解决.net接口防暴力调用问题

在 .NET 中,为解决接口防暴力调用问题,可通过限制请求频率实现。下面给出几种不同实现方式。

基于内存的简单速率限制

此方法适用于单服务器环境,它借助内存字典来记录每个客户端的请求次数和时间。

MemoryRateLimitMiddleware.cs

复制代码
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public class MemoryRateLimitMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ConcurrentDictionary<string, (int Count, DateTime LastRequestTime)> _requestCounts = new ConcurrentDictionary<string, (int Count, DateTime LastRequestTime)>();
    private readonly int _maxRequests;
    private readonly TimeSpan _timeWindow;

    public MemoryRateLimitMiddleware(RequestDelegate next, int maxRequests, TimeSpan timeWindow)
    {
        _next = next;
        _maxRequests = maxRequests;
        _timeWindow = timeWindow;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var clientIp = context.Connection.RemoteIpAddress.ToString();
        var now = DateTime.UtcNow;

        if (_requestCounts.TryGetValue(clientIp, out var entry))
        {
            if (now - entry.LastRequestTime < _timeWindow)
            {
                if (entry.Count >= _maxRequests)
                {
                    context.Response.StatusCode = 429;
                    await context.Response.WriteAsync("请求频率过高,请稍后再试。");
                    return;
                }
                _requestCounts[clientIp] = (entry.Count + 1, entry.LastRequestTime);
            }
            else
            {
                _requestCounts[clientIp] = (1, now);
            }
        }
        else
        {
            _requestCounts.TryAdd(clientIp, (1, now));
        }

        await _next(context);
    }
}

Startup.cs

复制代码
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        app.UseMiddleware<MemoryRateLimitMiddleware>(100, TimeSpan.FromMinutes(1));

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

基于 Redis 的分布式速率限制

若应用部署在分布式环境,可使用 Redis 存储请求信息。需安装 StackExchange.Redis 包。

RedisRateLimitMiddleware.cs

复制代码
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using StackExchange.Redis;

public class RedisRateLimitMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IDatabase _redisDb;
    private readonly int _maxRequests;
    private readonly TimeSpan _timeWindow;

    public RedisRateLimitMiddleware(RequestDelegate next, ConnectionMultiplexer redis, int maxRequests, TimeSpan timeWindow)
    {
        _next = next;
        _redisDb = redis.GetDatabase();
        _maxRequests = maxRequests;
        _timeWindow = timeWindow;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var clientIp = context.Connection.RemoteIpAddress.ToString();
        var key = $"request_count:{clientIp}";

        var count = await _redisDb.StringGetAsync(key);
        if (count.HasValue)
        {
            var currentCount = int.Parse(count);
            if (currentCount >= _maxRequests)
            {
                context.Response.StatusCode = 429;
                await context.Response.WriteAsync("请求频率过高,请稍后再试。");
                return;
            }
            await _redisDb.StringIncrementAsync(key);
        }
        else
        {
            await _redisDb.StringSetAsync(key, 1, _timeWindow);
        }

        await _next(context);
    }
}

StartupRedis.cs

复制代码
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using StackExchange.Redis;

public class StartupRedis
{
    public void ConfigureServices(IServiceCollection services)
    {
        var redis = ConnectionMultiplexer.Connect("localhost");
        services.AddSingleton<IConnectionMultiplexer>(redis);
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IConnectionMultiplexer redis)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        app.UseMiddleware<RedisRateLimitMiddleware>(redis, 100, TimeSpan.FromMinutes(1));

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

解释

  • 基于内存的简单速率限制 :借助 ConcurrentDictionary 记录每个客户端的请求次数和时间,当请求频率超出限制时,返回 429 状态码。
  • 基于 Redis 的分布式速率限制:使用 Redis 存储请求信息,能处理分布式环境下的请求频率限制。
相关推荐
FL16238631296 小时前
Windows Server2012 R2 安装.NET Framework 3.5
.net
CodeCraft Studio10 小时前
Aspose.Words for .NET 25.7:支持自建大语言模型(LLM),实现更安全灵活的AI文档处理功能
人工智能·ai·语言模型·llm·.net·智能文档处理·aspose.word
要记得喝水10 小时前
C#某公司面试题(含题目和解析)--1
开发语言·windows·面试·c#·.net
SEO-狼术11 小时前
Aqua Data Studio 25.5
.net
MasterNeverDown1 天前
.net 微服务jeager链路跟踪
微服务·架构·.net
喵叔哟2 天前
51.【.NET8 实战--孢子记账--从单体到微服务--转向微服务】--新增功能--登录注册扩展
数据库·微服务·.net
时光追逐者2 天前
.NET 使用 CsvHelper 快速读取和写入 CSV 文件
c#·.net·.net core·csv
界面开发小八哥2 天前
文档控件DevExpress Office File API v25.1新本亮点:重磅升级各类API
c#·.net·界面控件·devexpress·ui开发
追逐时光者3 天前
.NET 使用 CsvHelper 快速读取和写入 CSV 文件
后端·.net
Kookoos3 天前
差分隐私在运营指标:ABP 的 DP 计数器与噪声预算
.net·差分隐私·abp vnext·拉普拉斯机制·隐私预算