By default, the user can request an ASP.NET Core web server unlimitedly. The user may request our web server very frequently and submit lots of spam data. Also, too frequent requests may be a terrible attack which may cost our service down and lots of money.

So how can we group the requests by their IP address, limit the frequency of the user requests, and return an error message?

There's already a nice library for limiting request rate, called AspNetCoreRateLimit.

GitHub: https://github.com/stefanprodan/AspNetCoreRateLimit

But that library is too heavy and can't manage filter by controllers and actions. I have to write a simpler one.

First, write an attribute:

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public class LimitPerMin : ActionFilterAttribute
{
    public static Dictionary<string, int> MemoryDictionary = new Dictionary<string, int>();
    public static DateTime LastClearTime = DateTime.UtcNow;

    private readonly int _limit;
    private static object _obj = new object();

    public LimitPerMin(int limit = 30)
    {
        _limit = limit;
    }

    public static void WriteMemory(string key, int value)
    {
        lock (_obj)
        {
            MemoryDictionary[key] = value;
        }
    }

    public static void ClearMemory()
    {
        lock (_obj)
        {
            MemoryDictionary.Clear();
        }
    }

    public static Dictionary<string, int> Copy()
    {
        lock (_obj)
        {
            return new Dictionary<string, int>(MemoryDictionary);
        }
    }

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        base.OnActionExecuting(context);
        if (DateTime.UtcNow - LastClearTime > TimeSpan.FromMinutes(1))
        {
            ClearMemory();
            LastClearTime = DateTime.UtcNow;
        }
        var tempDictionary = Copy();
        var path = context.HttpContext.Request.Path.ToString().ToLower();
        var ip = context.HttpContext.Connection.RemoteIpAddress.ToString();
        if (tempDictionary.ContainsKey(ip + path))
        {
            WriteMemory(ip + path, tempDictionary[ip + path] + 1);
            if (tempDictionary[ip + path] > _limit)
            {
                context.HttpContext.Response.Headers.Add("retry-after", (60 - (int)(DateTime.UtcNow - LastClearTime).TotalSeconds).ToString());
                context.Result = new StatusCodeResult((int)HttpStatusCode.TooManyRequests);
            }
        }
        else
        {
            tempDictionary[ip + path] = 1;
            WriteMemory(ip + path, 1);
        }
        context.HttpContext.Response.Headers.Add("x-rate-limit-limit", "1m");
        context.HttpContext.Response.Headers.Add("x-rate-limit-remaining", (_limit - tempDictionary[ip + path]).ToString());
    }
}

This attribute will save all ip request frequency in a dictionary. And return (int)HttpStatusCode.TooManyRequests if one ip match our limit.

To use this attribute, simply add it to your controller or your action like this:

namespace Aiursoft.Account.Controllers
{
    [LimitPerMin]
    public class AccountController : Controller
    {
    }
}


namespace Aiursoft.Account.Controllers
{
    public class AccountController : Controller
    {
        [LimitPerMin]
        public IActionResult Index()
        {

        }
    }
}

When the user is trying to request our server within our limit, the server will successfully response with headers:

  1. x-rate-limit-limit: 1m
  2. x-rate-limit-remaining: 30

The default limit is 30 requests per minute. The user can't send more requests in a minute and will be rejected.

If you want to override the default limit, use it like this:

[LimitPerMin(20)]