Feature: Make rate limit runtime-configurable
Feature Description
Add a configuration to control the middleware's default rate limiter.
Are you intending to implement this feature?
No
Current Behavior
BHCE currently uses a single rate limiter value to protect all paths not related to authentication. This rate limiter is set at 55 requests per second in the code. The only way to change it is to recompile the application.
Desired Behavior
A runtime configuration item, preferably in the administrative UI, would allow the administrator of the BHCE instance to modify the value of the middleware's default rate limiter.
Use Case
Running automation through the REST API on large instances can take a very long time. The current rate limiter value was found to have a strong negative effect and leave a lot of hardware unused.
Implementation Suggestions
I have identified the following item which would need to be plumbed into a configuration item.
At cmd/api/src/api/middleware/rate_limit.go#L36:
const DefaultRateLimit = 55
I want to support this feature request, as I run into the very same issue and found it while searching for the option to configure the rate limit...
What is the specific use case you're trying to service here? We're trying to get some more details here. This is not something that can change dynamically while the application is live due to the way our middlewares are structured; however, if there is a valid use case here, we can make it configurable via config/environment variables.
IIRC we wanted to get the number of controllables for each user and computer-node for some statistics. As we have quite a few of these, the rate limit is slowing down this use case severely. And you cannot get this info easily directly from neo4j.
But we plan to use BloodHound for more enrichments in the future, where we could easily reach the current rate-limit.
Our BloodHound instance is strongly secured on the network level and only reachable for very few individuals. Therefore, I would happily take the tradeoff and would even disable the rate limit. Or at least set it to a very high number.
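The maintainer's reply above offers to make the limit configurable through config/environment variables, read when the middleware is built rather than changed live. One way that could look, as an added example that is not BHCE's code: the variable name `EXAMPLE_API_RATE_LIMIT`, the `MaxRateLimit` ceiling and the `Limiter` type are assumptions, and only `DefaultRateLimit = 55` comes from the issue.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"sync"
	"time"
)

const DefaultRateLimit = 55                   // value quoted in the issue
const MaxRateLimit = 10000                    // assumed ceiling for this example
const RateLimitEnv = "EXAMPLE_API_RATE_LIMIT" // hypothetical name, not a BHCE setting

// ResolveRateLimit reads the limit once at startup. Unset means the default; a bad
// value returns an error plus the default, so a typo cannot silently lift the limit.
func ResolveRateLimit(lookup func(string) (string, bool)) (int, error) {
	raw, ok := lookup(RateLimitEnv)
	if !ok || raw == "" {
		return DefaultRateLimit, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 1 || n > MaxRateLimit {
		return DefaultRateLimit, fmt.Errorf("%s=%q: want an integer from 1 to %d", RateLimitEnv, raw, MaxRateLimit)
	}
	return n, nil
}

// Limiter is a fixed-window counter; its limit is set at construction, like a middleware built once at startup.
type Limiter struct {
	mu           sync.Mutex
	limit, count int
	window       time.Time
}

// Allow reports whether a request arriving at now still fits in its one-second window.
func (l *Limiter) Allow(now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if w := now.Truncate(time.Second); !w.Equal(l.window) {
		l.window, l.count = w, 0
	}
	l.count++
	return l.count <= l.limit
}

func main() {
	limit, err := ResolveRateLimit(os.LookupEnv)
	fmt.Println("limit:", limit, "config error:", err, "first request allowed:", (&Limiter{limit: limit}).Allow(time.Now()))
}
```
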