httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From javalishixml <javalishi...@163.com>
Subject [users@httpd] Re:Re: [users@httpd] Re:Re: [users@httpd] how to block the duplicated requests?
Date Wed, 20 May 2015 08:26:31 GMT

Great thank you all.


More detail information is as below.


presudo-code step:


1. a register page named "http://mywebsite.com/register1.jsp" is set up, and this page contains
a CAPTCHA image 
2. the robot(crackers) will successfully register the thousands different users for this web
site during only several minutes.
3. if it is a human beings, these thousands different users should have different IPs. But
we find  these thousands different users are from same IPs.
By the way, we get the IP from HttpServletRequest header.
4. later, we setup a new register page. We change its url from "http://mywebsite.com/register1.jsp"
to "http://mywebsite.com/register2.jsp"
For the first several days, we find everthing is good.
But after several days, we find the robot(crackers) will successfully register the thousands
different users for this web site during only several minutes.


It's just reproduced steps for our case.


Our requirements are that:
1. we have a URL for register page. we don't want the thousands different users with same
IP could successfully registered during a very short time window.
2. We can have a policy to set a interval time window. Based on this interval time window,
the same IP should not register users again and again.
3. This policy should manage a group of URLs. We can always add the different URLs for this
policy.  Because based on our maintaining activities, we may set up many different register
page again and again.


Is it a DDOS attack? Is there a good way to resolve it at httpd level? Which apache mod is
best for my issue?




在 2015-05-20 05:11:13,"Kurtis Rader" <krader@skepticism.us> 写道:

On Tue, May 19, 2015 at 8:22 AM, javalishixml <javalishixml@163.com> wrote:

I see you speak "Though those modules exist, this might be best implemented in your application"

How can I understand it? I should write a c program for apache? or I should write some java
web application at tomcat level?

Because this is a web site, it has to face concurrency issue. So I prefer to resolve this
issue at httpd level.
Not sure if my thinking is good or not? 





Yehuda is correct. You should implement the rate limiting in your lottery code, not the web
server. You are rate limiting lottery attempts, not HTTP requests. Nor are you eliminating
duplicate requests. If you've never written a rate limiter the concept is fairly straightforward.
Google "token bucket". Below is a simple implementation I use in my httpd and sshd log monitoring
app to detect malware that is flooding my server with bogus requests. It uses a single token
bucket and is thus much simpler and uses less memory than more flexible implementations.


Here is an example of how it is used:


blackhole_source = False
if web_req.http_method == 'POST':
    rate_limiter = self.rate_limiter_post.get(ip_addr, None)
    if rate_limiter is not None:
        blackhole_source = rate_limiter()
    else:
        # Allow no more than two POST requests every five seconds.
        # In my experience legitimate WordPress administration doesn't
        # exceed this limit.
        self.rate_limiter_post[ip_addr] = util.RateLimiter(2, 5)


if blackhole_source:


And here is the implementation:


class RateLimiter():
    """Return true if the allowable rate has been exceeded."""
    # pylint: disable=too-few-public-methods


    def __init__(self, rate, per):
        """Initialize object for a specific situation (e.g., IP address).


        Note that rate and per must have the same temporal units; e.g., seconds.
        """
        if not isinstance(rate, int) or not isinstance(per, int):
            raise TypeError('rate and per must be integers')
        self.rate = float(rate)
        self.per = float(per)
        self.ratio = self.rate / self.per
        self.allowance = float(rate)
        self.last_check = time.time()


    def __call__(self):
        """Return True if the rate has been exceeded."""
        now = time.time()
        time_delta = now - self.last_check
        self.last_check = now
        self.allowance += time_delta * self.ratio
        if self.allowance > self.rate:
            self.allowance = int(self.rate)  # throttle
        if self.allowance < 1.0:
            return True
        else:
            self.allowance -= 1.0
            return False




--

Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
Mime
View raw message