Layered Traffic Management and Bot Mitigation for Peak Demand - Episode Hero Image

Layered Traffic Management and Bot Mitigation for Peak Demand

Software Engineering Radio - the podcast for professional software developers · · Listen to Original Episode →
Original Title:

TL;DR

  • Virtual waiting rooms prevent system overload during high-traffic events by queuing visitors, ensuring a fair user journey and preventing website crashes, thereby preserving the customer experience.
  • Edge workers and CDNs are leveraged to process initial traffic requests, reducing the load on customer origin servers and improving scalability and maintainability.
  • Bot traffic can constitute over 98% of requests during high-demand events, necessitating robust bot detection and mitigation strategies to ensure fairness for genuine users.
  • Eventual consistency in databases like DynamoDB is a deliberate design choice, enabling high throughput and scalability by tolerating minor delays in data synchronization.
  • During critical incidents, infrastructure can be migrated across logical boundaries, and new, warmed-up servers can be brought online to handle extreme traffic spikes and mitigate failures.
  • Graceful degradation on the client-side, such as showing cached data or delaying updates, is employed to mask intermittent server issues and prevent a poor user experience during high-load events.
  • Implementing protection at specific critical endpoints, like "add to cart," rather than broadly, balances bot prevention with avoiding unnecessary friction for legitimate users on less critical pages.

Deep Dive

Mojtaba Sarooghi's discussion on Queue-it's virtual waiting rooms highlights a critical need for managing extreme traffic spikes, particularly for high-demand events and product launches. The core argument is that without a sophisticated traffic management system, businesses risk system collapse, poor user experience, and the loss of sales to automated bots. This necessitates a layered approach to traffic management, bot detection, and resilient infrastructure design to ensure fairness and operational stability during peak demand.

The implications of this approach extend beyond simple load balancing. Firstly, the architecture emphasizes a distributed, edge-first strategy. By running connector code on Content Delivery Networks (CDNs) or edge workers, Queue-it intercepts traffic before it overloads the customer's origin servers. This prevents the cascading failures often seen when websites crash under sudden demand, ensuring a more consistent user experience--even if that experience is a virtual queue. The use of JavaScript or WebAssembly for edge connectors, and various languages for origin connectors, allows for flexible integration without heavily burdening the customer's core infrastructure.

Secondly, the sophistication of bot detection is a crucial second-order implication. Sarooghi reveals that up to 98% of traffic during some events can be bots. This underscores that simply managing human traffic is insufficient; robust bot mitigation is essential for fairness and to prevent resource exhaustion. Queue-it employs multiple strategies, including partner integrations with bot detection specialists, CAPTCHAs, machine challenges, and traffic access rules. The virtual waiting room itself acts as a buffer, providing a window for these detection mechanisms to analyze user behavior, making it more expensive and difficult for bots to operate at scale. This adversarial relationship--where bots innovate to bypass defenses, and Queue-it innovates to counter them--is a continuous cycle.

Thirdly, the reliance on AWS services like DynamoDB and the acceptance of eventual consistency reveal a pragmatic approach to scalability. While traditional banking systems might demand strict ACID compliance, Queue-it's domain allows for eventual consistency. This means that minor delays in data synchronization across nodes are acceptable, as the primary goal is high throughput and availability rather than immediate, perfect data accuracy for every request. This design choice is critical for handling hundreds of thousands, or even millions, of transactions per second. It allows the system to remain responsive during extreme spikes, even if a user's queue position might be slightly delayed in updating. This toleration for minor inconsistencies, coupled with strategies like pre-warming new servers and graceful degradation, is key to maintaining uptime.

Finally, the discussion of critical incidents and rapid resolution highlights the paramount importance of reliability. When an incident occurred due to traffic exceeding even provisioned capacity, the response involved quickly spinning up a new, pre-warmed environment and diverting traffic. This ability to isolate failures and rapidly reroute traffic is a testament to the system's design, which prioritizes resilience and minimizes user-facing disruption. The goal is not to eliminate all errors, but to manage them gracefully, preventing a complete system outage and ensuring that most users experience a delay or a slightly outdated queue position rather than a complete failure.

