DEV Community

Rodney Otieno
Rodney Otieno

Posted on • Edited on

How to Stop DDoS Attacks in in Go with Rate Limiting

Rate limiting is one of the most effective techniques to mitigate DDoS attacks. Among its variations, per-IP rate limiting stands out for its targeted approach: it enforces request limits individually for each client, based on their IP address. This prevents any single user from overwhelming the server while maintaining a fair level of access for legitimate users.

In this article, we’ll cover how per-IP rate limiting works, why it is one of the best strategies to stop DDoS attacks, and how to implement it in Go using the rate package.

Why Rate Limiting

Rate limiting is widely used because it balances security and usability. Here’s why it’s a preferred approach:

  1. Efficient Resource Management: By limiting the number of requests from each client, servers can avoid being overwhelmed, even during an attack.
  2. Fairness: Legitimate users can continue to access the server while malicious clients are throttled.
  3. Customizable: Rate limits can be adjusted based on use cases, such as different limits for public APIs versus private services.
  4. Scalability: Rate limiting mechanisms scale well with modern infrastructure, especially when combined with load balancers or reverse proxies.

How it Compares to Other Techniques

  1. Firewall Rules: Block traffic at the network level based on predefined rules. While effective for large-scale filtering, it’s less flexible and can block legitimate users during false positives.
  2. Content Delivery Networks (CDNs): Distribute traffic across multiple servers. While great for reducing the impact of DDoS, CDNs don’t address abusive traffic at the application level.
  3. Proof of Work (PoW): Requires clients to solve computational puzzles before accessing the server. Effective but adds latency for legitimate users and can be resource-intensive for clients.
  4. Rate Limiting: Offers fine-grained control, scales well, and doesn’t add significant overhead. It’s often the best choice for protecting application-level endpoints.

Implementation

In per-IP rate limiting, a separate limiter is maintained for each client IP. Here’s how to implement it using the golang.org/x/time/rate package.

Step 1: Install the Required Package

The rate package is part of Go’s extended modules. Install it with:

go get golang.org/x/time/rate
Enter fullscreen mode Exit fullscreen mode

Step 2: Code the Per-IP Rate Limiter

package main

import (
    "fmt"
    "net/http"
    "sync"
    "time"

    "golang.org/x/time/rate"
)

var (
    mu       sync.Mutex
    visitors = make(map[string]*rate.Limiter)
)

// getVisitor retrieves the rate limiter for a given IP, creating one if it doesn't exist.
func getVisitor(ip string) *rate.Limiter {
    mu.Lock()
    defer mu.Unlock()

    limiter, exists := visitors[ip]
    if !exists {
        limiter = rate.NewLimiter(1, 5) // 1 request/second, burst of 5
        visitors[ip] = limiter

        // Clean up limiter after 1 minute of inactivity
        go func() {
            time.Sleep(1 * time.Minute)
            mu.Lock()
            delete(visitors, ip)
            mu.Unlock()
        }()
    }
    return limiter
}

// rateLimitedHandler applies the per-IP rate limit
func rateLimitedHandler(w http.ResponseWriter, r *http.Request) {
    ip := r.RemoteAddr
    limiter := getVisitor(ip)

    if !limiter.Allow() {
        http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
        return
    }
    fmt.Fprintln(w, "Request successful.")
}

func main() {
    http.HandleFunc("/", rateLimitedHandler)
    fmt.Println("Starting server on :8080")
    http.ListenAndServe(":8080", nil)
}

Enter fullscreen mode Exit fullscreen mode

Explanation

  1. Visitors Map: Maintains a rate.Limiter for each IP address. The visitors map holds these limiters, keyed by IP addresses (r.RemoteAddr). When a request comes in, the getVisitor function checks if a limiter already exists for the IP.
  2. Limiter Creation: Each limiter allows 1 request per second with a burst of 5. A a new limiter is created with specific rules (1 request per second with a burst capacity of 5) if one doesn’t exist. The limiter allows some initial burst of requests but enforces a steady rate thereafter.
  3. Automatic Cleanup: A goroutine cleans up idle limiters after 1 minute to save memory.To prevent memory growth, the code includes a cleanup mechanism. A goroutine is started whenever a new limiter is created, and it waits for 1 minute of inactivity before removing the corresponding entry from the visitors map. This ensures that limiters are only kept for active clients.
  4. Rate Limiting Logic: The handler checks if the limiter allows the request. If the request exceeds the defined limit, it responds with a 429 Too Many Requests error; otherwise, it processes the request.

Per-IP rate limiting in Go is an excellent way to mitigate DDoS attacks at the application level. It provides precise control over traffic, ensuring that legitimate users can access your service while malicious users are effectively throttled.

This approach efficiently throttles abusive IPs without impacting legitimate users, offering a scalable and memory-efficient solution for mitigating DDoS attacks.

Top comments (1)

Collapse
 
golangch profile image
Stefan Wuthrich

Just to mention, a DDoS attack does not always mean that a backend system is attacked on the application level but is flooded with traffic (bandwidth), and this can not be defended this way but needs mitigation on the network level