
I was studying the Github API and came across the following in their Rate Limiting section

For unauthenticated requests, the rate limit allows for up to 60 requests per hour. Unauthenticated requests are associated with the originating IP address, and not the user making requests.

I was curious to see what HTTP headers are used to track the limits and what happens when they are exceeded, so I wrote a bit of Bash to quickly exceed the 60 requests/hour limit:

# Fire 200 unauthenticated requests at the same endpoint in a row
# so the 60 requests/hour limit is hit well inside the window.
for i in $(seq 1 200); do
  curl https://api.github.com/users/diegomacario/repos
done

Pretty quickly I got the following response:

{
  "message": "API rate limit exceeded for 104.222.122.245. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)",
  "documentation_url": "https://developer.github.com/v3/#rate-limiting"
}

It seems like Github is counting the number of requests from the public IP mentioned in the response to determine when to throttle a client. From what I understand about LANs, there are many devices that share this public IP. Is every device in the LAN behind this IP rate limited because I exceeded the limit? On a side note, what other ways exist of rate-limiting non-authenticated endpoints?

macalaca

  • @Nkosi Hey my question was marked as too broad. Could you explain why that is the case? I'm asking a pretty specific question about how rate limiting is typically implemented. – macalaca Jun 27 '18 at 20:29
  • @Machavity This question keeps getting upvotes even after it was closed. Maybe reconsider opening it? – macalaca Aug 24 '18 at 17:26
  • It does seem that if you get rate limited by IP, all the devices that share that external IP are also locked out. You can experiment by having more than one device run your code above. They will both have different internal IPs, but the external one for everything on that router will be locked. – reticentroot Sep 25 '18 at 21:12
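As an added example (not part of the question, nor GitHub's own code) of the behaviour reticentroot describes: a fixed-window limiter, 60 per hour, keyed on the source IP for anonymous calls and on a token for authenticated ones, so two devices behind one NAT address draw from a single anonymous budget while an authenticated device gets its own. The public IP 203.0.113.7, the token value and the timestamps are constructed for the simulation; the header names mirror GitHub's X-RateLimit-* headers but the values are produced locally.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class FixedWindowLimiter:
    """Counts requests per key inside a fixed window (60 per hour, as in
    the question). Header names mirror GitHub's X-RateLimit-* headers."""
    limit: int = 60
    window_seconds: int = 3600
    _buckets: dict = field(default_factory=dict)  # key -> (window_start, count)

    def check(self, key: str, now: float) -> dict:
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window_seconds:  # window expired: start afresh
            start, count = now, 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self._buckets[key] = (start, count)
        return {
            "allowed": allowed,
            "X-RateLimit-Limit": self.limit,
            "X-RateLimit-Remaining": max(self.limit - count, 0),
            "X-RateLimit-Reset": int(start + self.window_seconds),
        }


def client_key(source_ip: str, token: Optional[str] = None) -> str:
    """Authenticated calls are budgeted per token; anonymous calls per source
    IP, so every device behind one NAT address shares a single budget."""
    return f"token:{token}" if token else f"ip:{source_ip}"


def simulate_shared_nat() -> Tuple[dict, dict, dict]:
    """Two devices behind the constructed (hypothetical) public IP 203.0.113.7."""
    limiter = FixedWindowLimiter()
    nat_ip, t0 = "203.0.113.7", 1_700_000_000.0
    for _ in range(60):                                   # device A burns the budget
        limiter.check(client_key(nat_ip), t0)
    device_b_anon = limiter.check(client_key(nat_ip), t0 + 1)            # blocked
    device_b_auth = limiter.check(client_key(nat_ip, "tok_b"), t0 + 1)   # own budget
    after_reset = limiter.check(client_key(nat_ip), t0 + 3600)           # window rolled
    return device_b_anon, device_b_auth, after_reset


if __name__ == "__main__":
    for label, r in zip(("B anon", "B auth", "after reset"), simulate_shared_nat()):
        print(label, r)
```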
