解决.net接口防暴力调用问题

在 .NET 中,为解决接口防暴力调用问题,可通过限制请求频率实现。下面给出几种不同实现方式。

基于内存的简单速率限制

此方法适用于单服务器环境,它借助内存字典来记录每个客户端的请求次数和时间。

MemoryRateLimitMiddleware.cs

复制代码
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public class MemoryRateLimitMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ConcurrentDictionary<string, (int Count, DateTime LastRequestTime)> _requestCounts = new ConcurrentDictionary<string, (int Count, DateTime LastRequestTime)>();
    private readonly int _maxRequests;
    private readonly TimeSpan _timeWindow;

    public MemoryRateLimitMiddleware(RequestDelegate next, int maxRequests, TimeSpan timeWindow)
    {
        _next = next;
        _maxRequests = maxRequests;
        _timeWindow = timeWindow;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var clientIp = context.Connection.RemoteIpAddress.ToString();
        var now = DateTime.UtcNow;

        if (_requestCounts.TryGetValue(clientIp, out var entry))
        {
            if (now - entry.LastRequestTime < _timeWindow)
            {
                if (entry.Count >= _maxRequests)
                {
                    context.Response.StatusCode = 429;
                    await context.Response.WriteAsync("请求频率过高,请稍后再试。");
                    return;
                }
                _requestCounts[clientIp] = (entry.Count + 1, entry.LastRequestTime);
            }
            else
            {
                _requestCounts[clientIp] = (1, now);
            }
        }
        else
        {
            _requestCounts.TryAdd(clientIp, (1, now));
        }

        await _next(context);
    }
}

Startup.cs

复制代码
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        app.UseMiddleware<MemoryRateLimitMiddleware>(100, TimeSpan.FromMinutes(1));

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

基于 Redis 的分布式速率限制

若应用部署在分布式环境,可使用 Redis 存储请求信息。需安装 StackExchange.Redis 包。

RedisRateLimitMiddleware.cs

复制代码
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using StackExchange.Redis;

public class RedisRateLimitMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IDatabase _redisDb;
    private readonly int _maxRequests;
    private readonly TimeSpan _timeWindow;

    public RedisRateLimitMiddleware(RequestDelegate next, ConnectionMultiplexer redis, int maxRequests, TimeSpan timeWindow)
    {
        _next = next;
        _redisDb = redis.GetDatabase();
        _maxRequests = maxRequests;
        _timeWindow = timeWindow;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var clientIp = context.Connection.RemoteIpAddress.ToString();
        var key = $"request_count:{clientIp}";

        var count = await _redisDb.StringGetAsync(key);
        if (count.HasValue)
        {
            var currentCount = int.Parse(count);
            if (currentCount >= _maxRequests)
            {
                context.Response.StatusCode = 429;
                await context.Response.WriteAsync("请求频率过高,请稍后再试。");
                return;
            }
            await _redisDb.StringIncrementAsync(key);
        }
        else
        {
            await _redisDb.StringSetAsync(key, 1, _timeWindow);
        }

        await _next(context);
    }
}

StartupRedis.cs

复制代码
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using StackExchange.Redis;

public class StartupRedis
{
    public void ConfigureServices(IServiceCollection services)
    {
        var redis = ConnectionMultiplexer.Connect("localhost");
        services.AddSingleton<IConnectionMultiplexer>(redis);
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IConnectionMultiplexer redis)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        app.UseMiddleware<RedisRateLimitMiddleware>(redis, 100, TimeSpan.FromMinutes(1));

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}

解释

  • 基于内存的简单速率限制 :借助 ConcurrentDictionary 记录每个客户端的请求次数和时间,当请求频率超出限制时,返回 429 状态码。
  • 基于 Redis 的分布式速率限制:使用 Redis 存储请求信息,能处理分布式环境下的请求频率限制。
相关推荐
长孙豪翔19 小时前
在.net中读写config文件的各种方法
java·数据库·.net
GV191rLvq1 天前
查看w3wp进程占用的内存及.NET内存泄露,死锁分析
.net
界面开发小八哥1 天前
界面控件DevExpress .NET Reports v26.1新版亮点 - 持续增强可访问性
.net·界面控件·devexpress·ui开发·报表控件
wei1986212 天前
.net添加web引用和添加服务引用有什么区别?
java·前端·.net
pW3g3lLuu2 天前
.NET 高级开发 | http 接口对接和客户端开发技巧
网络协议·http·.net
CSharp精选营3 天前
.NET 8 与 .NET 9 支持终止倒计时:开发者需要了解什么
.net·lts·.net8·.net9·码农刚子·升级迁移·sts·支持终止
hez20106 天前
在 .NET 上构建超大托管数组
c#·.net·.net core·gc·clr
唐青枫12 天前
线程不是越多越快:C#.NET Thread 生命周期、同步与后台工作线程实战
c#·.net
唐青枫13 天前
别只会反射:C#.NET Emit 动态生成代码实战详解
c#·.net