How to stop hack/DOS attack on web API


Problem description


My website has been experiencing a denial of service/hack attack for the last week. The attack is hitting our web API with randomly generated invalid API keys in a loop.


I'm not sure if they are trying to guess a key (mathematically impossible as 64bit keys) or trying to DOS attack the server. The attack is distributed, so I cannot ban all of the IP address, as it occurs from hundreds of clients.


My guess is that it is an Android app by the IPs, so someone has some malware in an Android app, and use all the installs to attack my server.


Server is Tomcat/Java, currently the web API just responds 400 to invalid keys, and caches IPs that have made several invalid key attempts, but still needs to do some processing for each bad request.


Any suggestions how to stop the attack? Is there any way to identify the Android app making the request from the HTTP header?

Recommended answer

Preventing brute-force attacks:


There is a vast array of tools and strategies available to help you do this, and which to use depends entirely on your server implementation and requirements.


Without using a firewall, IDS, or other network-control tools, you can't really stop a DDOS from, well, denying service to your application. You can, however, modify your application to make a brute-force attack significantly more difficult.


The standard way to do this is by implementing a lockout or a progressive delay. A lockout prevents an IP from making a login request for X minutes if they fail to log in N times. A progressive delay adds a longer and longer delay to processing each bad login request.

If you're using Tomcat's authentication system (i.e. you have a <login-constraint> element in your webapp configuration), you should use the Tomcat LockoutRealm (https://tomcat.apache.org/tomcat-6.0-doc/config/realm.html#LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm), which lets you easily put IP addresses on a lockout once they make a number of bad requests.


If you are not using Tomcat's authentication system, then you would have to post more information about what you are using to get more specific information.


Finally, you could simply increase the length of your API keys. 64 bits seems like an insurmountably huge keyspace to search, but it's underweight by modern standards. A number of factors could contribute to making it far less secure than you expect:

  • A botnet (or other large network) could make tens of thousands of attempts per second, if you have no protections in place.
  • Depending on how you're generating your keys and gathering entropy, your de facto keyspace might be much smaller.
  • As your number of valid keys increases, the number of keys that need to be attempted to find a valid one (at least in theory) drops sharply.


Upping the API key length to 128 (or 256, or 512) won't cost much, and you'll tremendously increase the search space (and thus, the difficulty) of any brute force attack.

Mitigating DDOS attacks:


To mitigate DDOS attacks, however, you need to do a bit more legwork. DDOS attacks are hard to defend against, and it's especially hard if you don't control the network your server is on.


That being said, there are a few server-side things you can do:

  • Installing and configuring a web-application firewall, like mod_security, to reject incoming connections that violate rules that you define.
  • Setting up an IDS system, like Snort, to detect when a DDOS attack is occurring and take the first steps to mitigate it
  • See @Martin Muller's post for another excellent option, fail2ban
  • Creating your own Tomcat Valve, as described here, to reject incoming requests by their User-Agents (or any other criterion) as a last line of defense.


In the end, however, there is only so much you can do to stop a DDOS attack for free. A server has only so much memory, so many CPU cycles, and so much network bandwidth; with enough incoming connections, even the most efficient firewall won't keep you from going down. You'll be better able to weather DDOS attacks if you invest in a higher-bandwidth internet connection and more servers, or if you deploy your application on Amazon Web Services, or if you bought one of many consumer and enterprise DDOS mitigation products (@SDude has some excellent recommendations in his post). None of those options are cheap, quick, or easy, but they're what's available.

Bottom line: if you have to rely on your application code to mitigate DDOS, you're not
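The lockout and progressive-delay scheme the answer describes, together with longer API keys, as an added example in plain Java (this is not code from the question, the answer, or Tomcat; class and method names such as KeyGate, check and newApiKey are illustrative, and the thresholds of 5 failures, 15-minute lockout and 250 ms base delay are assumptions rather than values from the page). Valid keys are stored as SHA-256 hashes so a leaked key table is not directly usable, which is an added design choice, not something the answer prescribes. The main method drives it with constructed input from one address:

```java
// Added example: per-IP lockout with progressive delay in front of API-key
// validation, for a Tomcat/Java-style service. Not from the original Q&A.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class KeyGate {
    // Assumed policy (not from the page): lock an IP for LOCKOUT_MS after
    // MAX_FAILURES bad keys; before that, delay each bad request by
    // BASE_DELAY_MS * 2^(failures-1), capped at MAX_DELAY_MS.
    static final int MAX_FAILURES = 5;
    static final long LOCKOUT_MS = 15 * 60 * 1000L;
    static final long BASE_DELAY_MS = 250L;
    static final long MAX_DELAY_MS = 8_000L;

    enum Decision { ALLOW, BAD_KEY, LOCKED_OUT }
    record Result(Decision decision, long delayMs) {}

    private static final class Strikes {
        int failures;        // consecutive bad keys since the last success/lockout
        long lockedUntil;    // epoch millis; 0 when not locked
    }

    private final Set<String> validKeyHashes = new HashSet<>();
    private final Map<String, Strikes> byIp = new ConcurrentHashMap<>();

    KeyGate(Set<String> validKeys) {
        for (String k : validKeys) validKeyHashes.add(sha256Hex(k));
    }

    /** 256-bit key from a CSPRNG, base64url without padding (43 characters). */
    static String newApiKey() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Keys are looked up by hash, so the stored table never holds raw keys. */
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(64);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Decide one request; nowMs is injected so the policy is testable offline. */
    Result check(String ip, String presentedKey, long nowMs) {
        Strikes s = byIp.computeIfAbsent(ip, k -> new Strikes());
        synchronized (s) {
            if (s.lockedUntil > nowMs) {
                return new Result(Decision.LOCKED_OUT, s.lockedUntil - nowMs);
            }
            if (validKeyHashes.contains(sha256Hex(presentedKey))) {
                s.failures = 0;  // a successful request clears the strike count
                return new Result(Decision.ALLOW, 0);
            }
            s.failures++;
            if (s.failures >= MAX_FAILURES) {
                s.lockedUntil = nowMs + LOCKOUT_MS;
                s.failures = 0;
                return new Result(Decision.LOCKED_OUT, LOCKOUT_MS);
            }
            long delay = Math.min(MAX_DELAY_MS, BASE_DELAY_MS << (s.failures - 1));
            return new Result(Decision.BAD_KEY, delay);
        }
    }

    public static void main(String[] args) {
        String good = newApiKey();
        KeyGate gate = new KeyGate(Set.of(good));
        String ip = "203.0.113.7";   // constructed documentation address
        long t = 0;
        for (int i = 1; i <= 6; i++) {   // constructed: six random bad keys in a loop
            Result r = gate.check(ip, newApiKey(), t);
            System.out.printf("attempt %d: %s, delay %d ms%n", i, r.decision(), r.delayMs());
        }
        // Expected: attempts 1-4 BAD_KEY with 250/500/1000/2000 ms, then LOCKED_OUT.
        System.out.println("valid key while locked:  " + gate.check(ip, good, t).decision());
        System.out.println("valid key after lockout: " + gate.check(ip, good, t + LOCKOUT_MS).decision());
    }
}
```

Inside a Tomcat Valve or servlet filter, request.getRemoteAddr() supplies the ip argument and a BAD_KEY or LOCKED_OUT result maps to a 400 or 429 response. Apply the progressive delay by sending the client a Retry-After header rather than sleeping the request thread: a sleeping worker thread is exactly the resource a distributed flood exhausts, which is the point the answer makes about application code alone not stopping a DDOS. The map is unbounded in this example; a production version needs an expiry or size cap so that hundreds of attacking addresses do not become a memory problem of their own.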
