RAM utilization when using default in-memory storage for express-rate-limit

[aoyshi]

I have a Node app running on an m5.large EC2 instance with 8 GB of RAM.

I am using express-rate-limit to limit the number of requests per unique user of the API, and I am opting to use just the default in-memory store out-of-the-box. As I understand, that would be using the EC2 server's RAM to store the user/timestamp data for each request.

This is what my rate-limiter code looks like:

const erl= require('express-rate-limit');
const limiter = erl({
    windowMs: 60000,
    max: 30,
    skipFailedRequests: true,
    standardHeaders: true,
    legacyHeaders: false,
});

I am worried about the possibility of a scenario where we have a lot of different users accessing the service, which could cause the cache to fill up and use too much of the RAM on the server and cause performance issues. Our API does not have a lot of traffic (which is why we are going with the default in-memory store over Redis for our first release), but I still want to consider the chance of a perf hit from using the server RAM.

My question is:

• Is there a way to set some sort of size limit on the cache that express-rate-limit uses in this default, in-memory situation?
• Could you help me with risk assessment? For example, at how many requests/min/unique user would the default in-memory store option be a problem for an 8GB RAM? If the number is so high that it's wayyy out of the ballpark for our API usage, then I can safely not worry about this scenario in the first place.

[nfriedly]

The default memory store now stores only an IP address a a number of hits since the current window started, so your memory usage goes up with the number of unique IPs, but not the total amount of traffic. 10000 hits from a given IP takes up the same amount of memory as a single hit from that IP.

The hits number is always a 64-bit float, and an IPv4 address is 7-15 characters at 16 bits each, plus there will be a little memory taken up for the mapping of IP => hits. So, call it ~320 bits or 40 bytes per unique IP. If your window size is 1 hour, and you get hits from a million unique IPs per hour, then the memory store will use around 40 megabytes of RAM. (And then it will be reset to ~0 at the end of the hour.)

Browser optimizations may affect this also, e.g. they may store the hits number as a 32-bit integer, reducing RAM usage.

I really can't envision any scenario where the memory store becomes a problem because of RAM usage.

[aoyshi]

Thank you so so much for this extremely detailed reply. This is exactly what I needed. Awesome!