Aditya

Posted on Jun 12

Implement Rate Limiting in ASP.NET Core [.NET9]

#dotnet #ratelimit #security #aspdotnet

Introduction

Rate limiting is a critical mechanism for building resilient, secure, and scalable backend applications. In the world of ASP.NET Core, implementing effective rate limiting is straightforward, thanks to powerful libraries like AspNetCoreRateLimit. This article will guide you through the concept of rate limiting, its importance, and how to implement it in your ASP.NET Core projects.

What is Rate Limiting and Why is it Essential?

Rate limiting is a strategy for controlling the amount of incoming traffic to a network interface, an API, or an application. It restricts the number of requests a user or IP address can make within a specific time window.

Why is it important?

Security: Protects against various malicious attacks such as Denial-of-Service (DoS), Distributed Denial-of-Service (DDoS), and brute-force attacks on login endpoints.
Stability & Performance: Prevents resource exhaustion on your server by ensuring that no single client or group of clients can overwhelm the system with too many requests. This leads to better application stability and performance for all users.
Fair Usage: Ensures that all clients get fair access to shared resources, preventing a few "noisy neighbors" from degrading the service for others.
Cost Management: For services that rely on third-party APIs or cloud resources that charge per request or data transfer, rate limiting can help control costs by preventing excessive usage.

Problems Solved by Rate Limiting:

API Abuse: Prevents scripts or bad actors from scraping data or spamming your API.
Traffic Spikes: Helps manage sudden surges in traffic, ensuring the application remains responsive.
Resource Starvation: Avoids situations where a few heavy users consume all available server resources (CPU, memory, bandwidth).

Real-World Scenarios for Rate Limiting

Login Endpoints: Limit login attempts to prevent brute-force attacks.
Public APIs: Control the number of requests to ensure fair usage and protect backend services.
Resource-Intensive Operations: Limit requests to endpoints that trigger computationally expensive tasks.
Third-Party API Integrations: If your application acts as a gateway or proxy, rate limit requests to downstream services to stay within their usage quotas.
Data Export/Import Features: Prevent users from exporting or importing massive amounts of data too frequently.

Implementing Rate Limiting in ASP.NET Core [.NET 9] with `AspNetCoreRateLimit`

AspNetCoreRateLimit is a popular and flexible NuGet package that provides IP and client ID-based rate limiting middleware for ASP.NET Core applications.

Let's walk through the implementation steps.

Prerequisites

.NET SDK (This guide primarily targets .NET 6 and later, but concepts are similar for older versions).
An ASP.NET Core Web API project.

Step 1: Install the NuGet Package

Open your terminal or Package Manager Console and run the following .NET CLI command in your project directory:

dotnet add package AspNetCoreRateLimit

This command adds the necessary package to your project.

Step 2: Add the necessary DI and middleware in your `program.cs`:

//for .NET version 9
var builder = WebApplication.CreateBuilder(args);

//Rate limiter
builder.Services.AddMemoryCache();
builder.Services.Configure<IpRateLimitOptions>(builder.Configuration.GetSection("IpRateLimiting")); // Ensure this section exists in appsettings.json or is configured
builder.Services.Configure<IpRateLimitPolicies>(builder.Configuration.GetSection("IpRateLimitPolicies")); // Ensure this section exists in appsettings.json or is configured
builder.Services.AddInMemoryRateLimiting();
builder.Services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>(); // Add this line
builder.Services.Configure<IpRateLimitOptions>(options =>
{
    options.EnableEndpointRateLimiting = true;
    options.StackBlockedRequests = false; // Do not stack blocked requests
    options.HttpStatusCode = 429; // Use HTTP 429 Too Many Requests status code
    options.RealIpHeader = "X-Real-IP"; // Use this header to get the real IP address
    options.ClientIdHeader = "X-ClientId"; // Use this header to identify clients
    options.GeneralRules =
    [
        new RateLimitRule
        {
            Endpoint = "*", //rate limit effective for all API endpoints
            Period = "10s",
            Limit = 2 // 2 requests per 10 seconds
        }
    ];
});

Later after your services are configured, you can build the app as:

var app = builder.Build();
app.UseIpRateLimiting(); // Enable rate limiting middleware
app.Run();

Step 3: Open your swagger and test the rate limiter:

You can open your swagger and test your rate limiter and you should be able to get error code 429 after exceeding your rate limit quota (I set it to 2 requests per 10 seconds).

Conclusion

Implementing rate limiting is a fundamental step towards building robust, secure, and fair ASP.NET Core applications. The AspNetCoreRateLimit package provides a flexible and easy-to-use solution for most common rate-limiting scenarios.

By effectively configuring rate limits, you can protect your application from abuse, ensure stability under high load, and provide a better experience for all your users.

Further Exploration:

Client-Specific Limits: Explore using ClientRateLimiting with the ClientIdHeader for scenarios where you need to identify clients by API keys or similar tokens.
User Role-Based Limits: For more granular control, you might need to implement custom logic, potentially by creating custom rate limit policies or integrating with ASP.NET Core's authorization system.
Distributed Counters: For applications deployed across multiple instances (scaled out), the default MemoryCache stores are insufficient as they are local to each instance. AspNetCoreRateLimit supports distributed stores like Redis or SQL Server. You'd use DistributedCacheIpPolicyStore and DistributedCacheRateLimitCounterStore along with a configured distributed cache (e.g., services.AddStackExchangeRedisCache(...)).
Customizing Throttling Behavior: Dive deeper into the library's options for more advanced configurations, such as whitelisting IPs, different blocking strategies, or custom retry messages.

Start implementing rate limiting in your projects today to enhance their resilience and security. If you struck or have questions feel free to ask them in the comments!

Let connect on LinkedIn and checkout my GitHub repos:

LinkedIn
GitHub

Top comments (6)

nausaf • Jun 16 • Edited

Shouldn't this feature be provided via an API Gateway such as on AWS or Azure's Azure API Management?

To integration-test locally, we can always use a Docker Container for emulator of the API gateway product.

So what's the use case for this middleware?

Aditya • Jun 16 • Edited

I do agree with what you said. I wrote this article keeping it mind for a monolithic service. For example I build media management web app or a url shortner web app, so we cannot afford everytime to use consul or other api gateway and put rate limiter there. For a small usecase I would personally prefer to put things in the app using middle ware and run it directly. I know dockerizing the app and putting rate limiter at the gateway of the container would also help but the aim was to put ratelimiter in small sized web apis. I hope you got why I used the middleware

nausaf • Jun 16

Nice one! so it's another tool in the toolbox that can come in handy.

nausaf • Jun 18 • Edited

BTW, I am deploying a small experimental API right now and have today chosen CloudFlare after some research.

The thing I was looking for was rate limiting to avoid being charge by Azure for Dos/DDos attacks. I did think about the middleware you mentioned in your article but since my API is public facing, Azure would still charge me for requests, even if the middleware rate-limits them. In fact, it would even charge for requests that Azure API Management would turn away due to rate limiting. So I was in the ridiculous position of having to pay for both an Azure API Management instance for rate limiting (mainly, although it does have other nice features) and an Azure DDos Protection instance.

CloudFlare does the job of both, with a generous free tier that Azure doesn't have for either product!

So I guess the use case for the ASP.NET Core rate limiting middleware would be in internal APIs/microservices where you can't or don't want to to, go through an API Gateway. Thanks for the article by the way!

Ethan Anderson • Jun 13

Great overview on rate limiting in ASP.NET Core! The step-by-step example with AspNetCoreRateLimit is very clear and helpful. Thanks for sharing the practical tips and code snippets.