
c# - Blocking dangerous IPs from accessing resources

Reposted. Author: 太空狗. Updated: 2023-10-30 01:06:22

Environment

My IIS hosts a WebApp with WebService resources.

  • ...
  • MyWebService.asmx
  • MyWebService.svc
  • ...

Problem

The same bad guys try to block the server by using their bots to access public resources.

Applied solution

  1. I built a filter:

    using System;
    using System.Collections.Generic;
    using System.Web;

    public class BadGuysFilter
    {
        // Per-IP request counter and the start of its current counting window.
        private class BadGuy
        {
            public BadGuy()
            {
                Visits = 0;
                FirstSuspiciousVisit = DateTime.Now;
            }

            public int Visits;
            public DateTime FirstSuspiciousVisit;
        }

        // Dictionary is not thread-safe and IIS serves requests concurrently,
        // so every read and write of _blackList happens under _sync.
        private static readonly object _sync = new object();
        private static readonly Dictionary<string, BadGuy> _blackList = new Dictionary<string, BadGuy>();
        private static int _visitsLimit = 10;
        private static int _minutsLimit = 10;
        private static int _removeFromBlackListMinutesLimit = 30;

        public static void Init(int visitsLimit = 10, int minutsLimit = 10, int removeFromBlackListMinutesLimit = 30)
        {
            _visitsLimit = visitsLimit;
            _minutsLimit = minutsLimit;
            _removeFromBlackListMinutesLimit = removeFromBlackListMinutesLimit;
        }

        public static bool IsBadGuy()
        {
            return IsBadGuy(HttpContext.Current.Request.UserHostAddress);
        }

        public static bool IsBadGuy(string ip)
        {
            // Authenticated users are never throttled.
            if (HttpContext.Current.Request.IsAuthenticated /*|| HttpContext.Current.Request.HttpMethod.ToUpper() == "POST"*/)
                return false;

            lock (_sync)
            {
                BadGuy guy;
                if (_blackList.TryGetValue(ip, out guy))
                {
                    guy.Visits++;

                    // Entry is older than the removal limit: forget this IP.
                    if (guy.FirstSuspiciousVisit < DateTime.Now.AddMinutes(-_removeFromBlackListMinutesLimit))
                        _blackList.Remove(ip);
                    // Counting window has expired: start a new one.
                    else if (guy.FirstSuspiciousVisit < DateTime.Now.AddMinutes(-_minutsLimit))
                    {
                        guy.Visits = 0;
                        guy.FirstSuspiciousVisit = DateTime.Now;
                    }
                    // Over the limit inside the window: block and extend the window.
                    else if (guy.Visits > _visitsLimit)
                    {
                        guy.FirstSuspiciousVisit = DateTime.Now;
                        return true;
                    }
                }
                else
                    _blackList.Add(ip, new BadGuy());
            }

            return false;
        }

        public static void Punish()
        {
            var res = HttpContext.Current.Response;
            res.Clear();
            res.StatusCode = 429;
            res.StatusDescription = "TOO MANY REQUESTS: Your application is sending too many simultaneous requests.";
            res.End();
        }
    }

  2. Used the filter in Global.asax:

    void Application_BeginRequest(object sender, EventArgs e) {
        if (BadGuysFilter.IsBadGuy())
            BadGuysFilter.Punish();

        // do stuff //
    }

    void Application_EndRequest(object sender, EventArgs e) {
        var app = (HttpApplication)sender;

        if (app.Context.Response.StatusCode == 429) // "TOO MANY REQUESTS"
            return;

        // do stuff //
    }

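Question

Is this a safe enough solution? Or maybe there is another way?

Edit: "Don't block at the resource itself. Block further upstream, e.g. at the firewall. – Marc B" You are right. This is the final solution, but before applying it I need an intermediate solution to protect my server. I forgot to mention that. – 阿尔蒂姆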

Best answer

You can use the IIS Dynamic IP Restrictions module (from Microsoft):

http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions
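
As an added illustration (not part of the original answer), a web.config fragment that configures Dynamic IP Restrictions for a site. It assumes IIS 8 or later, where the feature is built in as the `dynamicIpSecurity` section; all threshold values are constructed for the example and need tuning against real traffic.

```xml
<configuration>
  <system.webServer>
    <security>
      <!--
        denyAction: what a blocked client receives
                    (AbortRequest, Unauthorized, Forbidden or NotFound).
        enableLoggingOnlyMode: "true" only logs would-be blocks, which lets
                    you validate the thresholds before enforcing them.
        enableProxyMode: "true" evaluates the X-Forwarded-For header, so that
                    clients behind a shared proxy or load balancer are not
                    all counted as one IP address.
      -->
      <dynamicIpSecurity denyAction="Forbidden"
                         enableLoggingOnlyMode="true"
                         enableProxyMode="false">
        <!-- Block an IP that holds too many requests open at once
             (example value). -->
        <denyByConcurrentRequests enabled="true"
                                  maxConcurrentRequests="10" />
        <!-- Block an IP that sends more than maxRequests within the
             interval (example values). -->
        <denyByRequestRate enabled="true"
                           maxRequests="20"
                           requestIntervalInMilliseconds="2000" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</configuration>
```

Once the logged blocks match the traffic you intend to reject, set `enableLoggingOnlyMode` to `false` to start enforcing.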

Regarding c# - Blocking dangerous IPs from accessing resources, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/15685862/
