1.基本原理
DDos攻击原理就是短时间发动大量正常的网站访问占用服务器资源,造成服务器卡顿,或失去连接。通过将异常访问服务器的IP禁止访问,或延时访问可以一定程度的减轻DDos攻击强度。
2.springboot程序实现
2.1 先编写一个过滤器
/**
* @author SongBin on 2021-11-08.
*/
package com.mtons.mblog.web.filter;
import com.mtons.mblog.base.utils.IPUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
/**
* 自定义过滤器,用来判断IP访问次数是否超限
* 如果前台用户访问网站的频率过快(达到超过50次/秒),则判定该ip恶意刷新操作,
* 限制该IP的访问,1小时后自己解除限制
*
* @author wukaikai
*
*/
@WebFilter(urlPatterns="/*")
public class IpFilter implements Filter{
protected final Logger logger = LoggerFactory.getLogger(this.getClass());
/**
* 默认限制时间-被限制多长时间(单位:ms)
*/
private static final long LIMITED_TIME_MILLIS = 60 * 60 * 1000; //限制1小时
/**
* 用户连续访问最高阀值,超过该值则认定为恶意操作的IP,进行限制
*/
private static final int LIMIT_NUMBER = 50;
/**
* 用户访问最小安全时间,在该时间内如果访问次数大于阀值,则记录为恶意IP,否则视为正常访问
*/
private static final int MIN_SAFE_TIME = 5000;//判定5s内访问超过50次,为恶意访问
private FilterConfig config;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.config = filterConfig; //设置属性filterConfig
}
/* (non-Javadoc)
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
@SuppressWarnings("unchecked")
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
ServletContext context = config.getServletContext();
// 获取限制IP存储器:存储被限制的IP信息
Map<String, Long> limitedIpMap = (Map<String, Long>) context.getAttribute("limitedIpMap");
// 过滤受限的IP
filterLimitedIpMap(limitedIpMap);
// 获取用户IP
String ip = IPUtils.getRemoteIpAddr(request);
logger.debug("ip:"+ip);
// 判断是否是被限制的IP,如果是则跳到异常页面
if (isLimitedIP(limitedIpMap, ip)) {
long limitedTime = limitedIpMap.get(ip) - System.currentTimeMillis();
// 剩余限制时间(用为从毫秒到秒转化的一定会存在些许误差,但基本可以忽略不计)
request.setAttribute("remainingTime", ((limitedTime / 1000) + (limitedTime % 1000 > 0 ? 1 : 0)));
//request.getRequestDispatcher("/error/overLimitIP").forward(request, response);
logger.error("ip访问过于频繁1:"+ip);
response.setContentType("text/html;charset=UTF-8");
request.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8"); //设置输出内容编码格式
PrintWriter out = response.getWriter();
out.println("<b>由于您访问过于频繁,被系统自动认定为机器人。1个小时自动解除</b>");
return;
}
// 获取IP存储器
Map<String, Long[]> ipMap = (Map<String, Long[]>) context.getAttribute("ipMap");
// 判断存储器中是否存在当前IP,如果没有则为初次访问,初始化该ip
// 如果存在当前ip,则验证当前ip的访问次数
// 如果大于限制阀值,判断达到阀值的时间,如果不大于[用户访问最小安全时间]则视为恶意访问,跳转到异常页面
if (ipMap.containsKey(ip)) {
Long[] ipInfo = ipMap.get(ip);
ipInfo[0] = ipInfo[0] + 1;
logger.debug("当前第[" + (ipInfo[0]) + "]次访问");
if (ipInfo[0] > LIMIT_NUMBER) {
Long ipAccessTime = ipInfo[1];
Long currentTimeMillis = System.currentTimeMillis();
if (currentTimeMillis - ipAccessTime <= MIN_SAFE_TIME) {
limitedIpMap.put(ip, currentTimeMillis + LIMITED_TIME_MILLIS);
request.setAttribute("remainingTime", LIMITED_TIME_MILLIS);
logger.error("ip访问过于频繁2:"+ip);
request.getRequestDispatcher("/error/overLimitIP").forward(request, response);
return;
} else {
initIpVisitsNumber(ipMap, ip);
}
}
} else {
initIpVisitsNumber(ipMap, ip);
logger.debug("您首次访问该网站");
}
context.setAttribute("ipMap", ipMap);
chain.doFilter(request, response);
}
@Override
public void destroy() {
// TODO Auto-generated method stub
}
/**
* @Description 过滤受限的IP,剔除已经到期的限制IP
* @param limitedIpMap
*/
private void filterLimitedIpMap(Map<String, Long> limitedIpMap) {
if (limitedIpMap == null) {
return;
}
Set<String> keys = limitedIpMap.keySet();
Iterator<String> keyIt = keys.iterator();
long currentTimeMillis = System.currentTimeMillis();
while (keyIt.hasNext()) {
long expireTimeMillis = limitedIpMap.get(keyIt.next());
if (expireTimeMillis <= currentTimeMillis) {
keyIt.remove();
}
}
}
/**
* @Description 是否是被限制的IP
* @param limitedIpMap
* @param ip
* @return true : 被限制 | false : 正常
*/
private boolean isLimitedIP(Map<String, Long> limitedIpMap, String ip) {
if (limitedIpMap == null || ip == null) {
// 没有被限制
return false;
}
Set<String> keys = limitedIpMap.keySet();
Iterator<String> keyIt = keys.iterator();
while (keyIt.hasNext()) {
String key = keyIt.next();
if (key.equals(ip)) {
// 被限制的IP
return true;
}
}
return false;
}
/**
* 初始化用户访问次数和访问时间
*
* @param ipMap
* @param ip
*/
private void initIpVisitsNumber(Map<String, Long[]> ipMap, String ip) {
Long[] ipInfo = new Long[2];
ipInfo[0] = 0L;// 访问次数
ipInfo[1] = System.currentTimeMillis();// 初次访问时间
ipMap.put(ip, ipInfo);
}
}不懂得看日志,基本能够看懂,看不懂就放弃吧!
