Dangers of Not Rate-Limiting

Hi, I’m Glö, a full-stack developer, and I share my experience in the development ecosystem.

A few months ago, I was hired on contract to make a mobile app for a fintech company. During the onboarding process the owner briefly mentioned an incident where they were attacked by a hacker; it was pretty disastrous and the hacker did significant damage.

Since this was just a slight interjection and not the main topic, I simply nodded my head and didn’t give a response.

While integrating the app with the server, I observed that the backend authentication system was pretty solid and looked strong. And truly, it should be after an incident like that.

But I had doubts about the server’s strength. Maybe it was due to Stockholm syndrome, as I didn’t have any difficulty integrating with the server at all compared to my other projects. About a week after I finished the app and finalised the deal, I decided to test the server myself.

Since I had already checked the authentication system and it was strong, the next check I did was the rate-limiting and ….. it failed.

What Actually Happened ?

The defect that rate-limiting would have caught is really a race condition in the transaction path, and it comes from the time a MySQL query takes. When you make a query in MySQL, say to check a user’s balance, the operation takes anywhere from about 0.3 seconds to as long as 3 seconds depending on how well the database is optimised.

That is enough time for thousands of requests to arrive, and certainly enough for about 100 of them to get through. In essence, the server receives a request, checks the user’s balance in the database and, after confirming that the balance is enough for the transaction, makes the transaction and then deducts the amount from the balance in the database.

The window between checking the balance and deducting the money is where the damage is done. Every request that arrives inside that window passes the balance check because nothing has been deducted yet, so a hundred requests that each spend the same balance are all approved. This is a classic check-then-act (time-of-check to time-of-use) race, and without a per-user limit nothing stops an attacker from filling that window with concurrent requests.

How to fix this?


const NodeCache = require('node-cache');
const myCache = new NodeCache();

// Express middleware: refuse a second transaction from the same user
// while an earlier one is still inside the 10-second lock window.
function transactionLock(req, res, next) {
    const userid = req.user.id; // assumption: the auth middleware attaches the user here
    const key = `datatransactionLocks:${userid}`;

    const lockExists = myCache.get(key);
    if (lockExists) {
        return res.status(429).json({
            "success": false,
            "message": 'Too Many Requests',
            "data": null
        });
    }

    myCache.set(key, 'locked', 10); // value, then TTL in seconds; expires on its own
    next();
}

The simple solution above creates a per-user lock entry in an in-process cache, keyed by the user’s unique id and expiring after 10 seconds.

You check whether the key already exists; if it does, you reject the request with a 429, and if it doesn’t, you set the key and continue with the request. Two caveats are worth knowing. First, node-cache lives in the memory of a single Node process, so if the API runs as several instances behind a load balancer each instance has its own cache and the lock does not hold across them; a shared store such as Redis fixes that. Second, the lock only narrows the race rather than closing it: the balance check and the deduction should also be made atomic in the database, for example by running both in one transaction or as a single conditional UPDATE that only succeeds while the balance is still sufficient, so that a request which slips past the limiter still cannot overdraw the account.

Of course it is tedious to build this by hand as I did, so a library like [express-rate-limit](https://www.npmjs.com/package/express-rate-limit) would suffice.

Other dangers include:

1. Denial of Service (DoS) Attacks: Without rate limiting, attackers can flood your server with a large number of requests, consuming all available server resources and causing your application to become unresponsive or crash.

2. Resource Exhaustion: Continuous high-volume traffic from bots or malicious users can exhaust server resources such as CPU, memory, and bandwidth, affecting the performance of your application for legitimate users.

3. Increased Operational Costs: Handling excessive traffic can lead to increased operational costs due to the need for additional server infrastructure to support the load.

4. Data Integrity Risks: Rapidly increasing traffic can cause data integrity issues, such as race conditions or inconsistencies in the database, leading to incorrect or corrupted data.

5. Negative User Experience: Without rate limiting, legitimate users may experience degraded performance or service interruptions due to resource contention with malicious or abusive traffic.

6. Brand Reputation Damage: Downtime or degraded performance caused by uncontrolled traffic can damage your brand reputation and erode trust among users, partners, and stakeholders.

7. Loss of Revenue: Service disruptions or data breaches resulting from uncontrolled traffic can lead to loss of revenue due to downtime, decreased user engagement, or loss of customer confidence.

Do you have hacks or experiences regarding rate-limiting? Kindly share in the comments, I’d love to hear them!