ASP.Net module to block DoS attacks

Published 2025-01-03 11:07:00, 505 characters, 1 view, 0 comments


I would like to programmatically protect my ASP.Net 4.0 website from harmful repeated requests. If I notice a high number of requests from an IP then I would like to block that IP for a certain time (e.g. in case someone writes a FOR loop and requests the webpage over and over). I know that the best defense is not to serve data to unauthenticated users but unfortunately some public pages are data-heavy and there is nothing I can do about it.

I looked at some solutions today but none of them satisfied me. I am guessing that this is a very common issue and I would not like to implement something like this from scratch.

I saw a solution implemented as a module and I would like to do the same but better. I need the following features:

  • Block IP after detecting a non-human pattern
  • Preferably implemented as an HttpModule
  • Allow the crawlers through
  • Block should expire after a certain interval
  • Lightweight: the module should not slow down the website or access the database
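One way to cover the five requirements above with nothing but process memory is a small IHttpModule that keeps a fixed-window counter per client address and short-circuits the pipeline once an address is blocked. The code below is an added example written for this page, not code from the question, the answer or any library; the class name, the thresholds (50 requests per 10 seconds, 5 minute block) and the crawler tokens are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Web;

// Hypothetical throttling module; added example, not code from the thread.
public class RequestThrottleModule : IHttpModule
{
    // Constructed tunables: 50 requests per 10-second window, then a 5-minute block.
    private static readonly TimeSpan Window = TimeSpan.FromSeconds(10);
    private const int MaxRequestsPerWindow = 50;
    private static readonly TimeSpan BlockDuration = TimeSpan.FromMinutes(5);

    // Crawler tokens that bypass throttling. User-Agent is client-controlled, so this only
    // accommodates well-behaved bots; a reverse-DNS check of the source IP is the robust
    // test, at the cost of a lookup per new IP.
    private static readonly string[] CrawlerTokens = { "Googlebot", "bingbot" };

    private class Bucket
    {
        public DateTime WindowStart;
        public int Count;
        public DateTime BlockedUntil;   // DateTime.MinValue while not blocked
    }

    private static readonly ConcurrentDictionary<string, Bucket> Buckets =
        new ConcurrentDictionary<string, Bucket>(StringComparer.Ordinal);
    private static DateTime _lastSweep = DateTime.UtcNow;

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        if (IsCrawler(request.UserAgent)) return;

        // Socket address of the peer. Behind a reverse proxy this is the proxy's address;
        // use the forwarded header only when the proxy is yours and overwrites it.
        string ip = request.UserHostAddress ?? "unknown";

        if (!Allow(ip, DateTime.UtcNow))
        {
            HttpResponse response = app.Context.Response;
            response.StatusCode = 429;
            response.StatusDescription = "Too Many Requests";
            response.AppendHeader("Retry-After", ((int)BlockDuration.TotalSeconds).ToString());
            app.CompleteRequest();   // short-circuit the pipeline; no handler or DB work runs
        }
    }

    // Counts one request for the IP. Returns false while the IP is blocked, and starts a
    // block when the count within the current window exceeds the limit. The block expires
    // by itself: once BlockedUntil has passed, the next request opens a fresh window.
    internal static bool Allow(string ip, DateTime now)
    {
        Bucket bucket = Buckets.GetOrAdd(ip, _ => new Bucket { WindowStart = now });
        lock (bucket)
        {
            if (bucket.BlockedUntil > now) return false;
            if (now - bucket.WindowStart >= Window)
            {
                bucket.WindowStart = now;
                bucket.Count = 0;
            }
            bucket.Count++;
            if (bucket.Count > MaxRequestsPerWindow)
            {
                bucket.BlockedUntil = now + BlockDuration;
                return false;
            }
        }
        SweepIfDue(now);
        return true;
    }

    private static bool IsCrawler(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return false;
        return CrawlerTokens.Any(t => userAgent.IndexOf(t, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    // Drops idle, unblocked entries so memory stays bounded with no timer thread or database.
    private static void SweepIfDue(DateTime now)
    {
        if (now - _lastSweep < TimeSpan.FromMinutes(1)) return;
        _lastSweep = now;
        foreach (var kv in Buckets)
        {
            Bucket removed;
            if (kv.Value.BlockedUntil <= now && now - kv.Value.WindowStart > Window)
                Buckets.TryRemove(kv.Key, out removed);
        }
    }
}
```

Register it under `<system.webServer><modules>` with `<add name="RequestThrottle" type="RequestThrottleModule" />` (integrated pipeline). The counters live in the worker process, so each process in a web garden or each node in a farm throttles independently; that per-process scope is the trade-off for touching no database, and it is the reason a shared store such as Redis is used when one consistent view across servers is needed.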


Comments (1)

失与倦" 2025-01-10 11:07:00


There are 2 approaches for the above problem:

  1. Using IIS Dynamic IP Restrictions module
  2. Using HackerSpray Library on Github

For 1st approach,

The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.

source: https://www.iis.net/downloads/microsoft/dynamic-ip-restrictions

For 2nd Approach,

HackerSpray uses Redis to maintain high-performance counters for actions and origin IPs. You call Hacker.Defend(key, ip) to check if a certain key or IP has made too many hits. You can maintain blacklists for key, IP or IP Range. HackerSpray checks against too many hits on a key, too many hits on an IP, or IP falling within blacklists. It also allows blacklisting a certain key for a certain IP or blocking a certain key for all IPs on-the-fly. Handy when you want to block a user out of certain URLs.

It comes with an HttpModule, which protects your entire website.

Example calls:

var result = await Hacker.DefendAsync("/Account/LogOn", Request.UserHostAddress);

if (result == Hacker.Result.TooManyHitsFromOrigin)
    await Hacker.BlacklistOriginAsync(Request.UserHostAddress, TimeSpan.FromMinutes(10));
else if (result == Hacker.Result.TooManyHitsOnKey)
    await Hacker.BlacklistKeyAsync("/Account/LogOn", TimeSpan.FromMinutes(10));

// Further checks; each call is awaited, the result handling is omitted for brevity.
await Hacker.DefendAsync("/Account/PasswordReset", Request.UserHostAddress, TimeSpan.FromMinutes(5), 100);
await Hacker.DefendAsync("Username" + username, Request.UserHostAddress);
await Hacker.DefendAsync("Comment", Request.UserHostAddress);

LoginController Example:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }

    return await Hacker.DefendAsync<ActionResult>(async (success, fail) =>
    {
        // This doesn't count login failures towards account lockout.
        // To enable password failures to trigger account lockout, change to shouldLockout: true
        var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
        switch (result)
        {
            case SignInStatus.Success:
                return await success(RedirectToLocal(returnUrl));
            case SignInStatus.LockedOut:
                return await fail(View("Lockout"));
            case SignInStatus.RequiresVerification:
                return await success(RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe }));
            case SignInStatus.Failure:
            default:
                ModelState.AddModelError("", "Invalid login attempt.");
                return await fail(View(model));
        }
    },
    blocked => new HttpStatusCodeResult(HttpStatusCode.Forbidden),   // response when the request is blocked
    "ValidLogin:" + model.Email, 3, TimeSpan.FromMinutes(5),          // key, max attempts, interval for successful logins
    "InvalidLogin:" + model.Email, 4, TimeSpan.FromMinutes(5),        // key, max attempts, interval for failed logins
    Request.GetClientIp());                                            // origin IP the counters are keyed on
}

In the web.config, you need to specify which paths to protect using the HttpModule.

<HackerSprayConfig redis="localhost" prefix="AuthTest:">
  <keys>
    <add name="/Account/LogOn/" post="true" maxAttempts="100" interval="00:10:00" mode="perkeyperorigin" />
    <add name="/Home/" post="false" maxAttempts="10000" interval="00:01:00" mode="perorigin" />
    <add name="/" post="false" maxAttempts="10000" interval="00:01:00" mode="perorigin" />
  </keys>
</HackerSprayConfig>

  • redis - This is the connection string to Redis server.
  • prefix - All keys created in redis are prefixed with this.
  • keys - one entry per path that you want to protect
  • name - The Path to match
  • post - true = POST, false = GET
  • maxAttempts - max number of hits to allow
  • interval - hits for how long?
  • mode - How to count the hits and apply blocking
    • perkey - count hits from all IPs to this key. For ex, allow maximum 1000000 hits to Home page in 10 minutes period.
    • perorigin - While checking hits to this key, if the origin IP has produced more than the maxAttempts hit overall on any key, then block. For ex, allow 1000 hits per IP, to any key, but do this check on Login page hit.
    • perkeyorigin - Count hits to this key, per IP. For example, 1000 hits per IP on the Login page.

Credits / Source: https://github.com/oazabir/HackerSpray
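The three `mode` values in the config above decide which counter a hit is compared against, and that is easiest to see by running the counting logic on a handful of requests. The block below is an added example written for this page, not HackerSpray's code or API: `HitCounter`, `CountMode`, `DefendResult` and `ModeWalkthrough` are hypothetical names, the counters live in a dictionary instead of Redis, and the addresses are constructed sample values from the 203.0.113.0/24 documentation range. It also goes slightly beyond the answer in that every hit is recorded in all three counters, so a `perorigin` check on one path sees hits the same IP made on other paths, which is what the answer's description of `perorigin` implies.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Hypothetical stand-in for the three counting modes the answer describes.
// Added example: not HackerSpray's code or API, and kept in memory rather than Redis.
public enum CountMode { PerKey, PerOrigin, PerKeyOrigin }
public enum DefendResult { Allowed, TooManyHitsOnKey, TooManyHitsFromOrigin, TooManyHitsOnKeyFromOrigin }

public class HitCounter
{
    private class Window { public DateTime Start; public int Hits; }

    private readonly ConcurrentDictionary<string, Window> _windows =
        new ConcurrentDictionary<string, Window>(StringComparer.Ordinal);
    private readonly Func<DateTime> _clock;

    // The clock is injectable so the walk-through below can advance time deterministically.
    public HitCounter(Func<DateTime> clock)
    {
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    // Every hit is counted three ways; the mode decides which counter is compared with
    // maxAttempts. In the answer's terms:
    //   key:<path>            -> perkey        (all IPs, one path)
    //   origin:<ip>           -> perorigin     (one IP, all paths)
    //   keyorigin:<path>|<ip> -> perkeyorigin  (one IP, one path)
    public DefendResult Defend(string key, string ip, CountMode mode, int maxAttempts, TimeSpan interval)
    {
        DateTime now = _clock();
        int keyHits = Bump("key:" + key, now, interval);
        int originHits = Bump("origin:" + ip, now, interval);
        int keyOriginHits = Bump("keyorigin:" + key + "|" + ip, now, interval);

        switch (mode)
        {
            case CountMode.PerKey:
                return keyHits > maxAttempts ? DefendResult.TooManyHitsOnKey : DefendResult.Allowed;
            case CountMode.PerOrigin:
                return originHits > maxAttempts ? DefendResult.TooManyHitsFromOrigin : DefendResult.Allowed;
            default:
                return keyOriginHits > maxAttempts ? DefendResult.TooManyHitsOnKeyFromOrigin : DefendResult.Allowed;
        }
    }

    // Fixed window: the counter resets once 'interval' has elapsed since the window opened,
    // which is what makes a block expire on its own without a cleanup job.
    private int Bump(string id, DateTime now, TimeSpan interval)
    {
        Window w = _windows.GetOrAdd(id, _ => new Window { Start = now });
        lock (w)
        {
            if (now - w.Start >= interval) { w.Start = now; w.Hits = 0; }
            return ++w.Hits;
        }
    }
}

public static class ModeWalkthrough
{
    // Returns the sequence of outcomes so the behaviour can be inspected or asserted on.
    public static List<DefendResult> Run()
    {
        DateTime t0 = new DateTime(2025, 1, 10, 11, 0, 0, DateTimeKind.Utc);
        DateTime now = t0;
        var counter = new HitCounter(() => now);
        TimeSpan tenMinutes = TimeSpan.FromMinutes(10);
        var results = new List<DefendResult>();

        // Constructed sample addresses from the documentation range 203.0.113.0/24.
        string attacker = "203.0.113.10", bystander = "203.0.113.11";

        // perkeyperorigin on /Account/LogOn/ with maxAttempts=100: the 101st hit from one IP
        // is refused while another IP is untouched, because the bucket is per (path, IP).
        DefendResult last = DefendResult.Allowed;
        for (int i = 0; i < 101; i++)
            last = counter.Defend("/Account/LogOn/", attacker, CountMode.PerKeyOrigin, 100, tenMinutes);
        results.Add(last);                                                                          // TooManyHitsOnKeyFromOrigin
        results.Add(counter.Defend("/Account/LogOn/", bystander, CountMode.PerKeyOrigin, 100, tenMinutes)); // Allowed

        // perorigin on "/" with a budget of 100 for illustration: the 101 LogOn hits above already
        // count against the attacker's origin bucket, so the budget across all paths is spent.
        results.Add(counter.Defend("/", attacker, CountMode.PerOrigin, 100, tenMinutes));           // TooManyHitsFromOrigin

        // After the interval the windows reset and the same IP is allowed again.
        now = t0 + tenMinutes;
        results.Add(counter.Defend("/Account/LogOn/", attacker, CountMode.PerKeyOrigin, 100, tenMinutes)); // Allowed
        return results;
    }
}
```

One simplification to keep in mind: a single `interval` governs all three counters on each call, so the origin counter is reset on whichever path's interval elapses first; a production implementation would track the window per counter type, as a shared store lets you do with per-key expiry.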
