ASP.NET Core 7 - Introduction of Rate Limiting middleware


In the last article, we discussed DoS and DDoS attacks. In .NET Core 7, Microsoft has introduced built-in middleware, called Rate Limiting middleware, to help prevent such attacks.

In previous versions, we used the NuGet package "AspNetCoreRateLimit" to implement rate limiting functionality.

Now, I am going to explain Rate limiting middleware in detail in this article, and in the upcoming article, we will implement it.

We are going to cover,

  1. What is Rate Limiting?
  2. Benefits of Rate Limiting Middleware.
  3. Types of Rate Limiters
    • Concurrency limit
    • Fixed Window limit
    • Sliding window limit
    • Token bucket limit


Prerequisites

  1. Visual Studio 2022 + .NET Core 7.0
  2. Basic understanding of DoS and DDoS attacks. If you are not aware of these attacks, I recommend reading this article first and then coming back.

Let’s start with what rate limiting is.

What is Rate Limiting?

Each server has its own configuration (CPU, RAM, hard drive, etc.), and that determines how many requests the server can handle in a given time (per second or per minute).

Let’s assume that you have a server that can handle 1000 requests per second. What happens if someone launches a DoS/DDoS attack and makes 100,000 requests per second?

Your server will not be able to handle these requests and will become unavailable or crash, right? In such a situation, rate limiting helps us limit the number of requests per second.

Rate limiting caps the maximum number of requests per second (network traffic) so that the server is not overwhelmed by too many requests.


Let’s now discuss what attacks can be prevented using Rate Limiting Middleware.

Benefits of the Rate Limiting Middleware

We can protect our applications from many attacks using Rate Limiting Middleware.

Below are a few important attacks that can be prevented:

  1. DoS attack - Please see this article to understand.
  2. DDoS attack - Please see this article to get a better understanding.
  3. Brute force attack - A trial-and-error method used to decode sensitive data.
  4. Data scraping attacks - The process of using an application to extract valuable information from a website.
  5. Enumeration attacks - A technique that iterates through possible values in an attempt to obtain secure data.

We can get the below benefits after preventing the above listed attacks,

  1. It will increase the security of the application.
  2. It will provide stability and reliability to your application.
  3. Performance will increase as we have limited the number of requests.
  4. It will increase the availability of your application as we can block malicious users.

Types of Rate Limiters

The “RateLimiterOptionsExtensions” class provides extension methods that offer the rate limiters below. This class belongs to the “Microsoft.AspNetCore.RateLimiting” namespace.

For each limiter, the number of requests allowed in a given time is fixed. Microsoft has divided the limiters into the following types, based on time and number of requests:

  1. Concurrency
  2. Fixed Window
  3. Sliding Window
  4. Token Bucket Limit

Concurrency Limit

The concurrency limiter limits how many concurrent requests can access the resources of the server.

Let’s look at an example.

Suppose the concurrency limiter's limit is 100. Then 100 concurrent requests can be processed, at which point the number of remaining allowed requests is 0. If request 101 arrives, it will not be allowed to proceed.

When the first request completes, the number of allowed requests becomes 1. When the second request completes, it becomes 2, and so on.

Fixed window Limit

It is a fixed window: both the number of requests and the time period are fixed.

Let’s discuss this more precisely.

Suppose a fixed window limiter of “120 requests per minute” is applied. In this case:

  1. Only 120 requests can be processed in a minute.
  2. There can be 120 concurrent requests or 2 requests per second.

Any combination of requests can be made within the given time.

Sliding window Limit

The sliding window limit is like the fixed window limiter but uses segments for more fine-grained limits.

E.g., the sliding window limit is 120 requests per minute but with 2 requests per second.

Token bucket limit

The token bucket limit controls the flow rate and allows for bursts.

The token bucket algorithm ensures that a fixed number of tokens is added to the bucket after each replenishment period. Each request consumes a token from the bucket, and if the bucket is empty, the request is rejected.

Suppose we have allowed 120 requests per minute. If you make all the requests in 20 seconds, you then need to wait 40 seconds, which means a complete minute must pass before you can make more requests.
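The four limiter types described above, registered through the “Microsoft.AspNetCore.RateLimiting” extension methods with the limits used in this article's examples. This is an added example, not code from the original article; it assumes a .NET 7 web project with implicit usings, and the policy names, endpoint paths and segment count are hypothetical.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRateLimiter(options =>
{
    // The middleware rejects with 503 by default; 429 tells clients they were throttled.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Concurrency: at most 100 requests in flight; a permit frees up when a request completes.
    options.AddConcurrencyLimiter("concurrency", o => { o.PermitLimit = 100; o.QueueLimit = 0; });

    // Fixed window: 120 requests per one-minute window; the count resets when the window ends.
    options.AddFixedWindowLimiter("fixed", o =>
    {
        o.PermitLimit = 120;
        o.Window = TimeSpan.FromMinutes(1);
        o.QueueLimit = 0; // reject immediately instead of queueing
    });

    // Sliding window: same budget, tracked in 6 ten-second segments (segment count is an assumption).
    options.AddSlidingWindowLimiter("sliding", o =>
    {
        o.PermitLimit = 120;
        o.Window = TimeSpan.FromMinutes(1);
        o.SegmentsPerWindow = 6;
        o.QueueLimit = 0;
    });

    // Token bucket: holds up to 120 tokens; 120 tokens are added every replenishment period.
    options.AddTokenBucketLimiter("token", o =>
    {
        o.TokenLimit = 120;
        o.TokensPerPeriod = 120;
        o.ReplenishmentPeriod = TimeSpan.FromMinutes(1);
        o.AutoReplenishment = true;
        o.QueueLimit = 0;
    });
});

var app = builder.Build();
app.UseRateLimiter();

// Hypothetical endpoints, one per policy.
app.MapGet("/concurrency", () => "ok").RequireRateLimiting("concurrency");
app.MapGet("/fixed", () => "ok").RequireRateLimiting("fixed");
app.MapGet("/sliding", () => "ok").RequireRateLimiting("sliding");
app.MapGet("/token", () => "ok").RequireRateLimiting("token");

app.Run();
```

Each named policy registered this way keeps one shared counter for every caller of the endpoints it is attached to. Limiting each client separately requires a partitioned policy keyed on something like the client address or user identity.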


In this article, we have discussed Rate Limiting middleware and all of its types available in .NET Core 7. I will implement the same concept in detail in the upcoming article.

I hope you enjoyed this article and found it useful.