C# 为 Web 请求实现速率限制算法的最佳方法是什么?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1450217/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What is the best way to implement a rate-limiting algorithm for web requests?
提问by Lamar
Possible/partial duplicates:
可能/部分重复:
- What's a good rate limiting algorithm?
- Throttling method calls to M requests in N seconds
- Best way to implement request throttling in ASP.NET MVC?
I am looking for the best way to implement a moving time window rate limiting algorithm for a web application to reduce spam or brute force attacks.
我正在寻找为 Web 应用程序实现移动时间窗口速率限制算法以减少垃圾邮件或蛮力攻击的最佳方法。
Examples of use would be "Maximum number of failed login attempts from a given IP in the last 5 minutes", "Maximum number of (posts/votes/etc...) in the last N minutes".
使用示例包括“过去 5 分钟内来自给定 IP 的最大登录尝试失败次数”、“过去 N 分钟内(帖子/投票/等...)的最大次数”。
I would prefer to use a moving time window algorithm, rather than a hard reset of statistics every X minutes (like twitter api).
我更喜欢使用移动时间窗口算法,而不是每 X 分钟硬重置统计数据(如 twitter api)。
This would be for a C#/ASP.Net app.
这将用于 C#/ASP.Net 应用程序。
采纳答案by Fragsworth
Use a fast memory-based hashtable like memcached. The keys will be the target you are limiting (e.g. an IP) and the expiration of each stored value should be the maximum limitation time.
使用像memcached这样的基于内存的快速哈希表。密钥将是您要限制的目标(例如 IP),并且每个存储值的到期时间应该是最大限制时间。
The values stored for each key will contain a serialized list of the last N attempts they made at performing the action, along with the time for each attempt.
为每个键存储的值将包含他们在执行操作时最后 N 次尝试的序列化列表,以及每次尝试的时间。
回答by ZZ Coder
We found out Token Bucketis better algorithm for this kind of rate-limiting. It's widely used in routers/switches so our operation folks are more familiar with the concept.
我们发现Token Bucket是这种限速的更好算法。它广泛用于路由器/交换机,因此我们的操作人员更熟悉这个概念。
回答by spender
You find this page to be an interesting read:
你会发现这个页面很有趣:
http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx
http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx
The section to look out for starts as follows:
要注意的部分如下所示:
Prevent Denial of Service (DOS) Attack
Web services are the most attractive target for hackers because even a pre-school hacker can bring down a server by repeatedly calling a Web service which does expensive work.
防止拒绝服务 (DOS) 攻击
Web 服务是黑客最有吸引力的目标,因为即使是学龄前的黑客也可以通过重复调用执行昂贵工作的 Web 服务来关闭服务器。
EDIT: Similar question here:
编辑:这里有类似的问题:
回答by NickG
Just to add a more 'modern' answer to this problem: For .NET WebAPI, WebApiThrottleis excellent and probably does everything you want out of the box.
只是为这个问题添加一个更“现代”的答案:对于 .NET WebAPI,WebApiThrottle非常出色,可能开箱即用。
It's also available on NuGet.
Implementation takes only a minute or so and it's highly customisable:
实施只需一分钟左右,并且高度可定制:
config.MessageHandlers.Add(new ThrottlingHandler()
{
Policy = new ThrottlePolicy(perSecond: 1, perMinute: 30, perHour: 500, perDay:2000)
{
IpThrottling = true,
ClientThrottling = true,
EndpointThrottling = true
},
Repository = new CacheRepository()
});
回答by JerryGoyal
I just added the answer to the question Block API requests for 5 mins if API rate limit exceeds.
I used HttpRuntime.Cacheto allow only 60 requests per minute. Exceeding the limit will block the API for next 5 minutes.
如果 API 速率限制超过,我刚刚添加了对Block API requests for 5 mins问题的答案。
我曾经HttpRuntime.Cache每分钟只允许 60 个请求。超过限制将在接下来的 5 分钟内阻止 API。
