Now mobile phones have become the people essential thing, the phone number has almost become our identity ID, the current major sites on the Internet, APP and other registered almost always done by registered phone number verification message, send SMS verification code in general we are third-party interface calls, of course, for a fee. Generally when we call third-party SMS interfaces, if the defense did not do a good job, is likely to become the point of hacking, you might be able to put a few text messages to run out in a few minutes, so do SMS verification code defense is very important, let's share a few ways, and I was in conjunction with other users of the method because of his own practice to be improved and added, hoping to help people in need.
(1) a single phone number to limit the number of transmissions
Each metaphor phone number a day, allowing only receive five, etc., generally do not need to own this set in the program, because the general messaging interfaces can set up business there, just talk about with the customer service can be achieved. Of course, general hacking is actually spent thousands of phone numbers, repeat a few phone numbers to attack.
(2) limit the transmission time interval
60 sec after the analogy or 120 seconds retransmission, note that here, this limitation do both sides, only the front end of the button html disposed failure, but also need to verify that the rear end of the time limit interval, only a small distal only anti White.
(3) In fact, the increase verification field
Before sending phone code, let the user such as user name, email, password and other fields completed and verified the feasibility of, and then allows users to send phone verification code.
(4) increase the CAPTCHA
Captcha code needs to be saved in the Session inside, and uses graphics to be done immediately to make this a CAPTCHA verification code after the failure to prevent the hacker has been using a graphical verification code.
(5) the same IP limit transmission number
Here developers need to be able to get to the real IP address of the client, in an article on my blog " JS and C # .NET to obtain client IP " To have a method when it comes to obtaining the client's IP. This limitation can only produce a certain limit, a limited role, because hackers are often switched IP's
(6) The user sends a verification code determines whether the entry is your page registration page
This is important, when hacker attacks are a direct call to the middle of the page to send your verification, you may skip the registration page entry, he will follow your way to a good fight to be transferred directly to invoke a method parameter field , at this time I just came backstage determine what the user entry is the address of the registration page on the line. Forcing the hacker intrusion through the entrance registration page, but this is obviously increased the cost of the attack.
In general, we just need to do (2) (4) (6) points on it more than the first.
To sum up, the so-called "one foot in mind that" it is difficult to completely locked hackers attack, we can only think of ways to increase the cost of a hacker attack, forcing them to give up the attack.
That is all I want to share content, there is a better way to welcome everyone to add comments.