At 2005-06-27 22:34, Brion Vibber wrote:
So, there isn't any way to identify the individual applications. But there is a way to identify the individuals who are using the application which is using the API. Why do you want to block the application? Just limit the use of the API to 1000 accesses an hour by IP-address (replace with different numbers as you see more fit). That blocks any application that is misbehaving.
Amazon's webservices have 'solved' the problem by allowing no more than one request per second from any IP address.
This however doesn't work properly, because the clients can't control whether they have a lot of visitors at once and then none for a length of time. Some (not very efficient) applications also request 10 results at once and then none for a while.
What I proposed was a simple mechanism: Give every IP-address a credit of, say, 60 requests and decrement this by one for every request successfully handled and increase the credit by one every second (up to the maximum of 60). As soon as the credit is zero the system either delays the response until there is credit again (so up to one second later) (preferred method) or it sends back an appropriate error message.
This system is easy to implement and it will give the clients a lot of freedom, but it will effectively limit the access by IP-addresses that send too many requests per unit of time.
Of course the values of the parameters are open to discussion.
Greetings, Jaap
-- My Amazon scripts: -- http://www.chipdir.nl/amazon/
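
The credit scheme proposed in the message above, sketched as an added example (not code from the original post or from any project it discusses). The class and method names are hypothetical; it covers both the error-message variant and the delay variant, and adds a purge step so the per-address table does not grow without bound.

```python
import time

class CreditLimiter:
    """Per-client credit: spend 1 per request, regain `rate` per second up to `max_credit`."""

    def __init__(self, max_credit=60, rate=1.0, clock=time.monotonic):
        self.max_credit = float(max_credit)
        self.rate = float(rate)
        self.clock = clock          # injectable so the logic can be tested without sleeping
        self._state = {}            # ip -> (credit, time of last update)

    def _credit(self, ip, now):
        # Unknown clients start with full credit; known ones are refilled lazily.
        credit, last = self._state.get(ip, (self.max_credit, now))
        return min(self.max_credit, credit + (now - last) * self.rate)

    def try_acquire(self, ip):
        """Error-message variant: False means reject the request now."""
        now = self.clock()
        credit = self._credit(ip, now)
        allowed = credit >= 1.0
        self._state[ip] = (credit - 1.0 if allowed else credit, now)
        return allowed

    def delay_for(self, ip):
        """Delay variant: seconds to hold the response. Credit may go negative,
        which spaces queued requests one refill interval apart."""
        now = self.clock()
        credit = self._credit(ip, now)
        wait = max(0.0, (1.0 - credit) / self.rate)
        self._state[ip] = (credit - 1.0, now)
        return wait

    def purge(self):
        """Forget clients whose credit is full again; returns entries still tracked."""
        now = self.clock()
        for ip in [ip for ip in self._state if self._credit(ip, now) >= self.max_credit]:
            del self._state[ip]
        return len(self._state)
```

In the delay variant a server would normally also cap the wait and reject beyond it, since otherwise one address can keep many connections held open.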