Secure your API proxy's target backend against severe traffic spikes and denial of service attacks.
Section | Belongs in | Purpose |
---|---|---|
Plugin overview | README.md | Explains what the plugin does and how to use it |
How to use flood-control plugin | README.md | Explains how to set up and use the custom plugin |
How to run Kong locally | CONTRIBUTING.md | Helps contributors test the plugin |
Development guidelines | CONTRIBUTING.md | Defines coding practices and standards |
How to submit a PR | CONTRIBUTING.md | Guides on forking, branching, and creating PRs |
Plugin functionality code | handler.lua | Plugin functionality code to be executed |
Plugin schema code | schema.lua | Plugin configuration schema definition |
The Flood Control Plugin is a custom Kong plugin designed to control sudden bursts of traffic, similar to the Spike Arrest policy in Apigee or Spike Control policy in Mulesoft. It limits the rate of incoming requests based on either the client IP address or the authenticated consumer, helping to smooth out traffic spikes and protect backend services from overload.
Unlike traditional rate limiting, which counts requests over a fixed time window, Flood Control focuses on smoothing the rate of traffic flow in real time: it spreads the allowed requests evenly across the interval instead of letting them all arrive at once.
By using this plugin, you can:
- Protect APIs from DDoS attacks and malicious traffic bursts.
- Prevent backend system overload due to sudden spikes in traffic.
- Reduce the risk of system downtime by smoothing out request rates.
- Improve overall API reliability and performance under load.
You can deploy the Flood Control plugin using one of the following methods:

- Manual installation on a Kong node:
  - Copy your plugin code (`schema.lua` and `handler.lua`) to the Kong node under `/usr/local/share/lua/5.1/kong/plugins/flood-control`. Make sure to give appropriate file permissions to the plugin directory and all files in it, e.g. on Unix: `chmod 777 *.lua`
  - Update the `KONG_PLUGINS` environment variable or the `kong.conf` file. This enables use of the flood-control plugin:
    ```
    export KONG_PLUGINS=bundled,flood-control
    ```
  - Allocate shared memory. This dictionary stores each identifier together with the time at which that identifier last made an API call:
    ```
    vi /usr/local/share/lua/5.1/kong/templates/nginx_kong.lua
    ## add the line below near the similar lua_shared_dict lines
    lua_shared_dict flood_control 10m;
    ```
  - Restart Kong:
    ```
    kong restart -c /etc/kong/kong.conf
    ```
- Docker: follow the official Kong guide to build a Docker image with your plugin: 👉 Deploy Plugins - Kong Docs
- LuaRocks: package and install your plugin using LuaRocks: 👉 Installation and Distribution - Kong Docs
To use the plugin on a service, a route or globally:
- Enable the plugin on a Service, a Route or globally.
- Select the Identifier Type: `ip` or `consumer`.
- Enter the Rate: the number of API requests that can be made per time unit (second/minute).
- Select the Unit: `second` or `minute`.
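A `schema.lua` declaring these three configuration fields, as an added example written for this README rather than the plugin's own schema file. It uses Kong's standard `typedefs` module; the `default` values and the `protocols_http` restriction are assumptions, and the unit is exposed under the `interval` key because that is the key the example configuration passes as `config.interval`.

```lua
-- schema.lua (added example, not this plugin's own file)
local typedefs = require "kong.db.schema.typedefs"

return {
  name = "flood-control",
  fields = {
    -- Kong's standard protocol field; restricts the plugin to HTTP/HTTPS traffic (assumption).
    { protocols = typedefs.protocols_http },
    { config = {
        type = "record",
        fields = {
          -- Identifier Type: limit per client IP or per authenticated consumer.
          { identifier_type = { type = "string", required = true,
                                default = "ip", one_of = { "ip", "consumer" } } },
          -- Rate: requests allowed per unit; rejected by Kong unless a positive integer.
          { rate = { type = "integer", required = true, gt = 0 } },
          -- Unit: the time unit the rate applies to (passed as config.interval).
          { interval = { type = "string", required = true,
                         default = "minute", one_of = { "second", "minute" } } },
        },
    } },
  },
}
```

With `one_of` and `gt = 0` in place, the Admin API rejects a misconfigured plugin (for example `config.rate=0` or an unknown identifier type) at creation time rather than letting the handler divide by zero or silently fall through at request time.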
Example configuration (the Unit is passed as `config.interval`):

```
curl -i -X POST http://localhost:8001/services/my-service/plugins \
  --data "name=flood-control" \
  --data "config.identifier_type=ip" \
  --data "config.rate=5" \
  --data "config.interval=minute"
```
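The smoothing behaviour described above, as an added example `handler.lua` written for this README (it is not the plugin's own handler). It assumes the `flood_control` shared dictionary from the installation steps and the `identifier_type`, `rate` and `interval` config keys from the curl example; the `PRIORITY` value, the fallback to IP when no consumer is authenticated, the 429 response body and the fail-open choice on shared-memory errors are all assumptions. With `rate=5` and `interval=minute` it admits at most one request per identifier every 12 seconds, which is the 1-request-per-30-seconds behaviour of the 2 reqs/min test scenarios scaled to this rate.

```lua
-- handler.lua (added example, not this plugin's own file)
local kong = kong
local ngx = ngx

local FloodControlHandler = {
  -- Assumption: run after authentication plugins (priority >= 1000) so the consumer is resolved.
  PRIORITY = 900,
  VERSION  = "0.1.0",
}

-- Length of each configured unit in seconds.
local INTERVAL_SECONDS = { second = 1, minute = 60 }

-- Build the shared-dict key for the caller: authenticated consumer or client IP.
local function get_identifier(conf)
  if conf.identifier_type == "consumer" then
    local consumer = kong.client.get_consumer()
    if consumer then
      return "consumer:" .. consumer.id
    end
    -- Assumption: unauthenticated requests on a consumer-keyed plugin fall back to the IP.
  end
  -- get_forwarded_ip honours Kong's trusted_ips / real_ip settings, so a
  -- spoofed X-Forwarded-For from an untrusted hop cannot pick a new bucket.
  return "ip:" .. kong.client.get_forwarded_ip()
end

function FloodControlHandler:access(conf)
  local dict = ngx.shared.flood_control
  if not dict then
    kong.log.err("lua_shared_dict flood_control is not configured; allowing request")
    return
  end

  -- Smoothing: spread `rate` requests evenly over the interval, i.e. allow at
  -- most one request per identifier every (interval / rate) seconds.
  local min_gap = INTERVAL_SECONDS[conf.interval] / conf.rate
  local key = get_identifier(conf)

  -- dict:add is atomic across nginx worker processes and succeeds only when the
  -- key is absent or expired, so the key's TTL is the "slot" for this gap.
  -- This stores the identifier and, implicitly, the time of its last accepted call.
  local ok, err = dict:add(key, 1, min_gap)
  if ok then
    return
  end

  if err ~= "exists" then
    -- e.g. "no memory": the 10m dictionary is full. Fail open here (assumption);
    -- log it so capacity problems are visible rather than silently dropping traffic.
    kong.log.err("flood_control shared dict error: ", err)
    return
  end

  -- Another request for this identifier arrived inside the gap: reject it.
  local retry_after = math.max(1, math.ceil(min_gap))
  return kong.response.exit(429, { message = "Too many requests: flood control limit exceeded" }, {
    ["Retry-After"] = tostring(retry_after),
  })
end

return FloodControlHandler
```

Because the state lives only in the worker-shared dictionary of each node, the limit is enforced per Kong node, not across a cluster; that matches the "shared memory (in-memory)" storage described for the plugin and is the trade-off that keeps the check free of database round-trips.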
Here are some test scenarios. To keep the plugin behaviour simple to understand, I added the simple test cases below.

Identifier Type | Rate Limit | Expected Behavior |
---|---|---|
ip | 2 reqs/min | Only 1 request every 30 seconds should be successful for a client IP. |
consumer | 2 reqs/min | Only 1 request every 30 seconds should be successful for a consumer. |
ip | 2 reqs/sec | Only 1 request every 500 milliseconds should be successful for a client IP. |
consumer | 2 reqs/sec | Only 1 request every 500 milliseconds should be successful for a consumer. |

Use tools like curl, Insomnia or Postman to simulate the traffic and observe the plugin's behavior.
Feature | Flood Control | Rate Limiting |
---|---|---|
Purpose | Smooth out traffic spikes | Enforce strict request quotas |
Use Case | Prevent sudden bursts (e.g., DDoS) | Limit total requests over a time window |
Storage | Shared memory (in-memory) | Database or shared memory |
Best For | Real-time traffic shaping | Usage-based billing or quota enforcement |
Use Flood Control when you want to protect your backend from sudden traffic spikes or denial-of-service attacks.
Avoid using Flood Control when you need to count and limit the total number of requests over a time window. For that, use the Rate Limiting or Rate Limiting Advanced plugin.
- Database Storage: ❌ No
- Shared Memory Storage: ✅ Yes
The plugin uses shared memory for fast, in-memory request tracking, ensuring low latency and high performance.
Feature | Apigee | MuleSoft | Kong |
---|---|---|---|
Name | Spike Arrest | Spike Control | Flood Control (This plugin) |
Purpose | Smooth traffic bursts | Smooth sudden traffic spikes | Smooth traffic spikes |
Granularity | Per App or API | Per App/API (via API Manager) | Per IP or Consumer |
How it works | Limits request rate per interval (e.g., 2 req/ms) | Controls how fast traffic can reach the API (max reqs/sec) | Real-time smoothing (custom Lua logic) |