C# MVC:防止 ASP.NET 站点拒绝服务 (DOS) 攻击的好方法是什么?
我正在寻找一种好的且廉价的方法来防止我的 ASP.NET MVC 站点上的拒绝服务攻击。
我一直在考虑一种拦截 HttpHandler 然后对 Cache 对象中的请求进行计数的解决方案,其密钥类似于“RequestCount_[IpAddressOfRequestClient]”,但这似乎会产生疯狂的开销。
任何想法将不胜感激。 谢谢你!
I'm looking for a good and inexpensive way to prevent denial of service attacks on my ASP.NET MVC site.
I've been thinking about a solution that intercepts the HttpHandler and then counts requests in the Cache object, with the key being something like "RequestCount_[IpAddressOfRequestClient]" but that seems like it would generate a crazy overhead.
Any ideas would be greatly appreciated. Thank you!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可能会考虑尝试限制请求。 通过 IP 和/或 cookie 识别用户,并将请求限制为(例如)每两秒 1 个。 人类不会注意到,但这会大大减慢机器人的速度。
这在应用程序级别有所帮助(保护您的应用程序/数据库),但它不是一个完整的解决方案,因为点击仍然来自网络级别。
作为前线防御,我可能会依赖硬件。 许多 ISP 提供一些保护,例如:http://www.softlayer.com/facilities_network_n2.html
You might consider trying to throttle the requests. Identify users by IP and/or cookie and limit requests to (say) 1 every two seconds. A human wouldn't notice, but this would slow down a bot considerably.
This helps at the application level (protects your app/database) but it's not a complete solution, as the hits are still coming at the network level.
As a front line of defense I would probably depend on hardware. Many ISPs offer some protection, eg: http://www.softlayer.com/facilities_network_n2.html
这是一个非常古老的问题,但我希望这个参考对其他人有帮助。
现在我们使用“API Protector .NET”(https://apiprotector.net)保护我们的 API 免受 DoS 和 DDoS 攻击。
它也是一个与 MVC、WebApi 和 .NetCore 兼容的库,为我们带来了非常好的结果,无论是简单性,还是从根本上来说强>可维护性。 有了这个库,您可以用一行代码以非常具体的方式保护 API 的每个函数。
正如 API Protector .NET 网站中所述:
唯一的缺点是它的成本为 5 美元,但它以非常低的价格为我们提供了我们正在寻找的东西,这与 WebApiThrottle 库不同,尽管它是我尝试的第一个选项(因为它是免费),当我们想要以特定方式保护不同的功能时(正如所解释的,这对于有效保护至关重要),它最终变得不切实际且无法维护。
API Protector .NET 允许组合不同的保护(按 IP、按用户、按角色、一般情况等),用一行装饰每个功能,这使其易于实现和维护。 有关详细说明,请阅读:https://apiprotector.net/how-it-works
一个有趣的轶事是,不久前,当我们仍在使用 WebApiThrottle 保护我们的 API 时,我们做了一些模拟 DDoS 攻击的测试,其中有来自不同主机的许多并行请求,出于某种原因,(我认为这是由于与线程同步相关的原因),函数中出现了突发的请求,并且随着服务器已经过载,限制开始了。 再加上难以维护,我们对可靠的保护没有太多信心,这就是为什么我们最终尝试了这种效果良好的替代方案。
This is a very old question, but I hope this reference helps someone else.
Now we are using 'API Protector .NET' (https://apiprotector.net) to protect our APIs against DoS and DDoS attacks.
It's a library compatible with MVC, WebApi and .NetCore too, that has given us very good results, both in simplicity, but fundamentally in maintainability. With this lib you can protect each function of your API litterally with a single line, and in a very specific way.
As is explained in the website of API Protector .NET:
The only negative point is that it costs USD 5, but it gave us what we was looking for at a very low price, unlike the WebApiThrottle library that although it was the first option I tried (because it is free), it ended up being impractical unmaintainable when we wanted to protect different functions in a specific way (which is critical for effective protection, as explained).
API Protector .NET allows to combine different protections (by ip, by user, by role, in general, etc) decorating each function with a single line, which makes it easy to implement and maintain. For a detailed explaination read: https://apiprotector.net/how-it-works
An interesting anecdote is that time ago, when we still protecting our APIs with WebApiThrottle, we did some tests simulating DDoS attacks, with many parallel requests from different hosts, and for some reason, (I think that is due to something related to thread synchronization), bursts of requests came in to the functions, and late with the server already overloaded, the throttling started. This, added to the difficult maintainability, did not give us too much confidence for a solid protection, and that's why we ended up trying this alternative that works well.