hits_addend causes counter pollution across multiple descriptors in a single RateLimitRequest

[austinmacrbx]

When Envoy sends a RateLimitRequest containing multiple descriptors, the Rate Limit Service applies the hits_addend to every descriptor in the list. If a request matches both a granular policy (granular_user_limit) and a broad policy (broad_site_limit), and the granular policy is already OVER_LIMIT, the broad policy's counter is still incremented.

This results in counter pollution, where unauthorized/blocked traffic consumes the quota of the broad policy, potentially leading to a Denial of Service for legitimate users who share the broad quota but have not hit their own granular limits.

{
  "domain": "api_service",
  "descriptors": [
    {
      "entries": [
        { "key": "policy", "value": "broad_site_limit" }
      ]
    },
    {
      "entries": [
        { "key": "policy", "value": "granular_user_limit" },
        { "key": "user_id", "value": "user_99" }
      ]
    }
  ],
  "hits_addend": 1
}

[qiumuyang]

Setting this env STOP_CACHE_KEY_INCREMENT_WHEN_OVERLIMIT to true may help.

ratelimit/README.md

Line 1263 in 3fb7025

1. `STOP_CACHE_KEY_INCREMENT_WHEN_OVERLIMIT`: Set this configuration to `true` to disallow key incrementation when one of the keys is already over the limit.

[austinmacrbx]

Thanks! Is there a similar setting we can apply more granularly? Like in the rate limit config? Setting the global env var will apply a blanket policy and affect all of our customers.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.