Reputation: 640
How to avoid Contentful rate-limit exhaustion DoS
We are building a public web app and have created custom API's that call out to Contentful to get various content entries like news articles.
Some of our API's take the entry ID - ex 1m21P91ZPgQyJpT6Ck7oku - as a parameter (typically as part of the path or on the query string).
The problem with this is that Contentful has a rate-limit. If a query to Contentful is not cached on their CDN, it will be forwarded to the origin, and count towards the rate-limit quota. When the rate-limit is exhausted, Contentful will return 429 codes.
Since our API's take the entry ID at face value and use it to query Contentful for that entry, this means that an attacker can quite easily put us in a perpertual state of rate-limit exhaustion by generating random API requests where the entry ID parameter is changed randomly, thus bypassing the CDN cache.
What can we do from the API-side to avoid this DoS attack?
If the only answer is to rewrite our API's to not rely of client-provided paramters for Contentul query generation, are there some patterns we could follow?
P.S. We have reached out to Contentful on raising the threshold of the rate-limit, but have apparently reached an upper bound of 100 rps, of which they are unwilling to increase it further.
Upvotes: 3
Views: 1007
Answers (0)
Related Questions
- How to deal with api that rate limits requests?
- How to update Contentful reference efficiently
- Limit Nginx max concurrent connections
- Importing large amount of data from API into Contentful?
- node.js axios & http , any way to bypass rate limit somehow?
- Backoff Strategy after hitting rate limits
- API Rate Limits for IBM Cloudant
- Can we limit or customize response data from contentful to reduce network traffic
- How to set contentful.js api call rateLimit
- can you set an exception for nginx's requests per second limit?