In essence, Queue-it's approach demonstrates that managing extreme traffic is not just about handling volume, but about creating a fair, resilient, and intelligent system that can distinguish between genuine users and bots, absorb unpredictable spikes, and maintain operational integrity even under duress. The core takeaway is that robust traffic management requires a multi-layered defense, a tolerance for eventual consistency in specific scenarios, and a design philosophy centered on resilience and rapid recovery.

Action Items

  • Audit bot traffic: Analyze 5-10 high-traffic events to quantify bot activity percentage and identify common bot patterns.
  • Implement edge worker connector: Deploy JavaScript connector to CDN edge for initial request validation, reducing origin server load.
  • Design dynamic outflow calculation: Develop logic to adjust waiting room outflow based on real-time user behavior and available capacity.
  • Refactor cold start mitigation: Modify new server warm-up process to use eventual consistency for visitor scores, avoiding thread starvation.
  • Establish cross-team incident response: Define clear communication and escalation paths for critical incidents affecting user experience and sales.

Key Quotes

"What we do we get that traffic and then based on some flow that our customers set we redirect back those visitors to the customer website actually what we call it is more like a traffic management tool that we have but what will happen under the hood or what is visible for our visitors is that when there is a ticket sales or there is a specific product drop there are a lot of people interested on that product so they go and try to buy that product imagine it could be a new iphone release or really interesting singer that wants to have a new concert so the website announced that there is the sale at this time a lot of people will go and try to buy that one we get the first hits we show a good user experience to the visitors and give them a fair user journey we redirect back traffic to the customer websites and they can buy the ticket or product that they are interested in"

Mojtaba Sarooghi explains that Queue-it acts as a traffic management tool, specifically a virtual waiting room, designed to handle surges of interest for high-demand events like concert tickets or product releases. Sarooghi highlights that their system intercepts initial traffic, provides a fair user experience through a virtual queue, and then redirects visitors back to the customer's website to complete their purchase.

"what we have we have a piece of code we call it connector that code has a responsibility to look at the request context on that specific add to card or visiting that specific ticketing page what will happen a visitor make a request to the backend and this connector code is running on the customer website that could be sitting on the edge which is cdn and we use edge compute we call it edge worker so that calculation or compute will happen on the edge or could be on the customer website that could be a php server net server or java server and in each language we have this connector what does it do is that look at the request look at the context when i'm saying context it's clear it could be cookie header or all the other information related to the http get or post if the request says that this specific visitor has not been in the waiting room what we do we do a redirect to the waiting room as a 302 response and then the visitor will see a page of the waiting room is presented to them"

Mojtaba Sarooghi details the technical implementation of their virtual waiting room system, explaining the role of the "connector" code. Sarooghi clarifies that this connector, which can run on the edge (CDN) or the customer's origin servers, analyzes the request context to determine if a visitor needs to be redirected to the waiting room. This redirection is performed via a 302 response, presenting the visitor with a customizable waiting room page.

"we are using aws as our cloud and then what we do if we go from the layered perspective we have cdn we have vaf and then we have application load balancer application load balancer get the request and based on the path of that request we are directing those requests with different services that doing their job for example imagine that we are showing a capture so on the specific path that says api capture we kind of choose the target in aws means that those microservices that are responsible for this one and because all of the services are behind this application load balancer we have this capability of scaling behind the scene so based on the scenario we can scale and say oh now the cpu response time or number of requests is high cpu response time is high again cpu usage is high and then based on that one we can automatically scale the back end which is pretty important for us then these microservices will do a calculation if it's needed we touch a database for the data for the database we are using as you mentioned in memory for some stuff that is more like a local or i need a really really fast one we are talking couple of milliseconds but also we are heavily using dynamodb in aws that is a really cool high throughput database that we have we have used it something i remember that i said in some state we were talking about 100 or 200k tps transactions per second for that one so it gives us quite a really great capability to handle the traffic spikes"

Mojtaba Sarooghi describes Queue-it's AWS-based infrastructure, emphasizing the use of Application Load Balancers to direct traffic to various microservices based on request paths. Sarooghi highlights the system's ability to automatically scale backend services based on metrics like CPU usage and request volume, which is crucial for handling traffic spikes. Sarooghi also mentions the use of in-memory stores for low-latency needs and DynamoDB for high-throughput data storage, capable of handling hundreds of thousands of transactions per second.

