Request Rate Limiting

June 17th, 2020


Mango is capable of limiting the number of requests per period of time to protect against Denial of Service style attacks. The following settings are available via the env.properties file. The limiting algorithm works by allowing an initial burst of requests and then limits to a number of requests in the configured period of time. So for example a burstQuantity of 10 and quantity of 2 for 1 Second will limit the specific requester to 10 requests in the first second and 2 per second for every second thereafter.

REST API Limits

REST API limiting is enabled by default for anonymous users.

rateLimit.rest.anonymous.enabled=true
rateLimit.rest.anonymous.burstQuantity=10
rateLimit.rest.anonymous.quanitity=2
rateLimit.rest.anonymous.period=1
rateLimit.rest.anonymous.periodUnit=SECONDS

REST API limiting is disabled by default for authenticated users.

rateLimit.rest.user.enabled=false
rateLimit.rest.user.burstQuantity=20
rateLimit.rest.user.quanitity=10
rateLimit.rest.user.period=1
rateLimit.rest.user.periodUnit=SECONDS

Authentication Limits

All authentication attempts are rate limited and enabled by default. There are 2 types of limiting. First the limit per IP address, which limits all authentication attempts from a given IP address:

rateLimit.authentication.ip.enabled=true
rateLimit.authentication.ip.burstQuantity=5
rateLimit.authentication.ip.quanitity=1
rateLimit.authentication.ip.period=1
rateLimit.authentication.ip.periodUnit=MINUTES

Second is the Username limiting which occurs from any IP address against the same username. It is enabled by default and has the following settings:

rateLimit.authentication.user.enabled=true
rateLimit.authentication.user.burstQuantity=5
rateLimit.authentication.user.quanitity=1
rateLimit.authentication.user.period=1
rateLimit.authentication.user.periodUnit=MINUTES

Copyright © 2020 Radix IoT, LLC.