Approaches for application request throttling. Maarten

Similar documents
Rate-Limiting at Scale. SANS AppSec Las Vegas 2012 Nick

Developing ASP.NET MVC Web Applications (486)

Don t Tread on Me: Moderating Access to OSN Data with SpikeStrip

THE FLEXIBLE DATA-STRUCTURE SERVER THAT COULD.

Persistence & State. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Persistence. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Business Logic Attacks BATs and BLBs

Web Sockets and SignalR Building the Real Time Web

70-486: Developing ASP.NET MVC Web Applications

Leaving the State: Sessionless (Stateless) Authentication in D8 with Whole Foods Market. BADCamp 2017

EasyCrypt passes an independent security audit

How to perform the DDoS Testing of Web Applications

SOAP to Amazon MWS Migration Guide Contents

Lecture 9a: Sessions and Cookies

Starting the Avalanche:

TCP Tuning for the Web

The Z-Files: Field reports from the world of business critical PHP applications

Scalability, Performance & Caching

Scalability, Performance & Caching

Improve Web Application Performance with Zend Platform

Computer Networks. Wenzhong Li. Nanjing University

Distributed Architectures & Microservices. CS 475, Spring 2018 Concurrent & Distributed Systems

Developing Microsoft Azure Solutions (70-532) Syllabus

CSCE 463/612 Networks and Distributed Processing Spring 2018

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Caching-In for SharePoint Performance. Sean McDonough Product Manager, SharePoint Products Idera

Developing Microsoft Azure Solutions (70-532) Syllabus

70-487: Developing Windows Azure and Web Services

Enabling Performance & Stress Test throughout the Application Lifecycle

LUCITY REST API INTRODUCTION AND CORE CONCEPTS

HTTP Security Headers Explained

Life as a Service. Scalability and Other Aspects. Dino Esposito JetBrains ARCHITECT, TRAINER AND CONSULTANT

Rate Limit per Subscription (per API): Individual rate and count settings are applied (as per service level).

Using WebGallery, WebDeploy and some IIS Extensions

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

FAST, FLEXIBLE, RELIABLE SEAMLESSLY ROUTING AND SECURING BILLIONS OF REQUESTS PER MONTH

Yioop Full Historical Indexing In Cache Navigation. Akshat Kukreti

Information Retrieval Spring Web retrieval

FLAT DATACENTER STORAGE. Paper-3 Presenter-Pratik Bhatt fx6568

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

Only applies where the starting URL specifies a starting location other than the root folder. For example:

Scaling DreamFactory

Vlad Vinogradsky

Checklist for Testing of Web Application

Web scraping and social media scraping introduction

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6

Improve WordPress performance with caching and deferred execution of code. Danilo Ercoli Software Engineer

Think Small to Scale Big

Tolerance Documentation

68% 63% 50% 25% 24% 20% 17% Credit Theft. DDoS. Web Fraud. Cross-site Scripting. SQL Injection. Clickjack. Cross-site Request Forgery.

Best Practices for Integrating with ebay RESTful APIs

Developing ASP.NET MVC 5 Web Applications. Course Outline

Grapevine web hosting user manual. 12 August 2005

CS47300: Web Information Search and Management

PHP Composer 9 Benefits of Using a Binary Repository Manager

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

Building mobile app using Cordova and AngularJS, common practices. Goran Kopevski

MySQL Performance Optimization and Troubleshooting with PMM. Peter Zaitsev, CEO, Percona

Large-Scale Web Applications

Sessions. Mendel Rosenblum. CS142 Lecture Notes - Sessions

Caching-In for SharePoint Performance. Sean McDonough Product Manager, SharePoint Products Idera

Lecture Outline. Bag of Tricks

Questions answered in this lecture: CS 537 Lecture 19 Threads and Cooperation. What s in a process? Organizing a Process

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.

Simple AngularJS thanks to Best Practices

Lecture 12. Application Layer. Application Layer 1

Making Session Stores More Intelligent KYLE J. DAVIS TECHNICAL MARKETING MANAGER REDIS LABS

Screw You and the Script You Rode in On

Web, HTTP and Web Caching

Performance Case Study

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

Bullet Cache. Balancing speed and usability in a cache server. Ivan Voras

Big Data Analytics CSCI 4030

Send document feedack to

Cloudflare Advanced DDoS Protection

Browser behavior can be quite complex, using more HTTP features than the basic exchange, this trace will show us how much gets transferred.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

The Lion of storage systems

Developing Web Applications with Geocoding and Routing Services Using ArcGIS Online. Deelesh Mandloi Dmitry Kudinov Brad Niemand

CS105 Perl: Perl CGI. Nathan Clement 24 Feb 2014

20486 Developing ASP.NET MVC 5 Web Applications


Getting notified by the Microsoft Graph with Webhooks. Elio Struyf U2U MVP September 9th, 2017

