Q: Design an API Rate Limiter (e.g. for Firebase or Github)
You are expected to develop a Rate Limiter services that can:
- Limit the number of requests an entity can send to an API within a time window e.g., 15 requests per second.
- The rate limiting should work for a distributed setup, as the APIs are accessible through a cluster of servers.
(A similar question was asked at Nsdq… )
Q2: how do your cluster of cache servers detect a given IP on the Internet is sending requests too frequently, causing Denial of Service? How do you protect yourself?
Q2b: After you blacklist a client IP, it goes quiet, then it sends a single request again. How you decide whether to ignore the request?
Q2c: what algorithm to decide if a client IP has legitimate need to send lots of requests vs another client IP engaging in Denial of Service attack?
Q2d: what if distributed DoS attack?
https://en.wikipedia.org/wiki/Denial-of-service_attack#Defense_techniques has practical solutions.