Author: Austin K. Smith
Website: Github
Description: 100% Vanilla Javascript Rate Limiting / DDOS Protection Library
License: Artistic License 2.0
Ration.js is a 100% Vanilla JavaScript rate-limiting / DDoS-protection library for Node.js / Express. It is inspired by network tarpits and works the same way: it intentionally slows down requests from clients that make too many requests within a limited time frame.
- Add Ration.js to your project using the instructions below
- Use npm install to add the project to your dependencies
npm install --save ration.js
- Require the npm module in your app.js file
const express = require('express');
const rationjs = require('ration.js');
// Declare Application
let app = express();
/* Set Ration.js Options */
const rations = {
  maxRequestsPerTimeFrame: 600,
  timeFrameInSeconds: 30,
  removeRecordsAfter: (1000 * 60 * 5), // milliseconds: five minutes
  dropConnections: false
};
/* Initialize Ration.js */
rationjs.setRations(rations);
/* Use Ration.js (register it before your routes so every request is counted) */
app.use(rationjs.startRations);
- maxRequestsPerTimeFrame - The maximum number of requests a unique visitor is allowed within one timeFrameInSeconds period. Value should be an integer. Defaults to 600.
- timeFrameInSeconds - The length, in seconds, of the window over which the request count is measured (eg. use 1 to limit requests per second). Defaults to 30.
- removeRecordsAfter - How long, in milliseconds since a requester's last request, that requester's record is kept in memory. The original README states a default of 30000, which is 30 seconds, not the 5 minutes it claims; the example configuration above uses 1000 * 60 * 5 (300000 ms, five minutes). Check the default of the version you install before relying on it.
- dropConnections - When true, this option changes how the library operates: connections from users who have exceeded their rations are forcibly dropped instead of their requests being processed with a delay. The example above sets it to false, which keeps the delay (tarpit) behaviour.
The library acts as a middleware layer for incoming requests to your Node.js/Express application. For each unique visitor a request record is created and kept in memory to track the time between each new request and the previous one. If the number of requests exceeds the configured limit within the configured time window, the offending visitor's requests are delayed using a delayMultiplier, and that multiplier is doubled for each further request beyond the limit, so the delay grows exponentially the longer the client keeps hammering the server. Two practical consequences follow from this design: a delayed request is held pending rather than rejected, so the server keeps that socket and the request's memory alive for the duration of the delay (the tarpit trade-off that dropConnections exists to avoid), and because the records live in process memory the limits apply per process, so a clustered or load-balanced deployment counts each worker separately.
If the time difference between a visitor's last request and the current request exceeds the removeRecordsAfter setting, that visitor's request count is reset to 1.
If a unique visitor sends no new requests within the removeRecordsAfter period, their request record is removed automatically so the visit log does not grow and consume too much memory.
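To make the record-keeping, exponential delay, reset and purge behaviour described above concrete, here is an added, self-contained JavaScript example. It is not Ration.js's own code and not its API; it is a minimal re-implementation of the behaviour the README describes so that it can be run stand-alone against constructed timestamps. The names createTarpit, check, purge and middleware, the baseDelayMs option (the README does not say what the base delay is), the choice to key visitors by req.ip, and the fixed-window interpretation of timeFrameInSeconds are this example's own assumptions.

```javascript
// Added example, not Ration.js code: an in-memory tarpit rate limiter
// modelled on the behaviour the README describes. All names are assumptions.
function createTarpit(options = {}) {
  const opts = {
    maxRequestsPerTimeFrame: 600,
    timeFrameInSeconds: 30,
    removeRecordsAfter: 1000 * 60 * 5, // ms; the README's example value
    dropConnections: false,
    baseDelayMs: 100, // assumption: the README does not state the base delay
    ...options,
  };
  // visitorKey -> { count, windowStart, lastSeen, delayMultiplier }
  const records = new Map();

  // Classify one request from `key` arriving at `now` (ms).
  // Returns { action: 'allow' | 'delay' | 'drop', delayMs, count }.
  function check(key, now = Date.now()) {
    let rec = records.get(key);
    if (!rec || now - rec.lastSeen > opts.removeRecordsAfter) {
      // Idle longer than removeRecordsAfter: start over, count becomes 1 below.
      rec = { count: 0, windowStart: now, lastSeen: now, delayMultiplier: 1 };
      records.set(key, rec);
    }
    if (now - rec.windowStart >= opts.timeFrameInSeconds * 1000) {
      // A new time frame has begun (fixed-window interpretation, an assumption).
      rec.count = 0;
      rec.windowStart = now;
      rec.delayMultiplier = 1;
    }
    rec.count += 1;
    rec.lastSeen = now;
    if (rec.count <= opts.maxRequestsPerTimeFrame) {
      return { action: 'allow', delayMs: 0, count: rec.count };
    }
    if (opts.dropConnections) {
      return { action: 'drop', delayMs: 0, count: rec.count };
    }
    // Tarpit mode: delay grows exponentially, doubling per request over the limit.
    const delayMs = opts.baseDelayMs * rec.delayMultiplier;
    rec.delayMultiplier *= 2;
    return { action: 'delay', delayMs, count: rec.count };
  }

  // Remove records idle longer than removeRecordsAfter so memory stays bounded.
  // Returns how many records were dropped.
  function purge(now = Date.now()) {
    let removed = 0;
    for (const [key, rec] of records) {
      if (now - rec.lastSeen > opts.removeRecordsAfter) {
        records.delete(key);
        removed += 1;
      }
    }
    return removed;
  }

  // Express-style middleware. Keying on req.ip is an assumption; behind a
  // reverse proxy make sure req.ip reflects the real client address.
  function middleware(req, res, next) {
    const verdict = check(req.ip);
    if (verdict.action === 'drop') {
      req.socket.destroy(); // hang up without a response
      return;
    }
    if (verdict.action === 'delay') {
      setTimeout(next, verdict.delayMs); // hold the request, socket stays open
      return;
    }
    next();
  }

  return { check, purge, middleware, size: () => records.size };
}
```

Run `purge` from a timer (for example every removeRecordsAfter milliseconds) rather than on every request, and remember that the Map is per process: under the cluster module or a load balancer each worker keeps its own counts, exactly as the README's in-memory design implies.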