-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rate limit by subnet and differentiate by userid #427
Comments
Grizz asked: "do we want to rate limit differently for auth vs non auth?" I responded: "Always nice to have the flexibility, even if the initial setting is the same. :-) I'd keep them the same initially and tune from there." |
I think it makes sense to rate-limit differently based on authed or not-authed. |
@peeringdb/pc can we have consensus to implement and close that? +1 from me |
+1 |
ok, someone else then? @peeringdb/pc |
+1 I think it's fine to start with a global rate limit (not accounting for authentication status), but I am also happy if it gets implemented based on authentication status. |
+1 - I'd say we should aggregate by cidr for unauthed users, and by api key (#266) for authed users. Ideally we'd have a rate limit for authed users that's higher than for unauthed users, and some configuration ops can tweak per API key if someone is appropriating the default rate limit and needs it raised (or lowered!). |
Summary If unauthed, aggregate by If authed, have a global default, but allow override on a per user or auth key basis. |
From my perspective on @peeringdb/oc , this is needed. We've got more and more clients performing automated queries and need ways to be able to balance those against human requests. |
@grizz , when you wrote:
I just want to clarify you aren't intending to limit this to http: requests with |
@grizz wrote:
@arnoldnipper wrote:
@grizz, I would like to see an in-database per-user rate limit knob for both API and GUI queries. Ex. user 'joe' could be limited to 10 qps to the GUI and 5 qps to I think Ops/@peeringdb/oc needs to be able to change the global defaults, for auth and unauthed users, without needing to modify the internals of a container or the env on each instance, as apparently required by #311. Ie. as part of the database, but the parent process would need to periodically (ex. once per minute) yet efficiently poll for changes to the config. it would also be great if we could rate-limit particular unauth CIDR blocks, via entries in the database, broken down by API vs. GUI queries. Ex. global unauth rate of 100 qps for API & GUI, 192.0.2/24 @ 20 qps for API and 30 qps for GUI, and 2001:DB8::/32 @ 5 qps for API and 10 qps for GUI. This would be in addition to applying the global unauth rate to aggregate /24's & /64's, also broken down by API vs. GUI query method. Also, we need to know when rate limiting is actually happening, and based on which rule. It either needs to be logged (periodically, after first limiting of a specific type) to the django log or to the database. |
@ccaputo agree completely, that makes sense. This will also need to have a separate endpoint for GUI API calls. |
What are GUI API calls, @grizz? |
/api/ calls performed in the service of GUI requests. Ex. "POST /api/netixlan" when adding one's network record at an IX. |
Isn't then every GUI call a GUI API call? |
I believe @grizz is referring to /api/ usage as a result of certain web/GUI interactions. Most web/GUI usage does not utilize /api/ requests, but some does, such as those that result in {POST|PUT|DELETE} operations. |
Yes, @ccaputo is correct. The page will load without any API calls, but to interact with it, it's all API calls. GUI Api calls would essentially be adding a QoS layer to user interaction. @arnoldnipper That was coming from a thread on the ops mailing list, sorry for not putting a bit more description to go along with it. |
Out of curiosity, @grizz. How is the data retrieved? |
From a database read |
A couple of observations:
|
First I should say: It has been a while since this issue has been touched, and it may no longer be needed. API rate limiting of duplicate requests and query rates have been addressed with other issues. Non-API rate limiting may not be needed.
The workaround for a user impacted by throttling, is to login.
While not a DB dump per se, peeringdb-py is very similar to this. It provides an incremental update mechanism with a rapid initial dump, consisting of a single HTTP GET per object type.
IP addresses are routinely logged these days. I don't recall the specifics, but years ago we may not have been logging accurate source IPs due to the use of a load balancer front end, and a failure to parse the actual remote user IP. These days we do store the actual remote user IPs in access logs. Broken scripts or scripts written by people who do not understand the costs, or fail to understand the tragedy of the commons, or fail to include delays, can come from a variety of sources. Many of the sources end up being in various clouds, using address space completely unrelated to the interested party or organization, from an RIR lookup standpoint.
Current throttle limits do not prevent an anonymous user from running The AUP supports the use of peeringdb-py for Internet operational purposes within an organization. |
I can personally confirm this to be 100% false as of yesterday (which is kinda what prompted me to even search GH Issues). I ran a EDIT: After a very brief glance at the server throttling code, I suspect (but cannot confirm) that this might have something to do with the Anon request size limit rather than the rate limit -- if that's enabled on the production server. |
Sorry for the problems. I have analyzed the logs of anonymous peeringdb-py clients and have now raised the throttle setting from 10 requests per minute to 20 requests per minute. Hopefully that will be sufficient for Please report back if this helps things. After testing and hopefully confirming improvement, I highly recommend authenticating using an API key since there may be a future in which authentication is required in order to run peeringdb-py without problems. |
Since the anonymous limit change from 10 qpm to 20 qpm some 21 hours ago, |
My perspective of current throttling and the user education that has happened in the last year, and associated increase in users working to query PeeringDB more efficiently and/or take advantage of tools such as: https://docs.peeringdb.com/howto/api_keys/ is that we may no longer need to drill down to the level of throttling proposed by this issue. Keeping in mind @grizz's Summary should we need to revisit this topic:
if there are no objections, I intend to close this issue in a week. |
Keeping in mind closed "implement rate limiting #311" (#311), we are seeing queries from people randomizing their source IP within a single subnet. Thus the rate limiting system should group IPv4 /24s and IPv6 /64s so that queries from a single subnet are rate limited with other hosts from the same subnet and same userid or lack of userid.
The later is important because we don't want different logged in users at a conference to all be rate limited together, whether coming from the same subnet or being NATed.
The text was updated successfully, but these errors were encountered: