A Rate Limiter controls how many requests a client or IP address may make within a given time window. It is vital for protecting APIs from abuse and denial-of-service (DoS) attacks.
1. Popular Algorithms
- Token Bucket: A bucket holds at most N tokens, refilled at rate R. Each request consumes one token and is rejected when the bucket is empty. Allows short bursts up to N.
- Leaky Bucket: Requests enter a queue and are processed at a fixed rate; requests that arrive when the queue is full are dropped. Smooths out bursty traffic.
- Sliding Window Log: Store a timestamp for each request in a Redis Sorted Set and count the entries inside the current window. High precision, but memory-expensive at high request rates.
- Sliding Window Counter: A hybrid that takes a weighted average of the previous and current window counters. Offers the best balance of memory use and accuracy.
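The Token Bucket above can be sketched in a few lines. This is a minimal single-process illustration (class and parameter names are mine, not a standard API); a production limiter would add locking and per-client buckets:

```python
import time

class TokenBucket:
    """Minimal in-process token bucket: capacity N, refill rate R tokens/sec."""

    def __init__(self, capacity: float, rate: float):
        self.capacity = capacity       # N: maximum burst size
        self.rate = rate               # R: tokens added per second
        self.tokens = capacity         # start with a full bucket
        self.last = time.monotonic()

    def allow(self) -> bool:
        now = time.monotonic()
        # Refill lazily based on elapsed time, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

bucket = TokenBucket(capacity=3, rate=1.0)
results = [bucket.allow() for _ in range(5)]  # burst of 5 against capacity 3
print(results)  # [True, True, True, False, False]
```

Note the burst behavior: the first N requests pass immediately, after which the client is throttled to the steady refill rate R.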
2. Distributed Rate Limiting
With multiple app servers, each node sees only a fraction of the traffic, so you need a shared store (typically Redis) to track counters globally.
Race Conditions: Run the "Read-Modify-Write" counter update as a Redis Lua script so it executes atomically on the server; separate GET and SET calls from different app servers can interleave and under-count.
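As a sketch, a fixed-window counter can be made atomic by folding the increment, expiry, and limit check into one Lua script (the key layout and limit values here are illustrative; with redis-py the script would be loaded via `Redis.register_script`). The pure-Python function below mirrors the script's logic as a single-threaded stand-in, since no Redis server is assumed here:

```python
# Illustrative Lua script: increment the window counter, set its TTL on first
# use, and compare against the limit -- all in one atomic server-side step.
RATE_LIMIT_LUA = """
local current = redis.call('INCR', KEYS[1])
if current == 1 then
    redis.call('EXPIRE', KEYS[1], ARGV[1])
end
if current > tonumber(ARGV[2]) then
    return 0
end
return 1
"""

def fixed_window_allow(store: dict, key: str, limit: int) -> bool:
    """Pure-Python mirror of the script's read-modify-write logic."""
    store[key] = store.get(key, 0) + 1   # INCR
    return store[key] <= limit           # limit check

counters = {}
decisions = [fixed_window_allow(counters, "ip:10.0.0.1", 3) for _ in range(5)]
print(decisions)  # [True, True, True, False, False]
```

Because Redis executes a Lua script without interleaving other commands, no client can observe the counter between the INCR and the limit check.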
3. Performance Optimization
Rate-limiting middleware should sit at the API Gateway level, in front of the application servers. For extremely hot API keys, use local caching with periodic sync to Redis to reduce network overhead, at the cost of slightly looser enforcement between syncs.
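One way to sketch the local-caching idea: buffer increments per key in process memory and flush them to the shared store in batches, trading one network round trip per batch for one per request. The class and parameter names are illustrative, and a plain dict stands in for Redis:

```python
class BatchedCounter:
    """Sketch of local caching with periodic sync: buffer hits per key and
    flush to the shared store (a dict standing in for Redis) every `batch` hits."""

    def __init__(self, shared: dict, batch: int = 10):
        self.shared = shared   # global counters (Redis in a real deployment)
        self.batch = batch     # flush threshold
        self.local = {}        # per-process buffered increments

    def hit(self, key: str) -> None:
        self.local[key] = self.local.get(key, 0) + 1
        if self.local[key] >= self.batch:
            # One "network" write per `batch` requests instead of per request.
            self.shared[key] = self.shared.get(key, 0) + self.local.pop(key)

shared = {}
limiter = BatchedCounter(shared, batch=10)
for _ in range(25):
    limiter.hit("key:hot")
print(shared["key:hot"], limiter.local["key:hot"])  # 20 5
```

The trade-off is visible in the output: 5 hits are still sitting in the local buffer, so the global count briefly lags reality. A time-based flush (e.g. every few hundred milliseconds) alongside the count threshold bounds that staleness.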