Throughput rate limitation

from Wikipedia, the free encyclopedia

A throughput rate limit, usually referred to as a throughput limit for short, is a stability pattern. It is used in computer networks to limit the network traffic at certain interfaces. It is used in particular to protect a network from DoS attacks.

Hardware implementations

Hardware implementations can limit the throughput in OSI layers 4 and 5.

Transport layer

Using the ECN protocol, the throughput rate can be controlled by the network scheduler and router at the transport layer.

Solutions that are based on the transport layer are very high-performance, but can only be used to a limited extent. If, for example, a large number of customers of an Internet provider are masked by NAT behind a single IP address, this can lead to unwanted blocking of the address.

Session layer

Deep Packet Inspection (DPI) can be used to limit throughput using hardware at the session layer. However, DPI undermines the TLS and SSL encryption between the hardware implementation and the web server.

Web server

Web servers typically use an in-memory key-value database such as Redis or Aerospike to store the sessions. A throughput limitation algorithm implemented in the server or the web application checks whether a session has to be limited. Here the limitation is applied at the session layer.

If too many requests are made within a time unit, an HTTP web server responds with the HTTP status code 429.
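The following is an added example, not part of the original article: a per-session check of the kind described above, with a Python dict standing in for the Redis or Aerospike store. The token bucket algorithm, the class and parameter names, and the Retry-After header are assumptions, since the article does not name them. Because the limit is keyed on the session rather than on the IP address, two sessions behind one NAT address are limited independently.

```python
import math
import time
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float   # requests the session may still make right now
    updated: float  # clock value at the last refill

class SessionRateLimiter:
    """Token bucket per session ID; a dict stands in for Redis/Aerospike."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = rate    # tokens refilled per second (assumed parameter)
        self.burst = burst  # bucket capacity (assumed parameter)
        self.clock = clock  # injectable so the demo needs no sleeping
        self.store = {}     # session_id -> Bucket; a real store would expire idle keys

    def check(self, session_id):
        """Return (status, headers): 200 if allowed, 429 plus Retry-After if limited."""
        now = self.clock()
        bucket = self.store.setdefault(session_id, Bucket(float(self.burst), now))
        # Refill in proportion to the elapsed time, never above capacity.
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.updated) * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return 200, {}
        wait = (1.0 - bucket.tokens) / self.rate  # seconds until one token exists
        return 429, {"Retry-After": str(math.ceil(wait))}

def demo():
    """Constructed traffic: two sessions that share one NAT address."""
    t = [0.0]
    limiter = SessionRateLimiter(rate=1.0, burst=3, clock=lambda: t[0])
    a = [limiter.check("session-A")[0] for _ in range(5)]  # burst from one client
    b = limiter.check("session-B")[0]                      # neighbour behind the same IP
    t[0] += 2.0                                            # two seconds pass
    later = limiter.check("session-A")[0]
    return a, b, later

if __name__ == "__main__":
    print(demo())
```

With a shared store, the read, refill and write in `check` would have to run atomically so that concurrent requests for one session cannot each spend the same token.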

See also

Algorithms
Program libraries
