tags:

views:

446

answers:

2
+4  Q: 

How can I implement server-side rate limiting for a Perl web service?

I have a Perl-based CGI/Fast CGI web service and want to rate-limit clients by IP address to stop aggressive clients causing too much work.

I have looked around for some code and found Algorithm::TokenBucket in CPAN but that is for client requests; it has no persistence and has no per-user config so is not really useful for server-side rate limiting.

I am looking for suggestions for something that already exists, otherwise I'll need to roll my own based on some simple persistence such as tie to DB_File per-IP address and some batch job that does the token management.

+4  A: 

I've used Cache::FastMmap for rate-limiting by tracking hits per IP address. It's a cache so data will expire over time, but if you set the size and expire time right, this shouldn't be an issue.

The IP address is the hash key and the hash value is an array of timestamps. I have a second data structure (also backed by Cache::FastMMap) which is a hash of banned IP addresses, updated according to the data from the first structure.

kixx  2009-02-01 20:41:31
I have had Cache::FastMmap expire entries way before their expiration time, and way before the cache is full (it is all about pages). With that in mind, I would use BDB instead, and manually expire stale records.
jrockway  2009-02-02 00:29:35
Well, I've decided on Cache::FastMmap for performance and concurrent access reasons and because *strict* rate-limiting was not required. The latter seems to apply here, I don't know about the former.
kixx  2009-02-02 08:30:15
+3  A: 

I know it's not what you asked, but have you considered handling this elsewhere in the stack where it's already been done for you? Clearly I don't know your deployment stack, but if it's apache you could use mod_evasive. Alternately if you're on Linux you could let iptables do its job using something like:

#Allow only 12 connections per IP
/sbin/iptables -A INPUT -p tcp --dport 80 -m conn-limit --connlimit-above 12 -j REJECT --reject-with tcp-reset

certainly more complicated rules are possible.

Ry4an  2009-02-02 04:06:57
I don't have access to the server config - it's shared hosting so I need the application level to deal with it, in this case perl since that's what I wrote it in.
dajobe  2009-02-11 04:20:26

related questions

Regex to replace Boolean with bool
How do I lock a file in Perl?
How do you use XML::Parser with Style => 'Objects'
Parsing XML Elements & Attributes with Perl
Regex to match all HTML tags except <p> and </p>
Best way to extract data from a FileMaker Pro database in a script?
What's the fastest way to determine a full URL from a relative URL (given a base URL).
Why can't I connect to my CAS server with Perl's AuthCAS?
Why can't I fetch wikipedia pages with LWP::Simple?
How do I perform a Perl substitution on a string while keeping the original?
How do I read in the contents of a directory in Perl?
How can Perl's system() print the command that it's running?
How can I test STDIN without blocking in Perl?
How do I tell if a variable has a numeric value in Perl?
Why doesn't my Perl map return anything?
How can I determine the type of a blessed reference in Perl?
Parsing attributes with regex in Perl
How do you retrieve selected text using Regex in C#?
Why does the Perl conditional operator not do what I expect?
Class::DBI-like library for php?
How do you create objects in Perl?
How do I remove duplicate items from an array in Perl?
Is The Perl Journal available online?
Can you force either a scalar or array ref to be an array in Perl?
What's the safest way to iterate through the keys of a Perl hash?