20486: Developing ASP.NET MVC 4 Web Applications

Lightstreamer. The Streaming-Ajax Revolution. Product Insight

The Application Layer HTTP and FTP

Rocking with Racket. Marc Burns Beatlight Inc

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

Beta Mobile app Testing guidelines

Developing ASP.Net MVC 4 Web Application

Understanding Perimeter Security

DATABASE SYSTEMS. Database programming in a web environment. Database System Course,

Web Robots Platform. Web Robots Chrome Extension. Web Robots Portal. Web Robots Cloud

Backend Development. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Open-Xchange App Suite Minor Release v Feature Overview V1.0

N different strategies to automate OWASP ZAP

COURSE 20486B: DEVELOPING ASP.NET MVC 4 WEB APPLICATIONS

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

IBM Security QRadar Deployment Intelligence app IBM

Transcription:

Approaches for application request throttling Maarten Balliauw @maartenballiauw 1

Who am I? Maarten Balliauw Antwerp, Belgium Developer Advocate, JetBrains Founder, MyGet AZUG Focus on web ASP.NET MVC, Azure, SignalR,... Former MVP Azure & ASPInsider Big passion: Azure http://blog.maartenballiauw.be @maartenballiauw 3

Agenda Users and traffic patterns Rate limiting and considerations Which resources? Which limits? Who to limit? Who not to limit? What when a limit is reached? Where to limit? 4

Users... 5

MyGet Hosted private package repository www.myget.org NuGet, NPM, Bower, Maven, VSIX, PHP Composer, Symbols,... HTTP-based Web UI for managing things API for various package managers PUT/POST Upload package DELETE Delete package via API GET Fetch metadata or binary 6

We re using background workers Example: package upload PUT/POST binary and metadata to front-end PackageAddedEvent on queue with many handlers handled on back-end ProcessSymbols UpdateLatestVersion Indexing... 7

What could possibly go wrong... Too many uploads incoming! Front-end IIS server needs workers to read the incoming network stream Application logic has to check credentials, subscription, quota Back-end Delays in queue processing (luckily workers can process at their own pace) Too many uploads that are too slow! Front-end IIS server needs lots of workers to slowly copy from the network stream Workers == threads == memory == synchronization == not a happy place 8

What could possibly go wrong... Too many downloads! Application logic has to check credentials, subscription, quota 404 s still need that application logic... Package managers are crazy! Total # requests Total # 404 s % 404 s # of packages in solution 200 800 600 # on NuGet.org 190 200 10 5% # on MyGet feed 1 5 200 195 97,5% # on MyGet feed 2 4 200 196 98% # on company-internal TeamCity 1 200 199 99,5% 9

Other examples Web UI requests Trying to register spam accounts Trying to brute-force login/password reset Trying to validate credit card numbers via a form on your site Robots / Crawlers Imagine a spider adding 20k items to a shopping cart For us, usually fine (e.g. Googlebot by default up to 5 req/sec) Limiting is easy with rel= nofollow and robots.txt crawl-delay 12

Recent, real-life example 13

Rate limiting! (or throttling ) 14

Rate limiting what? Limits # of requests in a given timeframe Or limits bandwidth, or another resource up to you Helps eliminate: Unexpected traffic patterns Unwanted traffic patterns (e.g. script kiddie brute-force login) Potentiallly damaging traffic patterns (accidental and malicious) 15

Rate limit everything. - Maarten Balliauw 16

Rate limiting everything??? Everything that could slow down or break your application Typically everything that depends on a scarce or external resource CPU Memory Disk I/O Database External API So yes, everything... 17

Let s do this! Database with table Events UserIdentifier who do we limit ActionIdentifier what do we limit When event timestamp so we can apply a query Filter attribute SELECT COUNT(*) FROM Events WHERE UserIdentifier = <user> AND ActionIdentifier = <action> AND When >= NOW() X INSERT INTO Events (<user>, <action>, NOW()) DELETE FROM Events WHERE UserIdentifier = <user> AND ActionIdentifier = <action> AND When < NOW() X 18

Let s do this! demo 19

Rate measuring 20

That database was a bad idea! Very flexible in defining various limits or doing combinations Very flexible in changing limits, e.g. changing the time period The database will suffer at scale... Every request is at least 2 3 queries Constant index churn We need to manually run DELETE to remove old events Database size! 21

That database was a bad idea! We created a denial of service opportunity! SELECT, INSERT, DELETE for every request Consider a simpler technique to limit # of operations Ideally just a simple counter Buckets 22

Quantized buckets Create buckets per <identifier> and <timespan> Use incr <bucket> on Redis and get back the current count per <timespan> public string GetBucketName(string operation, TimeSpan timespan) { var bucket = Math.Floor( DateTime.UtcNow.Ticks / timespan.totalmilliseconds / 10000); } return $"{operation}_{bucket}"; Console.WriteLine(GetBucketName("someaction", TimeSpan.FromMinutes(10))); // someaction_106062120 <-- this will be the key for +/- 10 minutes 24

Quantized buckets Super easy and super cheap (atomic write and read on Redis, auto-expire LRU) Not accurate... (but that may be ok) (n-1)x2 / 10 sec Theoretically: max. 6 / 10 sec 25

