How to Stop DDoS Attacks in Go with Rate Limiting-Golang-php.cn

Home

Backend Development

Golang

How to Stop DDoS Attacks in Go with Rate Limiting

DDD

Nov 30, 2024 am 01:22 AM

How to Stop DDoS Attacks in Go with Rate Limiting

Rate limiting is one of the most effective techniques to mitigate DDoS attacks. Among its variations, per-IP rate limiting stands out for its targeted approach: it enforces request limits individually for each client, based on their IP address. This prevents any single user from overwhelming the server while maintaining a fair level of access for legitimate users.

In this article, we’ll cover how per-IP rate limiting works, why it is one of the best strategies to stop DDoS attacks, and how to implement it in Go using the rate package.

Why Rate Limiting

Rate limiting is widely used because it balances security and usability. Here’s why it’s a preferred approach:

Efficient Resource Management: By limiting the number of requests from each client, servers can avoid being overwhelmed, even during an attack.
Fairness: Legitimate users can continue to access the server while malicious clients are throttled.
Customizable: Rate limits can be adjusted based on use cases, such as different limits for public APIs versus private services.
Scalability: Rate limiting mechanisms scale well with modern infrastructure, especially when combined with load balancers or reverse proxies.

How it Compares to Other Techniques

Firewall Rules: Block traffic at the network level based on predefined rules. While effective for large-scale filtering, it’s less flexible and can block legitimate users during false positives.
Content Delivery Networks (CDNs): Distribute traffic across multiple servers. While great for reducing the impact of DDoS, CDNs don’t address abusive traffic at the application level.
Proof of Work (PoW): Requires clients to solve computational puzzles before accessing the server. Effective but adds latency for legitimate users and can be resource-intensive for clients.
Rate Limiting: Offers fine-grained control, scales well, and doesn’t add significant overhead. It’s often the best choice for protecting application-level endpoints.

Implementation

In per-IP rate limiting, a separate limiter is maintained for each client IP. Here’s how to implement it using the golang.org/x/time/rate package.

Step 1: Install the Required Package

The rate package is part of Go’s extended modules. Install it with:

bash

go get golang.org/x/time/rate

Step 2: Code the Per-IP Rate Limiter

package main

import (

`"fmt"`

`"net/http"`

`"sync"`

`"time"`

`"golang.org/x/time/rate"`

)

var (

`mu       sync.Mutex`

`visitors = make(map[string]*rate.Limiter)`

)

// getVisitor retrieves the rate limiter for a given IP, creating one if it doesn't exist.

func getVisitor(ip string) *rate.Limiter {

`mu.Lock()`

`defer mu.Unlock()`

`limiter, exists := visitors[ip]`

`if !exists {`

    `limiter = rate.NewLimiter(1, 5) // 1 request/second, burst of 5`

    `visitors[ip] = limiter`

    `// Clean up limiter after 1 minute of inactivity`

    `go func() {`

        `time.Sleep(1 * time.Minute)`

        `mu.Lock()`

        `delete(visitors, ip)`

        `mu.Unlock()`

    `}()`

`}`

`return limiter`

}

// rateLimitedHandler applies the per-IP rate limit

func rateLimitedHandler(w http.ResponseWriter, r *http.Request) {

`ip := r.RemoteAddr`

`limiter := getVisitor(ip)`

`if !limiter.Allow() {`

    `http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)`

    `return`

`}`

`fmt.Fprintln(w, "Request successful.")`

}

func main() {

`http.HandleFunc("/", rateLimitedHandler)`

`fmt.Println("Starting server on :8080")`

`http.ListenAndServe(":8080", nil)`

}

Explanation

Visitors Map: Maintains a rate.Limiter for each IP address. The visitors map holds these limiters, keyed by IP addresses (r.RemoteAddr). When a request comes in, the getVisitor function checks if a limiter already exists for the IP.
Limiter Creation: Each limiter allows 1 request per second with a burst of 5. A a new limiter is created with specific rules (1 request per second with a burst capacity of 5) if one doesn’t exist. The limiter allows some initial burst of requests but enforces a steady rate thereafter.
Automatic Cleanup: A goroutine cleans up idle limiters after 1 minute to save memory.To prevent memory growth, the code includes a cleanup mechanism. A goroutine is started whenever a new limiter is created, and it waits for 1 minute of inactivity before removing the corresponding entry from the visitors map. This ensures that limiters are only kept for active clients.
Rate Limiting Logic: The handler checks if the limiter allows the request. If the request exceeds the defined limit, it responds with a 429 Too Many Requests error; otherwise, it processes the request.

