阻止 IP 地址,防止 DoS 攻击
因此,这更多的是关于防止 DoS 攻击的最佳实践的一般性问题,我只是想了解大多数人如何处理来自同一 IP 地址的恶意请求,这也是我们目前遇到的问题。
我认为最好尽可能高地阻止真正恶意的 IP,以防止使用更多资源,尤其是在加载应用程序时。
想法?
So this is more of a general question on the best practice of preventing DoS attacks, I'm just trying to get a grasp on how most people handle malicious requests from the same IP address which is the problem we are currently having.
I figure it's better to block the IP of a truly malicious IP as high up as possible as to prevent using more resources, especially when it comes to loading you application.
Thoughts?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以通过多种方式防止 DoS 攻击的发生。
来自特定的 IP 地址。一次
已达到限制,您可以发送
重定向到缓存的错误页面
限制任何进一步的处理。你
或许还可以获得这些IP
地址已受防火墙保护,这样您就不会
必须处理他们的请求
全部。限制每个 IP 地址的请求
但如果
攻击者伪造源IP地址
在他们发送的数据包中。
智能融入您的应用程序以提供帮助
处理 DoS。使用谷歌地图
举个例子。每个单独的站点
必须有它自己的 API 密钥,我
相信限制为 50,000 个请求
每天。如果您的应用程序有效
以类似的方式,那么你想要
尽早验证此密钥
请求,这样你就不会使用太多
请求的许多资源。一次
该密钥的 50,000 个请求是
使用过的,可以发合适的代理
标头,以便所有未来的请求
(例如下一小时)
该键由反向处理
代理人。但这并不是万无一失的。如果
每个请求都有不同的 url,
那么反向代理将不得不
将请求传递给
后端服务器。你也会跑
如果 DDOS 使用大量,就会出现问题
不同的 API 密钥。
您的应用程序,您也许能够
将较大的 IP 范围列入黑名单
对 DDOS 贡献显着。
例如,如果您的网络服务是
仅限澳大利亚人,但你是
收到大量 DDOS 请求
韩国的一些网络,然后你
可以防火墙韩国网络。
如果您希望您的服务是
任何人都可以访问,那么你就出局了
祝你好运。
关闭商店并等待。如果
你有自己的IP地址或IP
范围然后你,你的托管公司
或者数据中心可以将空路由
流量,使其进入一个块
洞。
引用自此处。同一线程上还有其他解决方案。
You can prevent DoS attacks from occuring in various ways.
from a particular ip address. Once
the limit is reached, you can send a
redirect to a cached error page to
limit any further processing. You
might also be able to get these IP
address firewalled so that you don't
have to process their requests at
all. Limiting requests per IP address
wont work very well though if the
attacker forges the source IP address
in the packets they are sending.
smarts into your application to help
dealing with a DoS. Take Google maps
as an example. Each individual site
has to have it's own API key which I
believe is limited to 50,000 requests
per day. If your application worked
in a similar way, then you'd want to
validate this key very early on in
the request so that you don't use too
many resources for the request. Once
the 50,000 requests for that key are
used, you can send appropriate proxy
headers such that all future requests
(for the next hour for example) for
that key are handled by the reverse
proxy. It's not fool proof though. If
each request has a different url,
then the reverse proxy will have to
pass through the request to the
backend server. You would also run
into a problem if the DDOS used lots
of different API keys.
your application, you might be able
to black list large IP ranges that
contribute significantly to the DDOS.
For example, if your web service is
for Australian's only, but you were
getting a lot of DDOS requests from
some networks in Korea, then you
could firewall the Korean networks.
If you want your service to be
accessible by anyone, then you're out
of luck on this one.
close up shop and wait it out. If
you've got your own IP address or IP
range then you, your hosting company
or the data centre can null route the
traffic so that it goes into a block
hole.
Referenced from here. There are other solutions too on same thread.
更多在...
可以'由于 DOS 攻击而访问 Plesk Admin,通过 SSH 阻止 IP 地址?
more at...
Can't Access Plesk Admin Because Of DOS Attack, Block IP Address Through SSH?