Changes to restful-booker.herokuapp.com

Hi all,

I’ve been made aware that https://restful-booker.herokuapp.com has been getting slower in returning responses and I had a look into what was going on. Turns out there are bots that are constantly spamming the API and even though it resets every 10 minutes 10,000+ bookings are being stored in the API.

So what to do?

I’ve added a rate limiter to the API, meaning that if you send too many requests in a 10 minute window your subsequent requests will be throttled. At the moment the limit is set to 200 requests in 10 minutes.

I’m raising this because I want to make sure that I have a sensible limit that slows the bots down but doesn’t impact real users. So if you have any issues, please let me know and I’ll look into tweaking the limit so it fits better for everyone.

9 Likes

So it appears that adding the throttler didn’t work for specific APIs and closed everyone’s requests down. I’ve rolled this back and will consider options.

It may be that I have to add some level of auth to the POST /booking endpoint to deal with bots.

Mark, if I remember correctly there was a token-based auth on the POST requests, or am I wrong?
Anyway, I will follow this post since I plan to use the API for the MOT Workshop.

Can you block the IP address ranges for those bots? Or is it not really worth the effort?

Perhaps. The API itself isn’t super sophisticated so I’d have to look at Heroku to see if it can tell me anything and block from there. Will get some Dev help to look at it for sure.

1 Like

It’s probably somebody who uses it as a performance testing training platform and has it set up in a CI/CD pipeline to validate it still works :smiley:

On the other hand, it might be someone who’s trying to do you some evil things! :open_mouth:

Banning or blocking the IP might not be a solution tbh, but a rate limiter returning 429 for them would be.
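For anyone wanting to see what the limiter discussed in this thread looks like in practice (the 200 requests per 10 minute window from Mark's first post, and the 429 response suggested in the last reply), here is an added example. It is not restful-booker's own code; the only figures taken from the thread are the limit and window. The client key, the `X-Forwarded-For` handling, the `scope` predicate for restricting the limit to particular routes (such as `POST /booking`), and the Express-style `(req, res, next)` signature are my assumptions about how it would be wired in.

```javascript
// Added example (not restful-booker's code): a fixed-window rate limiter keyed
// by client address that answers HTTP 429 with a Retry-After header once a
// client exceeds the limit. The limit and window come from the thread above.

const LIMIT = 200;                 // requests allowed per window
const WINDOW_MS = 10 * 60 * 1000;  // 10 minutes

// `now` is injectable so the limiter can be exercised with a fake clock.
function createRateLimiter({ limit = LIMIT, windowMs = WINDOW_MS, now = Date.now } = {}) {
  const buckets = new Map(); // key -> { windowStart, count }

  // Record one request for `key` and say whether it is within the limit.
  function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.windowStart >= windowMs) {
      b = { windowStart: t, count: 0 };   // start a fresh window
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= limit;
    const resetMs = b.windowStart + windowMs - t;
    return {
      allowed,
      remaining: Math.max(0, limit - b.count),
      retryAfterSec: allowed ? 0 : Math.ceil(resetMs / 1000),
    };
  }

  // Drop buckets whose window has expired so memory does not grow with every
  // address the bots ever used. Returns the number of live buckets.
  function prune() {
    const t = now();
    for (const [key, b] of buckets) {
      if (t - b.windowStart >= windowMs) buckets.delete(key);
    }
    return buckets.size;
  }

  return { check, prune, size: () => buckets.size };
}

// Pick the address to key on. Assumption: the app sits behind a reverse proxy
// (Heroku's router) that appends the connecting address to X-Forwarded-For, so
// the rightmost entry is the one the proxy saw; anything to its left may have
// been supplied by the client and is not trusted. Without the header, fall
// back to the socket address (which behind the proxy would be the proxy's own,
// collapsing every client into one bucket).
function clientKey(req) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (typeof xff === 'string' && xff.trim().length > 0) {
    const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
    return hops[hops.length - 1];
  }
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// Express-style middleware. `scope(req)` decides which requests the limit
// applies to, so it can be confined to the abused endpoint (e.g. POST /booking)
// instead of throttling every route for everyone.
function rateLimitMiddleware(limiter, scope = () => true) {
  return function (req, res, next) {
    if (!scope(req)) return next();
    const verdict = limiter.check(clientKey(req));
    res.setHeader('X-RateLimit-Remaining', String(verdict.remaining));
    if (verdict.allowed) return next();
    res.setHeader('Retry-After', String(verdict.retryAfterSec));
    res.status(429).json({ error: 'Too many requests' });
  };
}
```

With `createRateLimiter()` using the defaults, `rateLimitMiddleware(limiter, (req) => req.method === 'POST' && req.path === '/booking')` would throttle only booking creation, which is the kind of per-endpoint scoping that avoids the "closed everyone's requests down" outcome described earlier in the thread. Keying on the rightmost `X-Forwarded-For` hop only holds if the app is reachable solely through the proxy.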