DEV Community

Cover image for Rate Limiter in System Design - Part 1: Concepts and Applications
Le Xuan Kha (Leo)
Le Xuan Kha (Leo)

Posted on • Edited on

Rate Limiter in System Design - Part 1: Concepts and Applications

What is Rate Limiter

In the simplest terms, a Rate Limiter restricts the number of access requests to a resource on a system from an agent (such as a user, browser, or another server) within a specific time frame.

Based on several rate limiting techniques, when a violation or a defined threshold is reached, those requests will be blocked from accessing the system.

The three key elements emphasized here are: quantity, agent, and time, which are also the core concepts of a Rate Limiter. These elements will be the focus of today's article.

Rate Limiters in Practical Examples

Surely, you may have encountered or witnessed one of the following situations:

  • "The PIN for the card has been entered incorrectly more than 5 times. Please contact the bank to unlock the card."

  • In some applications, when you enter the wrong password multiple times, you receive a notification similar to: "The number of requests exceeds the allowed limit".

  • Typically, IP addresses from somewhere are easily blocked by foreign e-commerce websites due to previous attacks.

  • When you request an OTP (One-Time Password) too many times within a minute, you have to wait until the designated time has passed before requesting a new OTP message.

These are examples of practical situations where rate limiters or similar mechanisms are implemented to control and manage access, ensure security, and prevent abuse or unauthorized usage.

Image description

If you pay close attention, you will notice that examples 1 and 2 are related to the quantity factor, example 3 addresses the agent factor, and finally, we have the time factor. These are indeed the core elements of a Rate Limiter, and a proper Rate Limiter typically combines all three of these factors together.

Why do we need Rate Limiters?

While the necessity of Rate Limiters depends on the specific system, in small to medium-scale environments, it may not be as critical for certain tasks. However, as systems grow larger in scale, it becomes increasingly important to consider and prioritize Rate Limiters. Here are some reasons why:

Security: One of the primary reasons to implement Rate Limiters is to enhance security. They help mitigate various types of attacks, including Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. Rate Limiters can also protect against brute force attacks, credential stuffing attacks, web scraping, and other malicious activities.

Resource Balancing: Rate Limiters ensure that server resources are not overloaded and that resources are allocated fairly and reasonably to each user on the system. By controlling the rate of access, Rate Limiters help prevent resource exhaustion and ensure a smooth and efficient operation of the system.

Cost Savings: Having controlled access to resources can contribute to minimizing the overall system costs. By preventing excessive usage and optimizing resource allocation, Rate Limiters can help reduce infrastructure expenses and mitigate the need for additional resources due to uncontrolled growth.

In summary, Rate Limiters are crucial for larger-scale systems as they play a significant role in maintaining security, balancing resource utilization, and optimizing costs.

Some commonly used algorithms in Rate Limiters include:

Leaky Bucket: The Leaky Bucket algorithm regulates the rate of requests by imagining a bucket that can hold a certain number of tokens. Tokens are added to the bucket at a fixed rate, and each request consumes a token. If the bucket is full and a request arrives, it is considered to be overflowing and can be limited or discarded.

Fixed Window Counter: This algorithm counts the number of requests within a fixed time window. If the count exceeds a predefined threshold, subsequent requests can be limited or blocked until the next window starts.

Sliding Window Log: The Sliding Window Log algorithm maintains a log of request timestamps within a sliding time window. It calculates the number of requests within the window and compares it against a defined limit. If the limit is exceeded, requests can be limited or rejected.

Sliding Window Counter: Similar to the Fixed Window Counter, this algorithm counts the number of requests within a sliding time window. However, it allows more flexibility by continuously sliding the window instead of using fixed time intervals.

In Part 2 of the article, I will provide detailed explanations of these algorithms. Stay tuned!

Thank you all for reading the article.

Top comments (0)