zae-limiter DynamoDB Throttling Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in zae-limiter, a token-bucket rate limiting library backed by DynamoDB. This issue affects versions through 0.10.0. The vulnerability arises because all rate limit buckets for a single entity share the same DynamoDB partition key, so every limit check for that entity is a write against one partition. DynamoDB caps each physical partition at 1,000 write units and 3,000 read units per second regardless of the table's provisioned or on-demand capacity, so an entity whose traffic approaches that rate triggers throttling that degrades service for that entity and potentially for other entities whose keys are stored in the same partition.

Impact

A high-traffic entity, whether legitimate or attacker-controlled, experiences increased latency and rejected requests while still below its configured rate limit: the limiter's own storage fails before the limit is reached, so the entity is degraded beyond what its rate limit specifies. Other entities whose keys are co-located in the same DynamoDB partition suffer collateral throttling even when their own request rates are low.

Reproduction

To reproduce this vulnerability, create an entity with high rate limits, such as 100,000 requests per minute (roughly 1,667 requests per second, above the 1,000 write units per second a single DynamoDB partition can absorb). Then send sustained traffic of over 1,000 requests per second to that entity. Monitor the 'ThrottledRequests' CloudWatch metric for the table in the AWS/DynamoDB namespace for increases, and observe latency spikes and 'RateLimiterUnavailable' exceptions raised by the library while the traffic is running.

Remediation

Users can upgrade to zae-limiter version 0.10.1, which addresses this vulnerability by implementing a pre-sharding design that spreads each entity's rate limit buckets across multiple DynamoDB partition keys, so no single partition absorbs all of that entity's writes, thereby mitigating the risk of throttling.
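The hot-partition mechanism described in the Vulnerability section and the pre-sharding mitigation described above, as an added illustration that is not zae-limiter's own code. The key layouts (ENTITY#/BUCKET#/SHARD#), the shard-selection rule, the one-conditional-write-per-check cost model and the even split of the limit across shards are assumptions made for this example; the 1,000 write units per second per partition ceiling is AWS's documented DynamoDB figure.

```python
"""Hot-partition demo: unsharded vs. pre-sharded DynamoDB keys for a rate limiter.

Constructed example. The key schema below is hypothetical and is not the real
zae-limiter table layout; it only shows why one partition key per entity
becomes a hot partition and how a shard index in the key spreads the load.
"""
from collections import Counter
import math
import random

# Documented AWS ceiling for a single physical DynamoDB partition.
DYNAMODB_WCU_PER_PARTITION = 1000


def unsharded_key(entity_id: str, resource: str) -> tuple[str, str]:
    """Vulnerable layout (assumed): every bucket of an entity hangs off one
    partition key, so all of that entity's writes land in one partition."""
    return (f"ENTITY#{entity_id}", f"BUCKET#{resource}")


def sharded_key(entity_id: str, resource: str, shard: int) -> tuple[str, str]:
    """Pre-sharded layout (assumed): the shard index is baked into the
    partition key, giving the entity shard_count distinct partition keys."""
    return (f"ENTITY#{entity_id}#SHARD#{shard}", f"BUCKET#{resource}")


def min_shards(limit_per_minute: int, headroom: float = 2.0) -> int:
    """Smallest shard count such that a client running flat out at its
    configured limit stays under the per-partition write ceiling with the
    given headroom. Models each limit check as exactly one conditional write."""
    peak_writes_per_second = limit_per_minute / 60.0
    needed = peak_writes_per_second * headroom / DYNAMODB_WCU_PER_PARTITION
    return max(1, math.ceil(needed))


def per_shard_capacity(limit_per_minute: int, shard_count: int) -> int:
    """Each shard enforces an even share of the limit. Enforcement becomes
    approximate: a burst can exhaust one shard while others still hold tokens,
    so the effective limit is slightly below the configured one."""
    return limit_per_minute // shard_count


def simulate_writes(entity_id: str, resource: str, writes_per_second: int,
                    shard_count: int, seed: int = 0) -> Counter:
    """Count writes per partition key for one second of traffic. With one
    shard the unsharded key is used; otherwise each request picks a shard
    uniformly at random (deterministic here via the seed)."""
    rng = random.Random(seed)
    load: Counter = Counter()
    for _ in range(writes_per_second):
        if shard_count == 1:
            pk, _sk = unsharded_key(entity_id, resource)
        else:
            pk, _sk = sharded_key(entity_id, resource, rng.randrange(shard_count))
        load[pk] += 1
    return load


def hottest_partition(load: Counter) -> int:
    """Write rate seen by the busiest partition key."""
    return max(load.values())


def would_throttle(load: Counter) -> bool:
    """True if any single partition key exceeds the per-partition ceiling."""
    return hottest_partition(load) > DYNAMODB_WCU_PER_PARTITION


if __name__ == "__main__":
    limit = 100_000                      # requests per minute, as in the advisory
    rps = math.ceil(limit / 60)          # 1667 writes/s if the client runs at its limit
    hot = simulate_writes("tenant-a", "api", rps, shard_count=1)
    print("unsharded:", dict(hot), "throttles:", would_throttle(hot))
    shards = min_shards(limit)
    spread = simulate_writes("tenant-a", "api", rps, shard_count=shards)
    print(f"{shards} shards, {per_shard_capacity(limit, shards)} req/min each:",
          dict(spread), "throttles:", would_throttle(spread))
```

With the advisory's 100,000 requests per minute, the single-key layout puts all 1,667 writes per second on one partition and crosses the 1,000 write-unit ceiling; the same traffic over four shard keys peaks at a few hundred writes per partition. The trade-off a practitioner should expect from any pre-sharding scheme is that each shard enforces only its share of the limit, so enforcement is approximate rather than exact, and the shard count must be chosen from the largest limit the deployment allows, not from average traffic.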

Added: Feb 25, 2026, 3:41 PM
Updated: Feb 25, 2026, 3:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.