如何使用Web API限制DOS攻击 [英] How to restrict DOS attack with Web API

问题描述

我正计划使用MVC4和Web APi开发一个Internet站点.它是一个简单的应用程序，它将基于搜索显示客户信息.

I am planning to develop a internet site using MVC4 and Web APi. Its a simple application which will display a customer information based on search.

对于搜索功能，我正在使用Ajax get方法调用webApi(我知道我应该在使用Post，但是认为这是当前的实现).

For Search functionality I am calling webApi using Ajax get method (I know i should be using Post, but consider this is the current implementation).

我的Api电话是 "/api/Data/getSearchResults/?companyName='" + companyName

My Api call is "/api/Data/getSearchResults/?companyName='" + companyName

我觉得这条线可以用作DOS攻击来关闭我的服务器.我可以使用Microsoft Anti-XSS库或ValidateAntiForgeryToken属性或任何其他机制来确保请求是由真实用户而不是由任何自动启动程序生成的.

I feel this piece of line can be used as a DOS attack to bring down my server. Is there way i can use Microsoft Anti-XSS libraries or the ValidateAntiForgeryToken attributes or any other mechanism to ensure that the request are generated from by authentic users and not by any autoBots.

我的网站启用了匿名访问.

My site has anonymous access enabled.

推荐答案

有一个名为 WebApiThrottle 的库定义了ThrottlingHandler，您可以根据呼叫方的IP或其他属性，以编程方式限制每秒/分钟/小时的请求数量.

There's a library called WebApiThrottle that defines a ThrottlingHandler you can use to programmatically limit the number of requests per second/minute/hour... based on the IP or other attributes of the caller.

另一种选择是在IIS级别上进行操作，当然您可以同时使用两者来更好地进行控制.

Another option is to act at the IIS level, and of course you can use both to have a better control.

这篇关于如何使用Web API限制DOS攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！