Protect against bursts with the rate-limiting plugin

We would like to use the rate-limiting plugin to protect against request bursts.

Our setup is as follows; we are running a Docker-based architecture (Marathon):

  • 2 Docker containers running Kong (0.13 CE) with the cluster-based policy, backed by a PostgreSQL 9.6 database.
  • 2 back-end REST services which expose our database.

The problem is that a request can take up to 10 seconds. If the client performs several requests in multiple threads during that interval, only the first one is recorded by the rate-limiting plugin; the rest pass through without any limitation.

This can degrade the performance of our REST services, and even lead to denial of service.
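A toy simulation of what we think is happening (plain Python, not Kong code, and the 10-second upstream call shortened to 0.5 s): if the shared counter is only incremented after the slow upstream call returns, every request that is already in flight reads the old counter value and slips past the limit.

```python
import threading
import time

LIMIT = 5    # e.g. config.second = 5
counter = 0  # shared request counter, as kept by the plugin's policy store
allowed = 0  # how many requests actually reached the upstream
lock = threading.Lock()

def handle_request():
    global counter, allowed
    # "Access phase": check the shared counter before proxying.
    if counter >= LIMIT:
        return  # would be rejected with 429
    time.sleep(0.5)  # slow upstream call (10 s in our real setup)
    # The counter is only updated after the response, so every request
    # that started inside the 0.5 s window saw counter == 0.
    with lock:
        counter += 1
        allowed += 1

threads = [threading.Thread(target=handle_request) for _ in range(20)]
for t in threads:
    t.start()
for t in threads:
    t.join()

print(allowed)  # well above LIMIT: the burst was not throttled
```

All 20 simulated requests get through even though the limit is 5, which matches the behaviour we observe.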

Can anybody give us any pointers on how to configure this?



Can you give us more information about your setup?

  • How is your rate-limiting plugin configured?
  • Do you have any other plugins active?
  • How do you identify consumers?


We configured the rate-limiting plugin per consumer, mostly with the default values:

{
	"created_at": 1525790898000,
	"config": {
		"minute": 30,
		"policy": "cluster",
		"month": 50000,
		"redis_timeout": 2000,
		"limit_by": "consumer",
		"second": 5,
		"day": 5000,
		"hide_client_headers": false,
		"redis_port": 6379,
		"redis_database": 0,
		"fault_tolerant": true
	},
	"id": "62dd99b4-ab90-47ad-bc65-ac60d07bf705",
	"name": "rate-limiting",
	"enabled": true,
	"consumer_id": "b63102ba-9cc5-46bd-9db7-885657f58636"
}

We have these additional plugins: response-transformer, http-log, and key-auth.

We identify consumers using the key-auth plugin.
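One option we are considering is switching the counter policy from "cluster" to "redis", so both Kong nodes share one counter store instead of PostgreSQL. The plugin config would change roughly as follows (the redis_host value is a placeholder for our own Redis instance), though we are not sure this fully closes the window, since the counter may still only be incremented after the response:

```json
{
	"config": {
		"second": 5,
		"minute": 30,
		"policy": "redis",
		"redis_host": "redis.example.internal",
		"redis_port": 6379,
		"redis_timeout": 2000,
		"redis_database": 0,
		"limit_by": "consumer",
		"fault_tolerant": true
	}
}
```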