How can implement rate limiting based on client IP in a .NET Core API

Here's a general approach to implementing rate limiting based on client IP in a .NET Core API:

Steps to Implement Rate Limiting Based on Client IP:

Create a Rate Limiting Middleware: You'll need to create middleware that can track the requests per IP. This middleware will check the request frequency for each client and decide whether the client can proceed or not.
Use a Store for Tracking Requests: You can store the request data in-memory, in a distributed cache like Redis, or even in a database, depending on the scale of your application.
Implement Logic for Limiting: The logic will check how many requests an IP has made in the last time window (e.g., the last minute or hour). If the limit is exceeded, the client should be blocked from making further requests.

Here's an example of how to implement this:

Step 1: Create a RateLimitingMiddleware

csharp
using Microsoft.AspNetCore.Http;
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;

public class RateLimitingMiddleware
{
    private static readonly ConcurrentDictionary<string, RequestInfo> Requests = new();
    private readonly RequestDelegate _next;
    private readonly int _requestLimit;
    private readonly TimeSpan _timeWindow;

    public RateLimitingMiddleware(RequestDelegate next, int requestLimit = 100, int timeWindowInSeconds = 60)
    {
        _next = next;
        _requestLimit = requestLimit;
        _timeWindow = TimeSpan.FromSeconds(timeWindowInSeconds);
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var ipAddress = context.Connection.RemoteIpAddress?.ToString();
        if (ipAddress == null)
        {
            await _next(context);
            return;
        }

        var requestInfo = Requests.GetOrAdd(ipAddress, new RequestInfo());

        // Clean up expired requests
        requestInfo.Requests.RemoveAll(r => r < DateTime.UtcNow - _timeWindow);

        // If the limit is exceeded, return a 429 status code
        if (requestInfo.Requests.Count >= _requestLimit)
        {
            context.Response.StatusCode = StatusCodes.Status429TooManyRequests;
            context.Response.ContentType = "application/json";
            await context.Response.WriteAsync("{\"message\":\"Rate limit exceeded\"}");
            return;
        }

        // Record the current request time
        requestInfo.Requests.Add(DateTime.UtcNow);

        // Proceed to the next middleware
        await _next(context);
    }

    private class RequestInfo
    {
        public List<DateTime> Requests { get; } = new List<DateTime>();
    }
}

Step 2: Register Middleware in `Startup.cs`

In the Configure method of Startup.cs, add the rate-limiting middleware to the request pipeline:

csharp
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // Add the rate limiting middleware before other middlewares
        app.UseMiddleware<RateLimitingMiddleware>();

        app.UseRouting();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

Step 3: Testing

You can now test your API, and any client that exceeds the request limit will get a 429 Too Many Requests response.

Optional Enhancements:

Distributed Cache (e.g., Redis): For a scalable solution, especially in distributed environments, you can replace the in-memory ConcurrentDictionary with a distributed cache like Redis, which allows rate limits to persist across multiple instances.
Customizable Limits: You can make the request limit and time window configurable via appsettings.json or environment variables.
IP Banning: After a certain threshold of limit violations, you could implement IP banning or temporary suspension.
Logging and Monitoring: It’s a good practice to log the rate limiting activities for monitoring and diagnostics.

Example of Redis Implementation

If you're using Redis for tracking the rate limits:

Install the StackExchange.Redis NuGet package.
Modify your middleware to interact with Redis to store request counts per IP.

csharp 
using StackExchange.Redis;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Options;

Then use IDistributedCache (for Redis or in-memory) to store the request counts in Redis and manage expiration times effectively.

By implementing rate limiting based on the client IP, you can effectively protect your API from abuse or excessive load.

People Who Code | Blog