主要目的
保护系统资源、保障用户体验和确保业务安全
存在的场景
- 爬虫
大量抓取数据,耗尽服务器资源
- 暴力破解
针对登录接口高频尝试密码
- CC攻击
应用层DDoS,耗尽业务资源
- 业务滥用
如秒杀场景下的机器抢单
应对的策略
请求合法性校验
服务端处理请求之前,验证该请求是否来自可信的客户端、是否完整未被篡改、是否在有效期内的一系列措施。 它是接口防刷的第一道防线,用于拦截伪造、重放、篡改的恶意请求
- API签名校验
// 客户端生成签名(伪代码)
String secret = "your-secret";
String data = "param1=value1¶m2=value2";
long timestamp = System.currentTimeMillis();
String nonce = UUID.randomUUID().toString();
String sign = HmacSHA256(data + timestamp + nonce, secret);
// 服务端校验拦截器
public boolean preHandle(HttpServletRequest request) {
String sign = request.getHeader("X-Sign");
long timestamp = Long.parseLong(request.getHeader("X-Timestamp"));
String nonce = request.getHeader("X-Nonce");
String body = getRequestBody(request);
// 1. 时间戳检查
if (Math.abs(System.currentTimeMillis() - timestamp) > 5 * 60 * 1000) {
return false; // 请求过期
}
// 2. Nonce检查(Redis)
String nonceKey = "nonce:" + nonce;
if (redisTemplate.hasKey(nonceKey)) {
return false; // 重复请求
}
redisTemplate.opsForValue().set(nonceKey, "1", 5, TimeUnit.MINUTES);
// 3. 重新计算签名
String serverSign = HmacSHA256(body + timestamp + nonce, getSecretByAppKey(appKey));
if (!serverSign.equals(sign)) {
return false; // 签名错误
}
return true;
}
- 身份认证(JWT校验示例)
@GetMapping("/user/info")
public Result getUserInfo(@RequestHeader("Authorization") String token) {
try {
// 解析JWT,验证签名和过期时间
Claims claims = Jwts.parser()
.setSigningKey(secretKey)
.parseClaimsJws(token.replace("Bearer ", ""))
.getBody();
String userId = claims.getSubject();
// 业务处理
} catch (Exception e) {
return Result.error(401, "无效token");
}
}
限流
- 基于redis demo
@Component
public class RateLimitInterceptor implements HandlerInterceptor {
@Autowired
private StringRedisTemplate redisTemplate;
// 加载Lua脚本
private DefaultRedisScript<Long> redisScript;
@PostConstruct
public void init() {
redisScript = new DefaultRedisScript<>();
redisScript.setScriptSource(new ResourceScriptSource(new ClassPathResource("ratelimit.lua")));
redisScript.setResultType(Long.class);
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String ip = getClientIp(request);
String key = "rate:ip:" + ip;
long max = 10; // 10次
long period = 60; // 60秒
Long result = redisTemplate.execute(redisScript, Arrays.asList(key), String.valueOf(max), String.valueOf(period));
if (result == null || result == 0) {
response.setStatus(429);
response.getWriter().write("Too Many Requests");
return false;
}
return true;
}
private String getClientIp(HttpServletRequest request) {
// 从x-forwarded-for等头获取真实IP
String ip = request.getHeader("X-Forwarded-For");
if (ip == null || ip.isEmpty()) ip = request.getRemoteAddr();
return ip;
}
}
验证码机制
验证码(CAPTCHA)是“区分计算机和人类的公开全自动图灵测试”的缩写
防止恶意程序自动提交表单(如注册、登录、评论)
阻止暴力破解密码、刷票、爬虫等自动化攻击
在触发限流策略后,作为二次验证手段,确认操作由真实用户发起
配置Kaptcha(生成图形验证码)
@Configuration
public class KaptchaConfig {
@Bean
public Producer kaptchaProducer() {
Properties properties = new Properties();
properties.setProperty("kaptcha.image.width", "150");
properties.setProperty("kaptcha.image.height", "50");
properties.setProperty("kaptcha.textproducer.char.string", "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ");
properties.setProperty("kaptcha.textproducer.char.length", "4");
properties.setProperty("kaptcha.noise.impl", "com.google.code.kaptcha.impl.NoNoise");
properties.setProperty("kaptcha.obscurificator.impl", "com.google.code.kaptcha.impl.WaterRipple");
properties.setProperty("kaptcha.background.clear.from", "255,255,255");
