing server overload, thus ensuring a smooth user experience.

Real-Life Example

Imagine you own a popular e-commerce website. During Black Friday sales, thousands of users might try to access your site simultaneously. Without rate limiting, your servers could be overwhelmed, leading to crashes or slow performance. Implementing rate limiting ensures that your server can handle the traffic gracefully by processing requests at a manageable rate.

Online banking systems use rate limiting to prevent fraudulent activities and ensure the integrity of transactions by limiting the number of login attempts or transaction requests.

Techniques of Rate Limiting

  1. Token Bucket Rate Limiting

What is the Token Bucket Algorithm?

The Token Bucket Algorithm is a simple yet effective technique used to control the rate at which requests are made to a system or server.

💡
Picture it as an actual bucket that gets filled with tokens over time. Each token represents permission to make one request. When a client wants to make an API request, it must possess a token from the bucket. If tokens are available, the request is granted, and a token is consumed. If the bucket is empty, the request is denied until more tokens are added over time.

Let’s break down how this algorithm works in a straightforward manner:

Step 1: Create a Bucket

Imagine you have a bucket with a fixed capacity, which we’ll call the “rate limit.” This bucket can hold a certain number of tokens. In our example, we’ll set a rate limit of 10 tokens.

Step 2: Refill the Bucket

The bucket isn’t static; it periodically gets refilled with tokens. This is a crucial aspect of the Token Bucket Algorithm. Tokens are added to the bucket at a fixed rate. For instance, in our code, the bucket gets refilled every 2 seconds.

Step 3: Incoming Requests

When a request comes in, we check if there are any tokens in the bucket.

Step 4: Consume Tokens

If there are tokens in the bucket, we consume one token from it. This means the request is allowed to proceed. We also keep track of when the token was consumed.

Step 5: Empty Bucket

If the bucket is empty (no tokens available), we reject the request. This helps in preventing overloading of the server or system, ensuring that it operates within its defined limits.

Implementation of Token Bucket Algorithm? in Express.js

Here's a simple implementation of the Token Bucket Algorithm using Express.js:

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

// Define rate limiting middleware using Token Bucket algorithm
const tokenBucketLimiter = rateLimit({
  windowMs: 1 * 60 * 1000, // 1 minute
  max: 100, // Limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again after a minute'
});

// Apply rate limiting middleware to all API routes
app.use('/api/', tokenBucketLimiter);

app.get('/api/data', (req, res) => {
  res.json({ message: 'This is your data' });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});

Explanation of the Code

  1. Importing Modules:

    • express: A web framework for Node.js.

    • rateLimit: A middleware for rate limiting in Express.js.

  2. Creating Express App:

    • const app = express();: Initializes an Express application.

  3. Defining Rate Limiting Middleware:

    • windowMs: 1 * 60 * 1000: Sets the time window to 1 minute.

    • max: 100: Limits each IP to 100 requests per windowMs.

    • message: 'Too many requests from this IP, please try again after a minute': Custom message returned when the rate limit is exceeded.

  4. Applying Middleware:

    • app.use('/api/', tokenBucketLimiter);: Applies the rate limiting middleware to all routes under /api/.

  5. Defining Routes:

    • app.get('/api/data', (req, res) => { res.json({ message: 'This is your data' }); });: Defines a simple GET route that returns a JSON response.

  6. Starting the Server:

    • app.listen(3000, () => { console.log('Server running on port 3000'); });: Starts the server on port 3000.

This implementation ensures that each IP address can make up to 100 requests per minute to the /api/ routes. If the limit is exceeded, the server responds with a message asking the user to try again later.

  1. Leaky Bucket Rate Limiting

The Leaky Bucket algorithm processes requests at a fixed rate, regardless of the incoming rate. It works as follows:

  • A bucket has a fixed capacity and leaks out requests at a constant rate.

  • Incoming requests are added to the bucket.

  • If the bucket overflows, incoming requests are discarded or delayed.

💡
The figuer illustrates the Leaky Bucket Rate Limiting algorithm, where incoming requests are collected in a bucket. Each request consumes a token from the bucket, which is refilled at a steady rate. The decision point checks if there are enough tokens for the request; if yes, the request proceeds to the server for processing. If no, the request is dropped or rejected. This method ensures that the server is not overwhelmed by controlling the rate of incoming requests, allowing only a manageable number to be processed at a time.