Leaky bucket Imagine a bucket where water is poured in at the top and leaks from the bottom. If the rate at which water is poured in exceeds the rate at which it leaks, the bucket overflows. Widely used in telecommunications to deal with bandwidth/bursts. 26

Bucket algorithms demo 27

Bucket approaches QUANTIZED BUCKET Create buckets per <identifier>_<timespan> No rolling window (new bucket every <timespan>) Simple key/value store is sufficient, 1 atomic read+write Old keys can auto-expire (unlike our DB approach) LEAKY BUCKET Get <delta> tokens, with maximum <count> per <timespan> Rolling window, smooths traffic, allows bursts when bucket has capacity Need to store # tokens, last refill, concurrency needs to be taken into account Or use a FIFO queue of timestamps (works great with Redis sorted set) 28

Redis sorted set as a bucket Demo 29

Cool! That s it, right? 30

Deciding on limits 31

Things to decide on Decide on the resources to limit Decide on a sensible limit Come up with an identifier to limit on Decide on exceptions to the rule 32

Which resources to limit?... 33

Rate limit everything. - Maarten Balliauw 34

What are sensible limits? Approach 1 1. Figure out current # of requests for a certain resource 2. Set limits 3. Get angry phone calls from customers Approach 2 1. Figure out current # of requests for a certain resource 2. Set limits, but only log when a request would be limited 3. Analyze logs, set new limits,... 4. Start rate limiting 5. Keep measuring 35

Will you allow bursts or not? Laddering! Different buckets per identifier and resource... 10 requests per second can be 36000 requests per hour. But 10 requests per second could also be 1000 requests per hour. Bucket Operation A Operation B Operation C Per second 10 10 100 Per minute 60 60 500 Per hour 3600 600 500... Steady flow of max. 10/sec Steady flow of max. 10/sec, but only 600/hour max. Bursts of up to 100/sec, but only 500/hour max. 36

What will be the identifier? Per IP address? But what with NAT/proxy? Per user? But how do you limit anonymous users? Per session? But what when the user starts a new session for every request? Or what if there is no such thing as a session? Per browser? But everyone uses Chrome! 37

What will be the identifier? Probably a combination! IP address (debatable) + User token (or anonymous ) + Session token + Headers (user agent + accept-language + some cookie +...) 38

Decide on exceptions Do we rate limit all users? Do we have separate limits for certain users? Dynamic limiting Do we rate limit all IP addresses? What about ourselves? What about our monitoring tools? What about web crawlers? What about certain datacenter ranges? (https://github.com/client9/ipcat) IP addresses that end web consumers should not be using" 39

Responding to limits 40

What when the user hits the limit? Do we just black hole and close the connection? Do you tell the user? API: status code 429 Too Many Requests Web: error page stating rate limit exceeded / captcha (StackOverflow) 41

Try to always tell the user Format? Depends on Accept header (text/html vs. application/json) Tell them why they were throttled Can be a simple link to API documentation Tell them when to retry (e.g. GitHub does this even before rate limiting) Status: 200 OK X-RateLimit-Limit: 5000 X-RateLimit-Remaining: 4999 X-RateLimit-Reset: 1372700873 42

Where do we limit? 43

Rate limiting where? MvcThrottle Runs as action filter Requests per timespan Per action, user, IP,... (so knows about actions) Owin.Limits Runs as OWIN middleware Bandwidth, concurrent requests,... No knowledge about application specifics Many, many others 44

MvcThrottle Demo 45

How far do we allow traffic before saying no? KNOWLEDGE ABOUT THE OPERATION RESOURCES SPENT 46

How far do we allow traffic before saying no? KNOWLEDGE ABOUT THE OPERATION RESOURCES SPENT 47

What options are there? In our application ActionFilter / Middleware / HttpModule /... Easy to add custom logic, based on request details On the server Outside of our server Outside of our datacenter 48

What options are there? In our application On the server IIS has dynamic IP restrictions, bit rate throttling, <limits /> Kestrel minimum speed throttle Found these less flexible in terms of configuraton... E.g. IIS dynamic IP restrictions returns 403 Forbidden, wth! Not a big fan, as these are usually HttpModules anyway (and thus hit our app) Outside of our server Outside of our datacenter 49

What options are there? In our application On the server Outside of our server Reverse proxy (IIS Application Request Routing, NGinx, HAProxy, Squid,...) Traffic does not even hit our application server, yay! Outside of our datacenter 50

Rate limiting with NGinx Demo 51

What options are there? In our application On the server Outside of our server Outside of our datacenter Azure API management, CloudFlare Filters traffic very early in the request, yay! Often also handle DDoS attacks Often more expensive 52

Conclusion 54

Conclusion Users are crazy! (typically unintended) We need rate limiting Decide on the resources to limit (tip: everything) Decide on a sensible limit (tip: measure) Come up with an identifier to limit on Decide on exceptions What when the user reaches a limit? Decide where in the request/response flow to limit 55

Thank you! http://blog.maartenballiauw.be @maartenballiauw 56

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback