undefined | Better HN

0 pointsafarah111mo ago0 comments

Honest question, why is rate limiting insufficient?

Can be done in two lines in nginx which is not just a common web server but also used as an API gateway or proxy.

You can rate limit by IP pretty aggressively without affecting human traffic.

0 comments

One /24 of IP’s hammering on your website at a rate limited 2 rps is still a combined 500/s. I’m not sure many sites can sustain that.

evantbyrne11mo ago

For a public website? Well if you don't have thousands of pages, then the solution would be as simple as installing Varnish, which is good practice anyways. If you actually have enough unique paths for an unauthenticated botnet to saturate, well that's a bit more complicated.

Aeolun11mo ago

Many sites hosted on Vercel, I suppose. If sites are hosted on nginx/varnish I’d be surprised if they didn’t do an order of magnitude more.

1 more reply

ndriscoll11mo ago

If you're using nginx as a proxy like the above commenter suggested, then if you're serving static/cached pages (should be able to for most public pages?), it can do over 10k RPS even on my n100 minipc (the limit there is actually the 1 Gbit NIC).

j / k navigate · click thread line to collapse

0 pointsafarah111mo ago0 comments

Honest question, why is rate limiting insufficient?

Can be done in two lines in nginx which is not just a common web server but also used as an API gateway or proxy.

You can rate limit by IP pretty aggressively without affecting human traffic.

0 comments

Aeolun11mo ago

One /24 of IP’s hammering on your website at a rate limited 2 rps is still a combined 500/s. I’m not sure many sites can sustain that.

evantbyrne11mo ago

Aeolun11mo ago

Many sites hosted on Vercel, I suppose. If sites are hosted on nginx/varnish I’d be surprised if they didn’t do an order of magnitude more.

1 more reply

ndriscoll11mo ago

j / k navigate · click thread line to collapse