Implementation of Leaky Bucket Algorithm in Express.js

Here's a simple implementation of Leaky Bucket Rate Limiting in an Express.js application:

const express = require('express');
const app = express();

const BUCKET_CAPACITY = 100; // Maximum number of requests the bucket can hold
const LEAK_RATE = 1; // Number of requests processed per second
let currentBucketSize = 0; // Current number of requests in the bucket
let lastLeakTime = Date.now(); // Last time the bucket leaked

// Middleware to handle rate limiting
const leakyBucketLimiter = (req, res, next) => {
  const currentTime = Date.now();
  const timeElapsed = (currentTime - lastLeakTime) / 1000; // Time elapsed in seconds

  // Calculate how many requests have leaked out
  const leakedRequests = Math.floor(timeElapsed * LEAK_RATE);
  currentBucketSize = Math.max(0, currentBucketSize - leakedRequests);
  lastLeakTime = currentTime;

  if (currentBucketSize < BUCKET_CAPACITY) {
    currentBucketSize++;
    next();
  } else {
    res.status(429).json({ message: 'Too many requests, please try again later.' });
  }
};

// Apply rate limiting middleware to all API routes
app.use('/api/', leakyBucketLimiter);

app.get('/api/data', (req, res) => {
  res.json({ message: 'This is your data' });
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});

Explanation of the Code

  1. Importing Modules:

    • express: A web framework for Node.js.

  2. Defining Constants:

    • BUCKET_CAPACITY: Maximum number of requests the bucket can hold.

    • LEAK_RATE: Number of requests processed per second.

    • currentBucketSize: Current number of requests in the bucket.

    • lastLeakTime: Last time the bucket leaked.

  3. Middleware Function:

    • leakyBucketLimiter: Middleware function to handle rate limiting.

    • Calculates the time elapsed since the last leak.

    • Determines how many requests have leaked out based on the elapsed time and leak rate.

    • Updates the current bucket size.

    • If the bucket is not full, increments the bucket size and allows the request to proceed.

    • If the bucket is full, responds with a 429 status code indicating too many requests.

  4. Applying Middleware:

    • app.use('/api/', leakyBucketLimiter);: Applies the rate limiting middleware to all routes under /api/.

  5. Defining Routes:

    • app.get('/api/data', (req, res) => { res.json({ message: 'This is your data' }); });: Defines a simple GET route that returns a JSON response.

Starting the Server:

  • app.listen(3000, () => { console.log('Server running on port 3000'); });: Starts the server on port 3000.

Potential Pitfalls and Common Mistakes

  1. Incorrect Configuration: Ensure that the rate limits are appropriately configured to match the server's capacity and the expected traffic.

  2. Lack of Monitoring: Regularly monitor the effectiveness of your rate-limiting implementation to adjust thresholds and detect anomalies.

  3. Ignoring Client-Side Impact: Be mindful of how rate limiting affects the user experience, and provide clear messaging when limits are exceeded.

Conclusion

In this article, you have learned the significance of rate limiting in web development, and its role in preventing abuse, ensuring fair usage, managing costs, enhancing security, and improving performance. You have also gained insights into two popular rate-limiting techniques: Token Bucket and Leaky Bucket, along with practical implementations in Express.js. Understanding and implementing these techniques can help you manage traffic flow, maintain server health, and provide a better user experience in your applications.

Thank you for reading my article! If you find it helpful or interesting, please consider sharing it with your developer friends. For more content like this, don't forget to follow me on HashNode.

If you're interested in learning more about Rate Limit and other web development topics, consider subscribing to my blog or newsletter. You'll receive updates whenever I publish new articles.

I'd love to hear about your experiences with Rate Limit. Feel free to share your thoughts or any interesting use cases in the comments section below.

Connect with me on Twitter Github Linkedin

Thank you for Reading :)

Web DevelopmentAPIsratelimitExpressNode.jsbackend developmentsSoftware Engineeringsoftware developmentnodeJS Developernode