
I need to rate limit an API server. Is it possible to configure a machine to rate limit requests per MAC address? If not, are there any other viable options?

I want to rate limit per MAC, because multiple users could share one IP.

  • You want to rate limit per MAC, so all the users are on one single LAN, aren't they? –  Jan 22 '13 at 00:18
  • I don't know what you mean. –  Jan 22 '13 at 00:24
  • MAC addresses are administratively assignable these days. Maybe 20 years ago NICs couldn't do this, but faking a different MAC is trivial these days. – Chris S Jan 22 '13 at 01:25
  • Rate-limiting by MAC is a bad idea: on your LAN, everyone on the Internet shares a MAC address -- the MAC address of your router. – David Schwartz Jan 22 '13 at 09:40

2 Answers


MAC addresses are purely an OSI Layer 2 phenomenon. Once a packet passes through a router, MAC address information from the source machine is no longer available.

So as the above person commented, if you're only offering this service to internal users, and those users as well as the service itself are all on the same Layer 2 network, then this might be possible. That seems highly unlikely, though. Conversely, if your users are scattered around the internet, then you'll need to use some other rate limiting scheme (IP, API key, etc.).

EEAA

You need to redesign your application.

You can't rate limit by MAC address because you have absolutely no way to obtain the user's MAC address, since you are not on the user's local network.

The way everyone else does this is to issue unique API keys to each individual user, and then to rate limit usage by API key.

Michael Hampton
  • The problem is, the web app is a client of the API itself. So if I would issue API keys, someone could just abuse the key of the web (JS) client. –  Jan 22 '13 at 01:22
  • In that case you have even more redesigning to do... – Michael Hampton Jan 22 '13 at 01:24
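An added example, not code from either answer, of the per-API-key scheme Michael Hampton describes: a hypothetical in-memory token bucket keyed by API key, with unkeyed requests falling back to the tighter per-IP limit EEAA mentions. The `FakeClock` is constructed so the demo is deterministic; a real server would use `time.monotonic`.

```python
import time


class TokenBucket:
    """Allows `capacity` burst requests, refilling at `rate` tokens per second."""

    def __init__(self, capacity, rate, now):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)  # start full so a fresh key can burst
        self.updated = now

    def try_consume(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiRateLimiter:
    """Hypothetical limiter: one bucket per API key; no key -> one bucket per client IP."""

    def __init__(self, key_capacity=10, key_rate=1.0, ip_capacity=3, ip_rate=0.1,
                 clock=time.monotonic):
        self.clock = clock
        self.key_limits = (key_capacity, key_rate)
        self.ip_limits = (ip_capacity, ip_rate)  # stricter: shared by everyone behind a NAT
        self.buckets = {}

    def allow(self, api_key, client_ip):
        now = self.clock()
        if api_key:
            ident, (cap, rate) = "key:" + api_key, self.key_limits
        else:
            ident, (cap, rate) = "ip:" + client_ip, self.ip_limits
        bucket = self.buckets.get(ident)
        if bucket is None:
            bucket = self.buckets[ident] = TokenBucket(cap, rate, now)
        return bucket.try_consume(now)


class FakeClock:
    """Constructed clock for a deterministic demonstration."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```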