A Few Notes on Ratelimiting

14 hours ago
  • #GCRA
  • #rate-limiting
  • #email-security
  • The author wrote articles to clarify and compare GCRA with a non-stupid version of the leaky bucket algorithm.
  • Rate limiters can be configured with two parameters: limit and period, which determine the maximum average rate and burst size.
  • The period is the time over which client behavior is averaged, and it affects how quickly the rate limiter forgets past behavior.
  • Burst size can be adjusted by changing both the limit and period while keeping the average rate the same.
  • The author shares an anecdote about setting rate limits for email servers to catch spam without delaying legitimate mail.
  • Requests can have variable costs, such as bandwidth, which can be accounted for in rate limiting algorithms.
  • Different modes of rate limiting are described: 'leaky', 'forgiving', and 'strict', each with varying levels of leniency.
  • The 'leaky' mode is the most lenient, allowing occasional over-limit requests at the maximum permitted rate.
  • The 'forgiving' mode rejects all requests while over the limit but starts accepting them once the client slows down.
  • The 'strict' mode rejects all requests while over the limit and continues to reject them based on previous speed.
  • The author shares another anecdote about the challenges of rate limiting email, especially with end-users and alumni offices.
  • The solution for end-users was to use 'strict' mode and quarantine over-limit mail, inspecting samples to handle false positives.
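
The limit/period parameters and the three modes summarized above, as an added sketch that is not code from the article or from any mail server. It assumes a GCRA-style limiter whose only state is a theoretical arrival time; the class and function names and the per-mode state updates are assumptions chosen to match the behaviour each bullet describes.

```python
from dataclasses import dataclass

@dataclass
class RateLimiter:                 # hypothetical name, not from the article
    limit: float                   # maximum cost per period; also the burst size
    period: float                  # seconds over which client behaviour is averaged
    mode: str = "leaky"            # "leaky", "forgiving" or "strict"
    tat: float = 0.0               # GCRA state: theoretical arrival time

    def allow(self, now: float, cost: float = 1.0) -> bool:
        interval = self.period / self.limit          # seconds charged per unit of cost
        new_tat = max(self.tat, now) + cost * interval
        if new_tat - now <= self.period:
            self.tat = new_tat                       # within limit: record and accept
            return True
        # Over the limit. The updates below are assumed, one per described mode.
        if self.mode == "forgiving":
            self.tat = now + self.period             # clamp: excess is forgotten
        elif self.mode == "strict":
            self.tat = new_tat                       # every rejected request is remembered
        # leaky: a rejected request leaves the state untouched
        return False

def replay(mode, times, limit=5, period=10.0):
    """Feed request timestamps to a fresh limiter; return the accept/reject list."""
    rl = RateLimiter(limit, period, mode)
    return [rl.allow(t) for t in times]

def burst(limit, period):
    """Count how many simultaneous unit-cost requests an idle limiter accepts."""
    rl = RateLimiter(limit, period)
    return sum(rl.allow(0.0) for _ in range(1000))

# Constructed traffic: 40 requests at 4/s (8x the 0.5/s average rate),
# then the same client slows to one request every 2.5 s.
FLOOD = [i * 0.25 for i in range(40)]        # t = 0 .. 9.75
SLOW = [10.0 + i * 2.5 for i in range(8)]    # t = 10 .. 27.5

if __name__ == "__main__":
    for mode in ("leaky", "forgiving", "strict"):
        result = replay(mode, FLOOD + SLOW)
        print(f"{mode:9} flood accepted={sum(result[:40]):2} "
              f"slow accepted={sum(result[40:])}")
    # Same average rate (0.5/s), different burst size.
    print("burst 5/10s:", burst(5, 10.0), " burst 10/20s:", burst(10, 20.0))
```

A variable-cost request, such as one charged by bandwidth, passes its size as `cost` instead of the default of 1.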