"actually this is a really interesting topic and i would say that one of the design practices that we have here is about this eventual consistency i would call it actually the type of the business that we work and design a product for is really important when i joined before i was working in kind of like an insurance or banking you could say system in that scenario when i moved to and i start to develop the engine and i was talking to a colleagues for me but wow you know you don't need to have the full transaction whenever you write i said for sure we don't because you know i need to support 100 000 requests per second that's not that's impossible so that is a really important fact here we don't need to have all the nodes know exactly at the specific point what is happening because we have this tolerancy okay one node is behind one second then the or 500 milliseconds they can get updated after a second so there is this factor heavily used in our design of the system not just this one also the fact that you know for example doing back off from the client side you know this is not all the same you know it's like eventually consistency and then back off they are different things but what i want to mention here is that in a specific scenario that we design a product for a specific business there is some tolerancy that we can use tolerancy of consistency tolerancy of time you know now for a human beings 50 milliseconds and 100 milliseconds is not a big factor so if there is a traffic really high and in some scenario we cannot in our design we need to design for the failure so if we think that the server or server get overcrowded so why not doing a back off for example on the client side or why not using the eventual consistency so for us it's used pretty well and we didn't see any negative impact on the business part i would say"

Mojtaba Sarooghi discusses the critical role of eventual consistency in their architecture, contrasting it with the strict transactional requirements of banking or insurance systems. Sarooghi explains that for their use case, supporting high request volumes necessitates a design that tolerates slight delays in data consistency across nodes, as a few hundred milliseconds of delay is often negligible for the end-user experience. Sarooghi asserts that this approach, combined with strategies like client-side backoff, has been successfully implemented without negative business impact.

"we have also different partners to work with related to the bot recognition recently we had this new product we call it hep with one of the

Resources

External Resources

Articles & Papers

  • "SE Radio 700: Mojtaba Sarooghi on Waiting Rooms for High-Traffic Events" (Software Engineering Radio) - Discussed as the primary context for the episode's technical deep dive.

People

  • Mojtaba Sarooghi - Distinguished Product Architect at Queue-it, featured guest.
  • Jeremy Jung - Host of Software Engineering Radio.

Organizations & Institutions

  • Queue-it (Qwit) - Company discussed for its virtual waiting room and traffic management solutions.
  • AWS (Amazon Web Services) - Cloud provider utilized for infrastructure, including Elastic Load Balancing, DynamoDB, and Simple Notification Service.
  • IEEE Computer Society - Sponsor of Software Engineering Radio.
  • IEEE Software magazine - Sponsor of Software Engineering Radio.
  • Akamai - Partner mentioned for bot recognition products and edge compute capabilities.

Tools & Software

  • Elastic Load Balancing - AWS service used for distributing traffic.
  • DynamoDB - AWS NoSQL database service used for high-throughput data storage.
  • Simple Notification Service (SNS) - AWS messaging service used for inter-service communication.
  • ASP.NET Core - Microsoft framework used for backend services.

Websites & Online Resources

  • se radio net - Website for Software Engineering Radio.
  • computer.org - Website for IEEE Computer Society and IEEE Software magazine.
  • github.com/queue-it - Repository for Queue-it's open-source connectors.

Other Resources

  • Virtual Waiting Room - Concept explained as a traffic management tool to prevent system overload during high-traffic events.
  • Edge Worker - Code running on the edge of a Content Delivery Network (CDN) to process requests.
  • Connector (SDK) - Piece of code provided by Queue-it to integrate with customer websites or CDNs for initial traffic checks.
  • DDoS (Distributed Denial of Service) attack - Type of attack discussed in relation to system resilience.
  • CAPTCHA - Security challenge used to distinguish between human users and bots.
  • Bot Recognition - Technology and strategies used to identify and block automated bot traffic.
  • Eventual Consistency - Database property of DynamoDB discussed in the context of system design and tolerating slight delays in data updates.
  • Graceful Degradation - Design practice where a system continues to function with reduced capabilities during high load or failures.

---
Handpicked links, AI-assisted summaries. Human judgment, machine efficiency.
This content is a personally curated review and synopsis derived from the original podcast episode.