API access frequency limiting / limiting malicious website crawlers / limiting malicious website access: a scheme

Multi-layer interception plus post-interception: a systematic way to solve the problem

1 Layered interception

1.1 First layer: commercial web application firewall (WAF)

Use a commercial service directly.

Traditionally this was F5 hardware; in the cloud era it has been replaced by cloud products, a typical example being Alibaba Cloud Web Application Firewall.

1.2 Second layer: API gateway layer

API gateway (API Gateway)

Options here are open source API gateways, represented by Kong; a self-built implementation on OpenResty + Lua; and, on the Windows platform, Safedog or Yunsuo (Cloud Lock).

1.3 Third layer: application layer

Redis with built-in Lua scripts

Redis is a brick: you move it to wherever it is needed. Redis has a built-in Lua engine, and since version 2.6 you can write a Lua script to carry out the whole decision logic.

Common methods are the counter and the token bucket. A dimension is something like IP, or IP + module: several fields combined into one dimension.

This rate-limiting scheme meets the needs of most application layers. You can of course implement limiting in your own application code, provided that Redis + Lua cannot meet your needs.
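One way to write the token-bucket method as a Redis Lua script, keyed on a combined dimension such as IP + module. This is an added example, not code from the original post; the key naming, the argument order and passing the current time in from the caller are assumptions.

```lua
-- Token bucket for one dimension, run atomically inside Redis (EVAL / EVALSHA).
-- KEYS[1]  bucket key, e.g. "rl:203.0.113.7:order" = IP + module (constructed naming)
-- ARGV[1]  capacity: most tokens the bucket holds (burst size)
-- ARGV[2]  rate: tokens refilled per second
-- ARGV[3]  now: caller's Unix time in seconds (assumption: app servers are NTP-synced)
-- ARGV[4]  cost: tokens this request consumes, normally 1
-- Returns  {allowed (1 or 0), whole tokens left}
local key      = KEYS[1]
local capacity = tonumber(ARGV[1])
local rate     = tonumber(ARGV[2])
local now      = tonumber(ARGV[3])
local cost     = tonumber(ARGV[4])

if not (capacity and rate and now and cost)
   or capacity <= 0 or rate <= 0 or cost <= 0 then
  return redis.error_reply('ERR bad rate-limit arguments')
end

-- A missing key (HMGET yields false) means a first request: start with a full bucket.
local state  = redis.call('HMGET', key, 'tokens', 'ts')
local tokens = tonumber(state[1]) or capacity
local ts     = tonumber(state[2]) or now

-- Refill for the elapsed time, capped at capacity. A caller clock that ran
-- backwards yields elapsed = 0 rather than a negative refill.
local elapsed = math.max(0, now - ts)
tokens = math.min(capacity, tokens + elapsed * rate)

local allowed = 0
if tokens >= cost then
  tokens  = tokens - cost
  allowed = 1
end

-- Store the state with a monotonic timestamp.
redis.call('HMSET', key, 'tokens', tostring(tokens), 'ts', tostring(math.max(now, ts)))
-- Idle buckets expire once they would be full again, so a crawler rotating
-- through a large IP pool cannot grow the keyspace without bound.
redis.call('EXPIRE', key, math.ceil(capacity / rate) + 1)

return {allowed, math.floor(tokens)}
```

Because Redis runs the whole script as one atomic step, concurrent requests on the same key cannot both spend the last token. Saved under an assumed file name bucket.lua, it can be tried with `redis-cli --eval bucket.lua rl:203.0.113.7:order , 10 2 1700000000 1`.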

2 Post-interception

The basic routine is actually very simple: work out the malicious IPs and malicious users from the logs, then hand them to the other control systems to use. That is the basic idea.

An ELK logging system already in use: ES can be queried on a timer for high-frequency IPs, and the results turned into WAF interception.

A stream computing system: Flink, Spark and other stream computing systems calculate the high-frequency malicious IPs, users, etc.

The computed result data can then be applied as restrictions, such as bans.

3 Layers one + two + three + post-interception working together

The first-layer WAF will of course intercept, but for a new IP it does not take effect immediately: there is a delay of a few minutes before interception starts. In particular, when a malicious crawler's IP pool brings in a large number of new IPs, they get past the first layer. If there is only one layer, the result is slow database query alerts going ding, ding, ding.

Add the layers one by one, with the second layer working together with the third layer to intercept. If you do not have the effort to spare for the second layer, then buy the first layer, skip the second layer, and do the third layer.

The results of post-interception are used as long-term bans. Isn't this multi-layer interception strategy a lot like a multi-level cache? Multi-layer interception protects the origin site and keeps the monitoring alarms quiet.

For consumer-facing (C-side) products, the probability of being crawled and of malicious web access is much larger. The B-side is not without risk either: B-side APIs also need rate limiting.

Origin www.cnblogs.com/wwek/p/12056489.html