Simon Willison’s Weblog

Subscribe

7 items tagged “ratelimiting”

2024

aiolimiter. I found myself wanting an asyncio rate limiter for Python today—so I could send POSTs to an API endpoint no more than once every 10 seconds. This library worked out really well—it has a very neat design and lets you set up rate limits for things like “no more than 50 items every 10 seconds”, implemented using the leaky bucket algorithm. # 20th February 2024, 1:15 am

2022

However, six digits is a very small space to search through when you are a computer. The biggest problem is going to be getting lucky, it’s quite literally a one-in-a-million shot. Turns out you can brute force a TOTP code in about 2 hours if you are careful and the remote service doesn’t have throttling or rate limiting of authentication attempts.

Push notification two-factor auth considered harmful # 17th September 2022, 2:45 pm

2018

Scaling a High-traffic Rate Limiting Stack With Redis Cluster. Brandur Leach describes the simple, elegant and performant design of Redis Cluster, and talks about how Stripe used it to scaled their rate-limiting from one to ten nodes. # 26th April 2018, 6:34 pm

2013

How could GitHub improve the password security of its users?

By doing exactly what they’re doing already: adding more sophisticated rate limiting, and preventing users from using common weak passwords.

[... 80 words]

5:50 pm / 20th November 2013 / github, passwords, ratelimiting, security, quora, open-source

2010

Does Twitter use a 3rd party software for rate limiting their APIs? If yes, who’s the 3rd party?

I wrote up a technique for doing simple rate limiting using memcached a while ago, which I later found out was somewhat similar to how the Twitter API does it.

[... 56 words]

2:27 pm / 21st November 2010 / apis, ratelimiting, twitter, quora

2009

Rate limiting with memcached

On Monday, several high profile “celebrity” Twitter accounts started spouting nonsense, the victims of stolen passwords. Wired has the full story—someone ran a dictionary attack against a Twitter staff member, discovered their password and used Twitter’s admin tools to reset the passwords on the accounts they wanted to steal.

[... 910 words]

10:27 pm / 7th January 2009 / counters, django, github, memcached, projects, python, ratelimitcache, ratelimiting, security, twitter

2008

Decorator to limit request rates to individual views. Neat piece of code for public facing web APIs written in Django. Update: some smart criticisms in the comments. # 24th September 2008, 1:13 pm

Related