Comment by ps2026

Comment by ps2026 6 hours ago

2 replies

View on Hacker News

Actually no, I'm rate limiting per individual IP address right now. Good catch... I should probably normalize IPv6 to /64. I was originally thinking about not blocking universities or large groups that share IPs, but I guess that is more of an IPv4 NAT concern. Thanks for pointing it out! I didn't really think about a user rotating through IPs. I didn't add the rate limiting on voting until I removed the fingerprint, so that is for sure a valid concern.

1e1a 6 hours ago

It could make sense to lightly rate limit at /48 in addition to /64 (this is generally the largest subnet size given out by ISPs), otherwise it will be easy for people to multiply your /64 rate limit by 65536.

Reply View 1 reply
  • ps2026 5 hours ago

    Hey thanks for the recommendation. That makes sense. Layered rate limiting at both /64 and /48 with different thresholds. Appreciate the explanation, and I'll be adding this to the list! This is my first time dealing with a public facing app where this type of rate limiting is needed.

    Reply View 0 replies