Rate Limiting
Rate limiting is an important mechanism for controlling resource utilization and managing quality of service. Gate includes built-in rate limiters to protect your network from abuse and attacks.
Overview
Gate provides IP-based rate limiting to prevent aggressive connection attempts and API flooding. The rate limiters operate at the network edge, disconnecting excessive connections before they consume server resources.
Rate limiting configuration is found under the `quota` section of your `config.yml`.
Rate Limiter Types
Gate includes two types of rate limiters:
Connection Limiter
Triggered upfront on any new connection attempt, before any authentication or data processing.
Purpose: Prevents connection flooding and protects server resources
Login Limiter
Triggered just before authenticating a player with Mojang’s authentication servers.
Purpose: Prevents flooding the Mojang API and protects against authentication abuse
How It Works
Each rate limiter is IP block based, cutting off the last numbers (/24 block) as in 255.255.255.xxx.
Too many connections from the same IP block (as configured) will simply be disconnected.
Configuration
Basic Configuration
Rate limiting is configured under the `quota` section in `config.yml`:
Connection Limiter Settings
| Setting | Description | Default | Recommended |
|---|---|---|---|
| enabled | Enable connection rate limiting | true | true |
| ops | Operations per second allowed per IP block | 5 | 3-10 |
| burst | Maximum burst operations | 10 | 5-15 |
| maxEntries | Maximum IP blocks to track in cache | 1000 | 1000-5000 |
Login Limiter Settings
| Setting | Description | Default | Recommended |
|---|---|---|---|
| enabled | Enable login rate limiting | true | true |
| ops | Operations per second allowed per IP block | 0.4 | 0.4-1.0 |
| burst | Maximum burst operations | 3 | 2-5 |
| maxEntries | Maximum IP blocks to track in cache | 1000 | 1000-5000 |
Understanding Parameters
Operations Per Second (ops)
The sustained rate of operations allowed from an IP block:
- Connection limiter: `ops: 5` means 5 connections per second
- Login limiter: `ops: 0.4` means 1 login every 2.5 seconds (0.4 = 1/2.5)
Burst
The maximum number of operations that can happen in a short time window:
- Allows temporary spikes in legitimate traffic
- One burst unit is refilled per second
- Example: `burst: 10` allows up to 10 rapid connections, then enforces the `ops` rate
Max Entries
The maximum number of unique IP blocks to track:
- When full, oldest entries are evicted
- Higher values = more memory usage but better tracking
- Should be sized based on expected unique IPs
Example Configurations
Small Server (< 50 players)
Medium Server (50-200 players)
Large Server (200+ players)
Development/Testing
Rate Limiting Behavior
Token Bucket Algorithm
Gate uses a token bucket algorithm for rate limiting:
- Each IP block has a bucket with `burst` tokens
- Each operation consumes 1 token
- Tokens refill at `ops` rate per second
- If bucket is empty, connection is rejected
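The token bucket described above, as an added Go example (not Gate's own code): `NewLimiter`, `blockKey` and the sample addresses are assumptions made for illustration, and the values are the login limiter defaults from the table.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"time"
)

type bucket struct {
	tokens float64
	last   time.Time
}

// blockKey drops the last octet so a whole /24 maps to one key.
func blockKey(ip string) string {
	if p := net.ParseIP(ip).To4(); p != nil {
		return p.Mask(net.CIDRMask(24, 32)).String() + "/24"
	}
	return ip // assumption: non-IPv4 input is keyed as given
}

// NewLimiter is a hypothetical stand-in for one Gate limiter (not Gate's code).
// It returns an allow func that keeps one token bucket per /24 block.
func NewLimiter(ops, burst float64) func(ip string, now time.Time) bool {
	buckets := map[string]*bucket{}
	return func(ip string, now time.Time) bool {
		b := buckets[blockKey(ip)]
		if b == nil {
			b = &bucket{burst, now} // unseen block starts with a full bucket
			buckets[blockKey(ip)] = b
		}
		b.tokens = math.Min(burst, b.tokens+now.Sub(b.last).Seconds()*ops)
		b.last = now
		if b.tokens < 1 {
			return false // empty bucket: the connection is rejected
		}
		b.tokens--
		return true
	}
}

func main() {
	allow, t0 := NewLimiter(0.4, 3), time.Unix(0, 0) // login limiter defaults
	for _, ip := range []string{"203.0.113.10", "203.0.113.77", "203.0.113.200", "203.0.113.31"} {
		fmt.Println(ip, allow(ip, t0)) // constructed addresses in one /24
	}
	fmt.Println("after 2.5s:", allow("203.0.113.31", t0.Add(2500*time.Millisecond)))
}
```

The fourth address is rejected although it has never connected before, because all four share one /24 bucket; this is the situation covered under Players from Large Networks Blocked.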
What Gets Rate Limited
Connection Limiter applies to:
- Initial TCP connections
- Handshake attempts
- Status ping requests
- Any new connection attempt
Login Limiter applies to:
- Mojang authentication requests
- Premium account validation
- Online mode login attempts
Tuning for Your Network
Symptoms of Too Strict Limits
- Legitimate players getting disconnected
- “Connection throttled” messages in logs
- Players unable to join during peak times
Increase `ops` and `burst` values
Symptoms of Too Lenient Limits
- Successful bot attacks
- Server resource exhaustion
- Lag spikes during connection floods
Decrease `ops` and `burst` values
Monitoring
Check your Gate logs for rate limiting events:
DDoS Protection
For comprehensive DDoS protection:
- Use rate limiting - Protects against single-IP abuse
- Implement network-level filtering - Firewall rules, DDoS mitigation services
- Use proxy services - Cloudflare, TCPShield, or similar
- Configure connection limits - At OS level (ulimit, iptables)
See the DDoS Protection guide for comprehensive server protection strategies.
Best Practices
Start Conservative
Begin with default settings and adjust based on actual traffic patterns
Monitor Logs
Regularly check logs for rate limiting events to tune settings
Test Changes
Test rate limit changes in development before deploying to production
Consider Network Size
Scale `maxEntries` based on expected unique IP addresses
Recommended Practices
- Enable both limiters - Connection and login protection work together
- Set realistic bursts - Allow for legitimate connection spikes
- Monitor and adjust - Fine-tune based on real-world traffic
- Document changes - Keep notes on why you adjusted limits
- Layer defenses - Combine rate limiting with other security measures
Troubleshooting
Legitimate Players Being Rate Limited
Cause: Settings too strict for your player base
Solution:
Bots Still Getting Through
Cause: Settings too lenient
Solution:
Players from Large Networks Blocked
Cause: Many players sharing same /24 IP block (schools, offices)
Solution:
Mojang Authentication Failures
Cause: Login limiter too strict
Solution:
Advanced Configuration
Disable Rate Limiting
For development or trusted environments:
Very Strict Protection
For servers under heavy attack:
Performance Impact
Rate limiting has minimal performance overhead:
- Memory: ~100 bytes per tracked IP block
- CPU: Negligible (simple token bucket operations)
- Latency: < 1ms additional per connection
- 1,000 entries ≈ 100 KB
- 5,000 entries ≈ 500 KB
- 10,000 entries ≈ 1 MB
Summary
Rate limiting is a critical security feature that:
- Protects against connection floods
- Prevents Mojang API abuse
- Maintains server performance
- Blocks single-source attacks

