This repository has been archived by the owner on Feb 27, 2024. It is now read-only.

Rate Limit /64 subnets when remote address is IPv6 #22

csarn opened this issue Mar 10, 2022 · 0 comments
csarn commented Mar 10, 2022

In https://docs.rs/actix-ratelimit/latest/src/actix_ratelimit/middleware.rs.html#62-76, the default identifier for a client is its IP address.
But IPv6 clients usually get at least a /64 assigned to them, so a single machine could easily exhaust memory for the rate-limit store and/or avoid being rate-limited by rotating through IP addresses within its /64.
See also: https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/

I suggest extracting the /64 subnet in the default identifier and thus rate-limiting the complete subnet.
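An added illustration of the proposed identifier, written for this page and not taken from the issue or from the actix-ratelimit crate: IPv4 clients keep their full address as the key, IPv6 clients are keyed by their /64 prefix, and IPv4-mapped IPv6 addresses (what a dual-stack listener sees for v4 clients) fall back to the v4 key. The `Limiter` type, the `"<prefix>/64"` key format and the fixed /64 grouping are assumptions made here for the demonstration; a toy in-memory counter stands in for the crate's store so the effect of address rotation inside one /64 is visible.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv6Addr};

/// Prefix length used to group IPv6 clients. Assumption for this example:
/// /64, the per-customer assignment size the issue describes.
pub const IPV6_PREFIX_LEN: u32 = 64;

/// Keep only the first `prefix_len` bits of an IPv6 address.
pub fn ipv6_prefix(addr: Ipv6Addr, prefix_len: u32) -> Ipv6Addr {
    let bits = u128::from(addr);
    let mask: u128 = if prefix_len == 0 {
        0
    } else {
        u128::MAX << (128 - prefix_len)
    };
    Ipv6Addr::from(bits & mask)
}

/// Rate-limit key for a client address.
/// IPv4: the address itself. IPv6: its /64 prefix, suffixed with "/64" so a
/// masked prefix can never collide with a literal host key. IPv4-mapped IPv6
/// addresses (::ffff:a.b.c.d) are keyed as the embedded IPv4 address.
pub fn rate_limit_identifier(addr: IpAddr) -> String {
    match addr {
        IpAddr::V4(v4) => v4.to_string(),
        IpAddr::V6(v6) => {
            if let Some(v4) = v6.to_ipv4_mapped() {
                return v4.to_string();
            }
            format!("{}/{}", ipv6_prefix(v6, IPV6_PREFIX_LEN), IPV6_PREFIX_LEN)
        }
    }
}

/// Toy fixed-window counter (hypothetical, not the crate's store): allows at
/// most `max` requests per key. Keys come from `rate_limit_identifier`, so all
/// hosts inside one /64 share a single bucket and the store grows per subnet,
/// not per rotated address.
pub struct Limiter {
    max: u32,
    counts: HashMap<String, u32>,
}

impl Limiter {
    pub fn new(max: u32) -> Self {
        Limiter { max, counts: HashMap::new() }
    }

    /// Returns true if the request is allowed and records it.
    pub fn allow(&mut self, addr: IpAddr) -> bool {
        let key = rate_limit_identifier(addr);
        let n = self.counts.entry(key).or_insert(0);
        if *n >= self.max {
            return false;
        }
        *n += 1;
        true
    }

    /// Number of distinct keys currently tracked.
    pub fn tracked_keys(&self) -> usize {
        self.counts.len()
    }
}

fn main() {
    // Constructed sample: three hosts inside one /64, then a fourth.
    let mut limiter = Limiter::new(3);
    let hosts = ["2001:db8:abcd:1234::1", "2001:db8:abcd:1234:1::2", "2001:db8:abcd:1234:ffff::3", "2001:db8:abcd:1234::4"];
    for h in hosts {
        let ip: IpAddr = h.parse().unwrap();
        println!("{h} -> key {} allowed={}", rate_limit_identifier(ip), limiter.allow(ip));
    }
    println!("tracked keys: {}", limiter.tracked_keys());
}
```

With a per-address key the same four requests would occupy four buckets and all pass; with the /64 key they share one bucket, the fourth is refused, and the store holds a single entry for the whole subnet.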
