Hacker News new | ask | show | jobs
by ivanjermakov 316 days ago
> Nice idea, interesting project, next time please contact me before.

I understand that my popular service might bring your less popular one to the halt, but please configure it on your end so I know _programmatically_ what its capabilities are.

I host no API without rate-limiting. Additionally, clearly listing usage limits might be a good idea.
2 comments
Aurornis 316 days ago
> I understand that my popular service might bring your less popular one to the halt, but please configure it on your end so I know _programmatically_ what its capabilities are.

Quite entitled expectations for someone using a free and open service to underpin their project.

The requests were coming from distributed clients, not a central API gateway that could respond to rate limiting requests

> I host no API without rate-limiting. Additionally, clearly listing usage limits might be a good idea.

Again, this wasn’t a central, well-behaved client hitting the API from a couple of IPs or with a known API key.

They calculate that per every 1 user of the wlive.place website, they were getting 1500 requests. This implies a lot of botting and scripting.

This is basically load testing the web site at DDoS scale.

link
zamadatix 315 days ago
> The requests were coming from distributed clients, not a central API gateway that could respond to rate limiting requests

The block was done based on URL origin rather than client/token, why wouldn't a rate limiter solution consider the same? For this case (a site which uses the API) it would work perfectly fine. Especially since the bots don't even care about the information from this API so non-site based bots aren't even going to bother to pull the OpenFreeMap tiles.

link
ivanjermakov 316 days ago
Ugh, then I agree. This way it's indistinguishable from DDoS attack.
link
Aeolun 316 days ago
I think it’s reasonable to assume that a free service is not going to deal gracefully with your 100k rps hug of death. The fact that it actually did is an exception, not the rule.

If you are hitting anything free with more than 10rps (temporarily) you are an taking advantage in my opinion.

link