The token bucket algorithm is widely used in packet-switched computer networks and telecommunications networks to rate-limit or throttle traffic flows. A bucket holds up to a fixed number of tokens and is refilled at a constant rate; each packet (or, in our case, each request) consumes a token, and a request arriving at an empty bucket is dropped, delayed or refused. The bucket size bounds the burst a client may send and the refill rate bounds its long-run average.
In the CentralNic Registry Services team, we needed a light-weight rate-limiting system for the login forms which protect our Registrar Console and other internal systems. We already had a range of security measures in place to prevent brute-force attacks against accounts with weak passwords, such as two-factor authentication and auto-locking of accounts after too many failed logins. However, we had no protection against brute-force password reuse (credential stuffing) attacks such as the one that recently (as of 2018) hit GitHub. Account lockout does not help there: the attacker replays credentials leaked from another site, so each account sees only one or two attempts with a password that is already known, and the volume is spread across many accounts and source addresses.
This article was originally published elsewhere in 2018. As the article describes, CentralNic Registry Services’ token bucket implementation was originally deployed to add rate limiting to the login form of the CentralNic Registrar Console. Since then, it has also been deployed in other mission-critical systems such as the Whois and RDAP systems, where it replaced a rate-limiting system based on an SQL database. Switching to this system has increased the performance of the Whois and RDAP services by an estimated 30%.
CentralNic Group Plc (LON:CNIC) provides registry services, distribution, and strategic consultancy for new TLDs, ccTLDs and SLDs.