Hardware appliances can limit the rate of requests on layer 4 or 5 of the OSI model.
Web servers typically use a central in-memory key-value database, like Redis or Aerospike, for session management. A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.
However, the session management and rate limiting algorithm usually must be built into the application running on the web server, rather than the web server itself.
Datacenters widely use rate-limiting to control the share of resources given to different tenants and applications according to their service level agreement. A variety of rate-limiting techniques are applied in datacenters using software and hardware. Virtualized datacenters may also apply rate-limiting at the hypervisor layer. Two important performance metrics of rate-limiters in datacenters are resource footprint (memory and CPU usage) which determines scalability, and precision. There usually exists a trade-off, that is, higher precision can be achieved by dedicating more resources to the rate-limiters. A considerable body of research exists with focus on improving performance of rate-limiting in datacenters.
- Token bucket
- Leaky bucket
- Fixed window counter
- Sliding window log
- Sliding window counter
- ASP.NET Web API rate limiter
- ASP.NET Core rate limiting middleware
- Rate-Limiting for .NET (PCL Library)
- Rate-Limiting for Node.JS
- Richard A. Deal (September 22, 2004). "Cisco Router Firewall Security: DoS Protection". Retrieved April 16, 2017.
- M. Noormohammadpour, C. S. Raghavendra, "Datacenter Traffic Control: Understanding Techniques and Trade-offs," IEEE Communications Surveys & Tutorials, vol. PP, no. 99, pp. 1-1.
- Nikrad Mahdi (April 12, 2017). "An Alternative Approach to Rate Limiting". Retrieved April 16, 2017.