properties.setProperty("kaptcha.background.clear.to", "255,255,255");
DefaultKaptcha kaptcha = new DefaultKaptcha();
kaptcha.setConfig(new Config(properties));
return kaptcha;
}
}
- 生成验证码接口(Controller)
@RestController
public class CaptchaController {
@Autowired
private Producer captchaProducer;
@Autowired
private RedisTemplate<String, String> redisTemplate;
@GetMapping("/captcha")
public void getCaptcha(HttpServletRequest request, HttpServletResponse response) throws IOException {
// 生成验证码文本
String captchaText = captchaProducer.createText();
// 生成验证码图片
BufferedImage image = captchaProducer.createImage(captchaText);
// 存储到Redis(使用唯一标识,如UUID或手机号)
String captchaKey = UUID.randomUUID().toString();
redisTemplate.opsForValue().set("captcha:" + captchaKey, captchaText, 5, TimeUnit.MINUTES);
// 将key返回给前端(可通过响应头或JSON)
response.setHeader("Captcha-Key", captchaKey);
// 输出图片
response.setContentType("image/jpeg");
ServletOutputStream out = response.getOutputStream();
ImageIO.write(image, "jpg", out);
out.close();
}
}
黑/白名单
在接口防刷体系中,黑/白名单是一种基于来源(IP、用户ID、设备指纹等)的快速过滤机制
- 名单格式
IP黑/白名单:支持单个IP、IP段(CIDR,如192.168.1.0/24)、通配符(如192.168..)
用户ID黑/白名单:针对已登录用户的UID进行控制
设备指纹:针对移动端设备ID(如IMEI、IDFA)进行封禁
@Component
public class BlackWhiteListInterceptor implements HandlerInterceptor {
@Autowired
private RedisTemplate<String, String> redisTemplate;
// IP工具:判断IP是否在某个CIDR网段内
private boolean ipMatchesCidr(String ip, String cidr) {
try {
SubnetUtils subnet = new SubnetUtils(cidr);
return subnet.getInfo().isInRange(ip);
} catch (Exception e) {
return false; // 格式错误视为不匹配
}
}
// 检查是否在白名单中
private boolean isInWhitelist(String ip) {
Set<String> whitelist = redisTemplate.opsForSet().members("whitelist:ip");
if (whitelist == null || whitelist.isEmpty()) return false;
for (String pattern : whitelist) {
if (pattern.contains("/")) { // CIDR网段
if (ipMatchesCidr(ip, pattern)) return true;
} else if (pattern.contains("*")) { // 通配符简单处理(如192.168.*.*)
// 可将通配符转换为正则,此处简化
String regex = pattern.replace(".", "\\.").replace("*", "\\d+");
if (ip.matches(regex)) return true;
} else { // 精确IP
if (pattern.equals(ip)) return true;
}
}
return false;
}
// 检查是否在黑名单中
private boolean isInBlacklist(String ip) {
// 直接判断Set中是否存在该IP(精确匹配),但IP段需要遍历判断
Set<String> blacklist = redisTemplate.opsForSet().members("blacklist:ip");
if (blacklist == null || blacklist.isEmpty()) return false;
for (String pattern : blacklist) {
if (pattern.contains("/")) {
if (ipMatchesCidr(ip, pattern)) return true;
} else if (pattern.contains("*")) {
String regex = pattern.replace(".", "\\.").replace("*", "\\d+");
if (ip.matches(regex)) return true;
} else {
if (pattern.equals(ip)) return true;
}
}
return false;
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String ip = getClientIp(request);
// 1. 白名单检查:如果命中,直接放行
if (isInWhitelist(ip)) {
return true;
}
// 2. 黑名单检查:如果命中,拒绝请求
if (isInBlacklist(ip)) {
response.setStatus(403);
response.getWriter().write("Your IP is blocked due to abnormal behavior.");
return false;
}
// 3. 继续后续拦截器(如限流)
return true;
}
private String getClientIp(HttpServletRequest request) {
String ip = request.getHeader("X-Forwarded-For");
if (ip == null || ip.isEmpty()) ip = request.getRemoteAddr();
// 处理多级代理,取第一个非unknown的IP
if (ip != null && ip.contains(",")) {
ip = ip.split(",")[0].trim();
}
return ip;
}
}
总结
接口防刷是一个系统工程,需结合多种手段层层设防
- 基础防御:签名、限流、黑白名单
- 动态防御:验证码、行为分析
- 兜底防御:异步队列、熔断降级