Possible/partial duplicates:
- What’s a good rate limiting algorithm?
- Throttling method calls to M requests in N seconds
- Best way to implement request throttling in ASP.NET MVC?
I am looking for the best way to implement a moving time window rate limiting algorithm for a web application to reduce spam or brute force attacks.
Examples of use would be “Maximum number of failed login attempts from a given IP in the last 5 minutes”, “Maximum number of (posts/votes/etc…) in the last N minutes”.
I would prefer to use a moving time window algorithm, rather than a hard reset of statistics every X minutes (like twitter api).
This would be for a C#/ASP.Net app.
Use a fast memory-based hashtable like memcached. The keys will be the target you are limiting (e.g. an IP) and the expiration of each stored value should be the maximum limitation time.
The values stored for each key will contain a serialized list of the last N attempts they made at performing the action, along with the time for each attempt.