Per-IP rate limiting in Go is an excellent way to mitigate DDoS attacks at the application level. It provides precise control over traffic, ensuring that legitimate users can access your service while malicious users are effectively throttled.

This approach efficiently throttles abusive IPs without impacting legitimate users, offering a scalable and memory-efficient solution for mitigating DDoS attacks.

The above is the detailed content of How to Stop DDoS Attacks in Go with Rate Limiting. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

String Manipulation in Go: Mastering the 'strings' PackageMay 14, 2025 am 12:19 AM

Mastering the strings package in Go language can improve text processing capabilities and development efficiency. 1) Use the Contains function to check substrings, 2) Use the Index function to find the substring position, 3) Join function efficiently splice string slices, 4) Replace function to replace substrings. Be careful to avoid common errors, such as not checking for empty strings and large string operation performance issues.

Go 'strings' package tips and tricksMay 14, 2025 am 12:18 AM

You should care about the strings package in Go because it simplifies string manipulation and makes the code clearer and more efficient. 1) Use strings.Join to efficiently splice strings; 2) Use strings.Fields to divide strings by blank characters; 3) Find substring positions through strings.Index and strings.LastIndex; 4) Use strings.ReplaceAll to replace strings; 5) Use strings.Builder to efficiently splice strings; 6) Always verify input to avoid unexpected results.

'strings' Package in Go: Your Go-To for String OperationsMay 14, 2025 am 12:17 AM

ThestringspackageinGoisessentialforefficientstringmanipulation.1)Itofferssimpleyetpowerfulfunctionsfortaskslikecheckingsubstringsandjoiningstrings.2)IthandlesUnicodewell,withfunctionslikestrings.Fieldsforwhitespace-separatedvalues.3)Forperformance,st

Go bytes package vs strings package: Which should I use?May 14, 2025 am 12:12 AM

WhendecidingbetweenGo'sbytespackageandstringspackage,usebytes.Bufferforbinarydataandstrings.Builderforstringoperations.1)Usebytes.Bufferforworkingwithbyteslices,binarydata,appendingdifferentdatatypes,andwritingtoio.Writer.2)Usestrings.Builderforstrin

How to use the 'strings' package to manipulate strings in Go step by stepMay 13, 2025 am 12:12 AM

Go's strings package provides a variety of string manipulation functions. 1) Use strings.Contains to check substrings. 2) Use strings.Split to split the string into substring slices. 3) Merge strings through strings.Join. 4) Use strings.TrimSpace or strings.Trim to remove blanks or specified characters at the beginning and end of a string. 5) Replace all specified substrings with strings.ReplaceAll. 6) Use strings.HasPrefix or strings.HasSuffix to check the prefix or suffix of the string.

Go strings package: how to improve my code?May 13, 2025 am 12:10 AM

Using the Go language strings package can improve code quality. 1) Use strings.Join() to elegantly connect string arrays to avoid performance overhead. 2) Combine strings.Split() and strings.Contains() to process text and pay attention to case sensitivity issues. 3) Avoid abuse of strings.Replace() and consider using regular expressions for a large number of substitutions. 4) Use strings.Builder to improve the performance of frequently splicing strings.

What are the most useful functions in the GO bytes package?May 13, 2025 am 12:09 AM

Go's bytes package provides a variety of practical functions to handle byte slicing. 1.bytes.Contains is used to check whether the byte slice contains a specific sequence. 2.bytes.Split is used to split byte slices into smallerpieces. 3.bytes.Join is used to concatenate multiple byte slices into one. 4.bytes.TrimSpace is used to remove the front and back blanks of byte slices. 5.bytes.Equal is used to compare whether two byte slices are equal. 6.bytes.Index is used to find the starting index of sub-slices in largerslices.

Mastering Binary Data Handling with Go's 'encoding/binary' Package: A Comprehensive GuideMay 13, 2025 am 12:07 AM

Theencoding/binarypackageinGoisessentialbecauseitprovidesastandardizedwaytoreadandwritebinarydata,ensuringcross-platformcompatibilityandhandlingdifferentendianness.ItoffersfunctionslikeRead,Write,ReadUvarint,andWriteUvarintforprecisecontroloverbinary

See all articles