Too Many Requests - what is error 429 and how does it occur?

The transmission of status codes allows the Hypertext Transfer Protocol (HTTP) to inform the client of the current state with each request and to report successful processing or the occurrence of errors. When these occur, a web server identifies the type and origin through a 400 status code for problems caused by the client and a 500 status code when the likely cause lies with the server. One of the more common messages is the 429 Too Many Requests status code, which sometimes appears seemingly without a specific reason. Unfortunately, one of the problematic aspects of this is that it often affects the administrator of a website themselves.

What principle is behind the 429 status code?

To allow for quick and clear identification, the standard HTTP uses a simple and clear classification that allows for a direct inference from a message such as a 400 status code to its meaning and likely cause. Officially, there are five different categories, each allowing for a definition of 100 different states and sorted into the following groups based on their first digit:

• Status codes 100 to 199 describe informative details such as a protocol switch
• Status codes 200 to 299 indicate the successful processing of a request
• Status codes 300 to 399 indicate a redirection
• Status codes 400 to 499 represent errors caused by the client
• Status codes 500 to 599 indicate problems that (presumably) originate from the server

The order in this specific number range corresponds to a historical development rather than their distribution - therefore, it is largely arbitrary. For example, internet users most commonly encounter the HTTP Error 404 Not Found with a 400 status code, rather than 400 Bad Request. While the 429 Too Many Request error occurs regularly, the top spots after 404 are held by status codes 400 Bad Request, 401 Unauthorized, 403 Forbidden, and 408 Request Timeout.

What does the 429 status code indicate?

The status code 429 Too Many Connections, or translated as "Too many connections," is often misunderstood. It does not indicate that the server is currently receiving too many requests overall, as would be the case in a DDoS attack, for example. Instead, it refers to the accesses by a single client, which is why the server fundamentally rejects further attempts. The root cause, however, primarily lies with the client, which is why it is classified as a 400 status code, rather than being an error message caused by the server with a code of 500 or higher.

In essence, the 429 Too Many Requests error simply indicates that the server has detected a new request, even though there are already a large number of open connections. This behaviour was typically associated with attacks in the context of DDoS, where attempts are made to flood a server with a steadily increasing number of clients in order to reserve all available resources and capacities for ongoing processes. However, it makes sense not only for this reason to limit the maximum possible number of requests for individual users - similar practices are considered an essential standard in various areas of IT security to restrict the consumption of computing power and opportunities for password testing.

What triggers a status code 429?

One of the challenges is that a status code 429 Too Many Requests can be triggered by various sources. The simplest scenario involves a browser keeping numerous tabs or tabs open to the same address and updating the connections at short intervals - although this is a rare exception. In practice, other technical reasons dominate, which are not as easily diagnosed. The most common among them include:

• Poorly programmed or incorrectly configured plug-ins
• Incorrect tracking of requests, such as missing resets of the counter
• Many open connections due to interactive or multimedia elements
• Multiple identification and counting based on IP address and cookies
• Simultaneous, unfinished redirects, such as from HTTP to HTTPS
• Collective registration of different protocols like FTP and SSH over HTTP
• Viruses or trojans establishing additional connections in the background

Unfortunately, the origins of an error 429 Too Many Requests - as with almost every 400 status code - prove to be extremely diverse and require a precise analysis of the log files to identify the reason definitively. Because the problem can be caused by both the client and the server, unilateral measures do not necessarily guarantee success. However, they do point to clues as to where the status code 429 Too Many Requests originates and how to resolve it. If simple measures such as restarting the browser and deleting existing cookies for the relevant page and third parties do not bring a solution, a closer analysis of the traffic using tools like Netstat on Linux breaks down the number of connections and shows which processes and requests are causing this state.

Photo: Gerd Altmann Pixabay