Recently I built a free text-message (SMS) service on a small website (http://freesms.cloudapp.net/), but found that someone had cracked my verification code and was using my SMS service to send his advertisement every 3 seconds. Changing the verification-code scheme and filtering keywords are only temporary, not permanent, fixes. To prevent such events completely, let's look at how to do it by tightening the program itself.
In fact, besides stopping other people from abusing the service with requests, the same approach also helps mitigate DoS attacks. Let's take a look.
Basic objective: limit how often the same IP address can access the website. For example, the limit might be that users from the same IP address can only access the home page 40 times and other pages 240 times every 200 minutes.
For example, you can open http://freesms.cloudapp.net/ now to try it: refresh 40 times and you will find that you cannot access the real site content again within 4 hours.
Basic ideas:
- Use HttpContext.Cache to record access counts.
- Use the IP address plus the access type as the combined cache key, so different access types are limited independently.
- Call Response.End() when the quota is exceeded.
Detailed code:
1. Define the duration
In this example we use 240 minutes as the time window.

```csharp
// Length of one counting window, in minutes; a counter lives in the cache this long.
private const int Duration = 240;
```
2. Define the access-type enumeration
Different access types get different limits. In this example we only distinguish normal access from PostBack access; in a real application you can add per-page limits as needed. The numeric value of each member is its quota for one window.

```csharp
public enum ActionTypeEnum { Normal = 40, PostBack = 100 }
```
3. Judgment logic
- When an IP address uses a given access type for the first time, add a cache entry with key = access type + IP address and return true.
- If the key already exists, increase the hit count and return true.
- If the count exceeds the quota, return false.

```csharp
using System;
using System.Threading;
using System.Web;
using System.Web.Caching;

public static class ActionValidator
{
    // Duration and ActionTypeEnum from the previous two steps belong in this class.

    // Cached per key: hit count plus the absolute end of the window. Keeping the
    // expiry with the counter and mutating the object in place avoids re-inserting
    // the item through the Cache indexer, which would silently drop the expiration.
    private sealed class Counter { public int Hits; public DateTime Expires; }

    public static bool IsValid(ActionTypeEnum actionType)
    {
        HttpContext context = HttpContext.Current;
        // Refuse self-declared crawlers outright.
        if (context.Request.Browser.Crawler) return false;

        // One counter per access type per client IP.
        string key = actionType.ToString() + context.Request.UserHostAddress;
        Counter counter = context.Cache[key] as Counter;
        if (counter == null)
        {
            // First hit from this IP for this action: start a fixed (non-sliding)
            // window that expires Duration minutes from now.
            counter = new Counter { Expires = DateTime.Now.AddMinutes(Duration) };
            Counter raced = (Counter)context.Cache.Add(key, counter, null, counter.Expires,
                Cache.NoSlidingExpiration, CacheItemPriority.Normal, null);
            if (raced != null) counter = raced; // a concurrent request created it first
        }

        // The enum value is the quota: hits 1..40 of a Normal window pass, the 41st is rejected.
        return Interlocked.Increment(ref counter.Hits) <= (int)actionType;
    }
}
```
4. Calling the check
The check must be called from the page's OnInit method. Some logic is needed here to decide which access type applies; the example below is the simplest one and only distinguishes normal access from PostBack.

```csharp
protected override void OnInit(EventArgs e)
{
    base.OnInit(e);

    // Pick the quota that applies to this request, then stop processing if it is exhausted.
    ActionValidator.ActionTypeEnum action = IsPostBack
        ? ActionValidator.ActionTypeEnum.PostBack
        : ActionValidator.ActionTypeEnum.Normal;

    if (!ActionValidator.IsValid(action))
    {
        Response.Write("You send messages too frequently and the system determines them as advertisements. " +
            "Please contact the mailbox admin@cloudera.cn for advertising or other customized business. " +
            "Thank you. -Http://freesms.cloudapp.net");
        Response.End();
    }
}
```
PS: the enemy is always cunning. Later I found that the person was using proxies to change his IP address and kept sending advertisements through my service, so the program will need further tuning, for example recording the MD5 of the ad content as a cache key. You may have to face all sorts of "enemy situations". Haha, I hope this article helps you!
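The fixed-window counter from step 3 and the content-hash key from the postscript, re-implemented in plain Python as an added example (not the article's ASP.NET code) so the quota boundary and the window expiry can be exercised with an injectable clock; the client IPs and message text used to drive it are constructed.

```python
import hashlib
import time
from typing import Callable, Dict, Tuple

# Quotas from the article: 240-minute window, 40 Normal page loads and
# 100 PostBacks per client IP inside one window.
DURATION_MINUTES = 240
LIMITS = {"Normal": 40, "PostBack": 100}


class FixedWindowLimiter:
    """Fixed-window hit counter keyed by access type + client id, mirroring the
    article's HttpContext.Cache entries with absolute (non-sliding) expiry."""

    def __init__(self, limits: Dict[str, int], duration_minutes: int,
                 now: Callable[[], float] = time.time) -> None:
        self.limits = limits
        self.window = duration_minutes * 60
        self.now = now  # injectable clock so the window can be fast-forwarded in tests
        self._hits: Dict[str, Tuple[int, float]] = {}  # key -> (count, window_end)

    def is_valid(self, action: str, client_id: str, is_crawler: bool = False) -> bool:
        """Same decision as the article's IsValid: crawlers are refused, then the
        (action, IP) counter is checked against the quota for that action."""
        if is_crawler:
            return False
        return self._count(action + client_id, self.limits[action])

    def is_valid_content(self, content: str, limit: int = 1) -> bool:
        """Postscript variant: key on the MD5 of the message body, so the same
        advertisement is throttled no matter which proxy IP relays it."""
        digest = hashlib.md5(content.encode("utf-8")).hexdigest()
        return self._count("Content" + digest, limit)

    def _count(self, key: str, limit: int) -> bool:
        now = self.now()
        count, window_end = self._hits.get(key, (0, now + self.window))
        if now >= window_end:  # the cache entry would have expired: start a fresh window
            count, window_end = 0, now + self.window
        if count >= limit:     # quota already used up in this window
            return False
        self._hits[key] = (count + 1, window_end)
        return True
```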