2.2 IP获取工具类
package com.mtons.mblog.base.utils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.http.HttpServletRequest;
import java.net.InetAddress;
import java.net.UnknownHostException;
public class IPUtils {
public static String getRemoteHost() {
ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
if (servletRequestAttributes == null) {
return "127.0.0.1";
}
HttpServletRequest request = servletRequestAttributes.getRequest();
String ip = request.getHeader("x-forwarded-for");
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("x-real-ip");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("WL-Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_CLIENT_IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getRemoteAddr();
}
if ("0:0:0:0:0:0:0:1".equals(ip)) {
ip = "127.0.0.1";
}
return ip;
}
public static String getRemoteIpAddr(HttpServletRequest request) {
String ip = request.getHeader("x-forwarded-for");
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("WL-Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_CLIENT_IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getRemoteAddr();
if("127.0.0.1".equals(ip)||"0:0:0:0:0:0:0:1".equals(ip)){
//根据网卡取本机配置的IP
InetAddress inet=null;
try {
inet = InetAddress.getLocalHost();
} catch (UnknownHostException e) {
e.printStackTrace();
}
ip= inet.getHostAddress();
}
}
return ip;
}
/**
* 判断IP是否在指定范围
*
* @param ipStart
* @param ipEnd
* @param ip
* @return
*/
public static boolean ipIsValid(String ipStart, String ipEnd, String ip) {
if (StringUtils.isEmpty(ipStart)) {
throw new NullPointerException("起始IP不能为空!");
}
if (StringUtils.isEmpty(ipEnd)) {
throw new NullPointerException("结束IP不能为空!");
}
if (StringUtils.isEmpty(ip)) {
throw new NullPointerException("IP不能为空!");
}
ipStart = ipStart.trim();
ipEnd = ipEnd.trim();
ip = ip.trim();
final String REGX_IP = "((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]\\d|\\d)";
final String REGX_IPB = REGX_IP + "\\-" + REGX_IP;
if (!ipStart.matches(REGX_IP) || !ip.matches(REGX_IP) || !ipEnd.matches(REGX_IP)) {
return false;
}
String[] sips = ipStart.split("\\.");
String[] sipe = ipEnd.split("\\.");
String[] sipt = ip.split("\\.");
long ips = 0L, ipe = 0L, ipt = 0L;
for (int i = 0; i < 4; ++i) {
ips = ips << 8 | Integer.parseInt(sips[i]);
ipe = ipe << 8 | Integer.parseInt(sipe[i]);
ipt = ipt << 8 | Integer.parseInt(sipt[i]);
}
if (ips > ipe) {
long t = ips;
ips = ipe;
ipe = t;
}
return ips <= ipt && ipt <= ipe;
}
}
2.3 创建一个监听器:需要初始化俩个容器:
/**
* @author SongBin on 2021-11-08.
*/
package com.mtons.mblog.web.listener;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@WebListener
public class MyApplicationListener implements ServletContextListener {
private Logger logger = LoggerFactory.getLogger(MyApplicationListener.class);
@Override
public void contextInitialized(ServletContextEvent sce) {
logger.info("liting: contextInitialized");
System.err.println("MyApplicationListener初始化成功");
ServletContext context = sce.getServletContext();
// IP存储器
Map<String, Long[]> ipMap = new HashMap<String, Long[]>();
context.setAttribute("ipMap", ipMap);
// 限制IP存储器:存储被限制的IP信息
Map<String, Long> limitedIpMap = new HashMap<String, Long>();
context.setAttribute("limitedIpMap", limitedIpMap);
logger.info("ipmap:"+ipMap.toString()+";limitedIpMap:"+limitedIpMap.toString()+"初始化成功。。。。。");
}
@Override
public void contextDestroyed(ServletContextEvent sce) {
// TODO Auto-generated method stub
}
}
注意:需要在springboot启动类里面添加以上监听器和过滤器的扫描包路径:
@ServletComponentScan(basePackages="com.mtons.mblog.web")
注意:本文归作者所有,未经作者允许,不得转载
