CN113438310A - IP current limiting method, device, system, computer equipment and storage medium - Google Patents

Publication number
CN113438310A
Authority
CN
China
Prior art keywords
access
address
data set
newly added
database
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202110703070.3A
Other languages
Chinese (zh)
Inventor
卓根生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN202110703070.3A priority Critical patent/CN113438310A/en
Publication of CN113438310A publication Critical patent/CN113438310A/en
Withdrawn legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/20 Traffic policing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an IP current limiting (IP rate limiting) method, device, system, computer equipment and storage medium. The method comprises the following steps: when an access request for accessing the database is received, obtaining the access IP address from the access request and recording an access record of the access IP address to a newly added access data set, wherein the newly added access data set is synchronized to the database at a first preset frequency; determining whether the access IP address exists in an IP data set, wherein the IP data set comprises the IP address, the access times corresponding to the IP address and the expiration time, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency; and, if it exists, blocking the access request when the access times and the expiration time of the access IP address do not meet the preset conditions. In this way, the method suits a distributed service system with low access volume: IP current limiting is achieved without a third-party tool, and maintenance cost is reduced.

Description

IP current limiting method, device, system, computer equipment and storage medium
Technical Field
The present application relates to the field of network access technologies, and in particular, to an IP current limiting method, apparatus, system, computer device, and storage medium.
Background
With the increasing penetration of the mobile internet, more and more companies and enterprises are gradually starting to face the internet and migrating customer-facing services and businesses to the online. When these online services are developed, as the number of clients increases, the architecture of the service platform also changes and evolves. From the early single application architecture to the micro-service architecture, clustering and distribution become standard technology.
A distributed system open to the internet is easily subjected to malicious attacks such as batch attacks: an attacker writes a malicious script that accesses the website continuously and in large batches, occupying the database connection pool, so that normal users cannot access the website or can access it only abnormally slowly. Currently, the mainstream practice in the industry is to implement the IP current limiting function with a third-party tool, for example in combination with Redis. That approach is generally better suited to large-scale distributed systems with a large access volume. For small and medium-scale distributed systems with a low access volume, adding Redis makes the system architecture more complex, and every subsequent migration or expansion has to take Redis into account, which greatly increases the workload.
Disclosure of Invention
The application provides an IP current limiting method, an IP current limiting device, a distributed system, computer equipment and a storage medium, and aims to solve the technical problems that when the existing IP current limiting method is applied to a distributed system with low access, the system architecture is more complex and maintenance is not facilitated.
In order to solve the technical problem, the application adopts a technical scheme that: an IP current limiting method is provided, which is applied to each server of a distributed system, wherein the distributed system comprises a plurality of servers and a database. The method comprises the following steps: when an access request for accessing the database is received, obtaining the access IP address from the access request and recording an access record of the access IP address to a newly added access data set, wherein the newly added access data set is synchronized to the database at a first preset frequency; determining whether the access IP address exists in an IP data set, wherein the IP data set comprises the IP address, the access times corresponding to the IP address and the expiration time, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency; and, if it exists, blocking the access request when the access times and the expiration time of the access IP address do not meet the preset conditions.
As a further improvement of the present application, when the number of accesses to the IP address and the expiration time do not satisfy the preset conditions, blocking the access request includes: acquiring first current time, and acquiring access times and expiration time for accessing the IP address from the IP data set; judging whether the access times exceed the preset times and whether the first current time is in an expiration time range; and if the access times exceed the preset times and the first current time is within the expiration time range, the access request is blocked.
As a further improvement of the present application, recording an access record of the access IP address to the newly added access data set includes: determining whether the access IP address exists in the newly added access data set; if it does not exist, storing the access IP address in the newly added access data set and setting the newly added access times of the access IP address to 1; and if it exists, increasing the newly added access times of the access IP address by 1.
As a further improvement of the present application, the step of synchronizing the newly added access data set to the database includes: acquiring a second current time and acquiring a latest IP data set from a database; judging whether each IP address in the newly added access data set exists in the latest IP data set; if so, updating the access times and the expiration time of the corresponding IP address in the latest IP data set according to the newly increased access times and the second current time of the IP address in the newly increased access data set; if not, adding the IP address in the newly-added access data set and the newly-added access times corresponding to the IP address into the latest IP data set, and setting expiration time for the IP address in the latest IP data set according to second current time; and synchronizing the updated latest IP data set to the database for storage.
As a further improvement of the present application, updating the access times and expiration times of the corresponding IP addresses in the latest IP data set according to the newly added access times and the second current time of the IP addresses in the newly added access data set includes: acquiring the expiration time corresponding to the IP address in the latest IP data set; judging whether the second current time is within the expiration time range of the IP address; if so, accumulating the newly added access times of the IP addresses recorded in the newly added access data set to the access times of the corresponding IP addresses in the latest IP data set; if not, replacing the access times of the corresponding IP address in the latest IP data set by the newly increased access times of the IP address recorded in the newly increased access data set, and resetting the expiration time of the IP address in the latest IP data set according to the second current time.
As a further improvement of the present application, after the adding of the newly added access times of the IP addresses recorded in the newly added access data set to the access times of the corresponding IP addresses in the latest IP data set, the method further includes: and when the access times accumulated by the corresponding IP addresses in the latest IP data set exceed the preset times, setting a forbidden access time limit for the IP addresses.
In order to solve the above technical problem, another technical solution adopted by the present application is: provided is an IP current limiting apparatus including: the receiving module is used for acquiring an access IP address from the access request when the access request for accessing the database is received, recording an access record of the access IP address to a newly added access data set, and synchronizing the newly added access data set to the database at a first preset frequency; the judging module is used for judging whether an IP data set has an access IP address or not, the IP data set comprises the IP address, the access times corresponding to the IP address and the expiration time, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency; and the blocking module is used for blocking the access request when the access IP address exists in the IP data set and when the access times and the expiration time of the access IP address do not meet the preset conditions.
In order to solve the above technical problem, the present application adopts another technical solution that: the distributed system comprises a plurality of servers and a database, wherein the servers are used for acquiring access IP addresses from access requests when the access requests for accessing the database are received, recording access records of the access IP addresses to a newly added access data set, and synchronizing the newly added access data set to the database at a first preset frequency; judging whether an IP data set has an access IP address or not, wherein the IP data set comprises the IP address, the access times corresponding to the IP address and the expiration time, and the IP data set stored in each server is synchronously obtained from a database at a second preset frequency; if the IP address exists, the access request is prevented when the access times and the expiration time for accessing the IP address do not meet the preset conditions; and the database is used for storing the IP data set.
In order to solve the above technical problem, the present application adopts another technical solution that: there is provided a computer device comprising a processor, a memory coupled to the processor, the memory having stored therein program instructions which, when executed by the processor, cause the processor to perform the steps of any of the IP current limiting methods described above.
In order to solve the above technical problem, the present application adopts another technical solution that: there is provided a storage medium storing program instructions capable of implementing the IP throttling method as defined in any one of the above.
In order to solve the above technical problem, another technical solution adopted by the present application is: provided is an IP current limiting apparatus including: and IP current limiting.
In order to solve the above technical problem, the present application adopts another technical solution that: providing a computer device comprising a processor, a memory coupled to the processor, wherein the memory stores program instructions for implementing the IP throttling method; the processor is configured to execute the program instructions stored in the memory to limit IP flows.
In order to solve the above technical problem, the present application adopts another technical solution that: there is provided a storage medium storing program instructions capable of implementing the above IP throttling method.
The beneficial effect of this application is: the IP current limiting method of the invention is deployed on each server in a distributed system, when the server receives an access request for accessing a database, an access IP address is obtained and an access record of the access IP address is recorded to a newly added access data set, then the access IP address is matched with the IP address in a local IP data set, if the access IP address exists in the IP data set, whether the access IP address is allowed to access the database is determined according to the accumulated access times and the expiration time of the access IP address, wherein the newly added access data set can be regularly synchronized to the database, and the local IP data set is synchronously obtained from the database at a certain interval, so that the access records recorded in the server can be synchronized to the database in the distributed system, and the server can also synchronously obtain the access records of other servers from the database, and then the current limiting information of each server in the distributed system can be synchronized, and meanwhile, a current limiting function is realized without depending on a third-party tool, so that the whole distributed system is simplified in architecture, and the workload during later maintenance is reduced.
Drawings
FIG. 1 is a schematic structural diagram of a distributed system of an embodiment of the present invention;
FIG. 2 is a flow chart of an IP throttling method according to an embodiment of the present invention;
fig. 3 is a functional block diagram of an IP current limiting apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computer device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a storage medium according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first", "second" and "third" in this application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any indication of the number of technical features indicated. Thus, a feature defined as "first," "second," or "third" may explicitly or implicitly include at least one of the feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless explicitly specifically limited otherwise. All directional indications (such as up, down, left, right, front, and rear … …) in the embodiments of the present application are only used to explain the relative positional relationship between the components, the movement, and the like in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indication is changed accordingly. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Fig. 1 shows a schematic structural diagram of a distributed system according to an embodiment of the present invention. As shown in fig. 1, the distributed system 10 includes: a plurality of servers 11 and a database 12, wherein the plurality of servers 11 are respectively connected in communication with the database 12. Firstly, when receiving an access request for accessing the database 12, the server 11 acquires an access IP address from the access request, and records an access record of the access IP address to a newly added access data set, wherein the newly added access data set is synchronized to the database 12 at a first preset frequency; then, the server 11 judges whether an access IP address exists in the IP data set, the IP data set includes the IP address, the access times corresponding to the IP address, and the expiration time, and the IP data set stored in each server 11 is synchronously obtained from the database 12 at a second preset frequency; finally, the server 11 blocks the access request when the access IP address exists in the IP data set and when the number of accesses to the access IP address and the expiration time do not satisfy the preset conditions. The database 12 stores IP data sets that are updated at a first predetermined frequency from the newly added access data sets in the servers 11, and are synchronized to each server at a second predetermined frequency. The distributed system 10 realizes the IP current limiting function without depending on a third party tool, so that the architecture of the whole system is simplified, and the workload during later maintenance is reduced.
Fig. 2 is a flowchart illustrating an IP current limiting method according to an embodiment of the present invention. It should be noted that the method of the present invention is not limited to the flow sequence shown in fig. 1 if the results are substantially the same. The IP current limiting method is applied to each server of a distributed system including a plurality of servers and a database, as shown in fig. 1, and includes the steps of:
step S101: and when an access request for accessing the database is received, acquiring an access IP address from the access request, and recording an access record of the access IP address to a newly added access data set, wherein the newly added access data set is synchronized to the database at a first preset frequency.
In step S101, when a user initiates an access request to the distributed system, a service gateway distributes the access request to a server. The server receives and parses the access request and obtains the access IP address of the request source from a specific field in the header of the access request. It should be noted that each server is provided with a newly added access data set, which records the access requests processed by that server within a preset time period, the preset time period being the interval at which the newly added access data set is synchronized to the database. With the newly added access data set in place, the access records held by the server can be synchronized to the database at a first preset frequency, which is set in advance.
Further, in step S101, the step of recording an access record of the access IP address to the new access data set specifically includes:
1. Determine whether the access IP address exists in the newly added access data set.
2. If not, store the access IP address in the newly added access data set and set the newly added access times of the access IP address to 1.
3. If so, increase the newly added access times of the access IP address by 1.
Specifically, after the access IP address of the access request is obtained, if the access IP address already exists in the newly added access data set, its newly added access times in that data set are increased by 1. If the access IP address does not exist in the newly added access data set, the server is receiving an access request from that address for the first time within the current synchronization interval, so the access IP address is stored in the newly added access data set and its newly added access times are set to 1.
Further, after recording the access record of the access IP address into the new access data set, synchronizing the new access data set to the database at a first preset frequency, where the step of synchronizing the new access data set to the database specifically includes:
1. Obtain a second current time, and obtain the latest IP data set from the database.
Specifically, the newly added access data set is synchronized to the database at a first preset frequency, that is, every certain time interval, a second current time is obtained, and the latest IP data set is obtained from the database.
2. And judging whether each IP address in the newly added access data set exists in the latest IP data set.
Specifically, each IP address in the newly added access data set is compared one by one with the IP addresses in the latest IP data set, so as to determine whether it already exists in the latest IP data set.
3. And if so, updating the access times and the expiration time of the corresponding IP address in the latest IP data set according to the newly increased access times and the second current time of the IP address in the newly increased access data set.
Specifically, when an IP address in the newly added access data set already exists in the latest IP data set, the access times and expiration time of the corresponding IP address in the latest IP data set are updated according to the newly added access times of the IP address recorded in the newly added access data set and the second current time. This update specifically includes the following steps:
3.1. Acquire the expiration time corresponding to the IP address in the latest IP data set.
Specifically, after the IP address corresponding to the newly added access data set is confirmed in the latest IP data set, the expiration time of the IP address is acquired from the latest IP data set.
3.2. Determine whether the second current time is within the expiration time range of the IP address.
3.3. If so, add the newly added access times of the IP address recorded in the newly added access data set to the access times of the corresponding IP address in the latest IP data set.
Specifically, when the second current time is within the expiration time range of the IP address, the newly added access times of the IP address recorded in the newly added access data set and the access times of the corresponding IP address in the latest IP data set are accumulated to obtain new access times, and the new access times replace the access times of the latest IP data set, so that the latest IP data set is updated.
Further, after the newly added access times of the IP addresses recorded in the newly added access data set are added to the access times of the corresponding IP addresses in the latest IP data set, the method further includes: and when the access times accumulated by the corresponding IP addresses in the latest IP data set exceed the preset times, setting a forbidden access time limit for the IP addresses.
Specifically, the access times of the corresponding IP address in the latest IP data set are compared with the preset times both before and after the update. If the access times were less than the preset times before the update and are greater than or equal to the preset times after it, the accumulated access times of the IP address within the expiration time have exceeded the preset times. The expiration time corresponding to the IP address is therefore cancelled and an access prohibition period is set for the IP address. Within the access prohibition period the access times of the IP address no longer need to be checked, and access requests from the IP address are blocked directly.
Further, when the access prohibition period of the IP address has expired, the prohibition on the IP address is lifted, and when an access request from the IP address is received again, the expiration time is reset for the IP address and its accumulated access times are reset.
3.4. If not, replace the access times of the corresponding IP address in the latest IP data set with the newly added access times of the IP address recorded in the newly added access data set, and reset the expiration time of the IP address in the latest IP data set according to the second current time.
Specifically, when the second current time is not within the expiration time range of the IP address, the expiration time of the IP address has passed. The expiration time therefore needs to be reset for the IP address and the access times counted within the previous expiration time cleared: the newly added access times of the IP address recorded in the newly added access data set replace the access times of the corresponding IP address in the latest IP data set, and the access times of the IP address continue to accumulate within the current expiration time range.
4. If not, the IP address in the newly-added access data set and the newly-added access times corresponding to the IP address are added to the latest IP data set, and expiration time is set for the IP address in the latest IP data set according to the second current time.
Specifically, when the IP address in the newly added access data set does not exist in the latest IP data set, the IP address and the newly added access times corresponding to the IP address are directly added to the latest IP data set for storage, and an expiration time is set for the IP address according to the second current time.
It should be noted that, after the IP address is added to the latest IP data set, it still needs to be determined whether the access times of the IP address exceed the preset times.
5. And synchronizing the updated latest IP data set to the database for storage.
Specifically, after the final IP data set is updated, the updated latest IP data set is synchronized to the database and stored.
Step S102: and judging whether an access IP address exists in the IP data set, wherein the IP data set comprises the IP address, the access times corresponding to the IP address and the expiration time, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency. If yes, go to step S103.
In step S102, the IP data set is kept in the local storage of each server and is synchronized from the database at a second preset frequency, which is set in advance. The IP data set includes the IP address and the access times and expiration time corresponding to the IP address, and is expressed as follows: { IP: 192.168.1.125, num: 15, time: 2021/06/11/12:00 }, where IP refers to the IP address, num refers to the access times corresponding to the IP address, and time refers to the expiration time corresponding to the IP address. The expiration time is set, according to the preset time interval, when the IP address is synchronized to the database after its first access. Within the expiration time of the IP address the access times keep accumulating after the first access; once the current time has passed the expiration time, if an access request from the IP address is received again, the expiration time of the IP address is reset and the access times are reset. In this embodiment, after the access IP address is obtained, it is matched in turn against each IP address in the IP data set to determine whether it exists in the IP data set; if yes, step S103 is executed; if not, the access request is allowed directly.
Preferably, in this embodiment, because the distributed system includes a plurality of servers and a database, the second preset frequency is set higher than the first preset frequency so that the newly added access data sets of the servers can be synchronized with each other in time. Specifically, each server is provided with a timer, through which the newly added access data set is synchronized to the database at the first preset frequency or the IP data set is synchronously obtained from the database at the second preset frequency. The data synchronization of each server is therefore executed asynchronously and does not interfere with that of the others, and, given that there are a plurality of servers, setting the second preset frequency higher than the first lets the newly added access data reach every server promptly.
In other embodiments, the IP data set may be synchronized once to all servers each time the IP data set in the database is updated, thereby ensuring that the data can be synchronized in time.
Step S103: blocking the access request when the access times and the expiration time of the access IP address do not meet preset conditions.
In step S103, when the access IP address exists in the IP data set, the number of accesses and the expiration time of the access IP address are obtained from the IP data set, and it is then determined whether they satisfy the preset conditions. If they do not, the access IP address may be performing malicious access, so the access request is blocked and the IP current limiting function is implemented.
Further, the step S103 specifically includes:
1. Acquiring the first current time, and acquiring the access times and the expiration time of the access IP address from the IP data set.
Specifically, the first current time refers to the time when the access request is received.
2. Judging whether the access times exceed the preset times and whether the first current time is within the expiration time range.
The preset number of times is set in advance. For example, assuming that the first current time is 2021/06/11/12:00, if the expiration time of the access IP address is 2021/06/11/12:10, the first current time is within the expiration time range; if the expiration time of the access IP address is 2021/06/11/11:50, the first current time is already outside the expiration time range.
3. If the access times exceed the preset times and the first current time is within the expiration time range, blocking the access request.
Specifically, if and only if the number of accesses of the access IP address exceeds the preset number of times and the first current time is within the expiration time range, the access IP address has initiated too many access requests within a certain time period and may therefore be performing malicious access, so the current access request from the access IP address is blocked.
The IP current limiting method of the embodiment of the invention is deployed on each server in a distributed system. When a server receives an access request for accessing the database, it obtains the access IP address and records an access record of the access IP address to a newly added access data set, and then matches the access IP address against the IP addresses in its local IP data set. If the access IP address exists in the IP data set, whether the access IP address is allowed to access the database is determined according to its accumulated number of accesses and its expiration time. The newly added access data set is periodically synchronized to the database, and the local IP data set is synchronously obtained from the database at regular intervals. The access records recorded in one server are thereby synchronized to the database of the distributed system, and each server also obtains the access records of the other servers from the database, so that the current limiting information of all servers in the distributed system is kept synchronized. At the same time, the current limiting function is realized without depending on a third-party tool, which simplifies the architecture of the whole distributed system and reduces the workload of later maintenance.
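The following Python simulation is an added example, not code from the patent: two servers share one database, and the record, merge and block rules follow steps S101 to S103 and the synchronization steps described above. The class and function names, `WINDOW`, `MAX_HITS`, clearing the newly added set after each synchronization, and treating the boundary instant as inside the expiration range are assumptions; timers are replaced by explicit `push` and `pull` calls.

```python
WINDOW = 600    # assumed preset time interval, in seconds, used to set expiration
MAX_HITS = 5    # assumed "preset number of times"


class Database:
    """Stands in for the shared database that stores the IP data set."""

    def __init__(self):
        self.ip_set = {}  # ip -> {"num": accesses, "time": expiration}


class Server:
    def __init__(self, db):
        self.db = db
        self.new_access = {}  # newly added access data set: ip -> new accesses
        self.ip_set = {}      # local copy of the IP data set

    def handle(self, ip, now):
        """Steps S101 to S103. Returns True if the request is allowed."""
        # S101: every request is recorded, including ones that end up blocked.
        self.new_access[ip] = self.new_access.get(ip, 0) + 1
        entry = self.ip_set.get(ip)
        if entry is None:             # S102: unknown IP is allowed directly
            return True
        # S103: block only if over the limit AND still inside the window.
        # Assumption: the boundary instant itself counts as inside.
        return not (entry["num"] > MAX_HITS and now <= entry["time"])

    def push(self, now):
        """First-frequency timer: merge the newly added set into the database."""
        latest = self.db.ip_set       # read, merge and write back in one step
        for ip, hits in self.new_access.items():
            entry = latest.get(ip)
            if entry is None:         # first sighting: add and set expiration
                latest[ip] = {"num": hits, "time": now + WINDOW}
            elif now <= entry["time"]:
                entry["num"] += hits  # window still open: accumulate
            else:                     # window over: replace count, reset expiration
                entry["num"] = hits
                entry["time"] = now + WINDOW
        self.new_access = {}          # assumption: cleared once synchronized

    def pull(self):
        """Second-frequency timer: refresh the local IP data set."""
        self.ip_set = {ip: dict(e) for ip, e in self.db.ip_set.items()}


def simulate():
    """Constructed scenario: one client spreads requests over two servers."""
    db = Database()
    a, b = Server(db), Server(db)
    ip = "192.168.1.125"              # address from the page's sample record
    # Four requests per server before any synchronization has happened.
    before_sync = [s.handle(ip, 0) for s in (a, b) for _ in range(4)]
    for s in (a, b):
        s.push(0)
    for s in (a, b):
        s.pull()
    after_sync = [a.handle(ip, 1), b.handle(ip, 1)]
    after_expiry = a.handle(ip, WINDOW + 1)
    a.push(WINDOW + 1)                # window has elapsed: count is replaced
    return {
        "before_sync": before_sync,
        "after_sync": after_sync,
        "after_expiry": after_expiry,
        "db_entry": db.ip_set[ip],
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

All eight requests sent before the first synchronization are admitted although the limit is five, which is the enforcement lag to budget for when choosing the two frequencies. In a real deployment the read-merge-write in `push` also has to be atomic on the database side, otherwise servers that synchronize concurrently overwrite each other's counts.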
Fig. 3 is a schematic diagram of functional modules of an IP current limiting apparatus according to an embodiment of the present invention. As shown in fig. 3, the IP current limiting apparatus 30 includes a receiving module 31, a judging module 32, and a blocking module 33.
The receiving module 31 is configured to, when receiving an access request for accessing the database, obtain an access IP address from the access request, and record an access record of the access IP address to a newly added access data set, where the newly added access data set is synchronized to the database at a first preset frequency.
The judging module 32 is configured to judge whether the access IP address exists in the IP data set, where the IP data set includes the IP address and the access times and expiration time corresponding to the IP address, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency.
The blocking module 33 is configured to block the access request when the access IP address exists in the IP data set and the number of accesses and the expiration time of the access IP address do not satisfy preset conditions.
Optionally, the operation in which the blocking module 33 blocks the access request when the number of accesses and the expiration time of the access IP address do not satisfy the preset conditions may further be: acquiring the first current time, and acquiring the access times and the expiration time of the access IP address from the IP data set; judging whether the access times exceed the preset times and whether the first current time is within the expiration time range; and if the access times exceed the preset times and the first current time is within the expiration time range, blocking the access request.
Optionally, the operation in which the receiving module 31 records the access record of the access IP address to the newly added access data set may further be: judging whether the access IP address exists in the newly added access data set; if not, storing the access IP address in the newly added access data set and setting the number of newly added accesses of the access IP address to 1; and if so, increasing the number of newly added accesses of the access IP address by 1.
Optionally, the operation in which the receiving module 31 synchronizes the newly added access data set to the database specifically includes: acquiring a second current time and acquiring the latest IP data set from the database; judging whether each IP address in the newly added access data set exists in the latest IP data set; if so, updating the access times and the expiration time of the corresponding IP address in the latest IP data set according to the newly added access times of the IP address in the newly added access data set and the second current time; if not, adding the IP address in the newly added access data set and the newly added access times corresponding to the IP address into the latest IP data set, and setting an expiration time for the IP address in the latest IP data set according to the second current time; and synchronizing the updated latest IP data set to the database for storage.
Optionally, the operation in which the receiving module 31 updates the access times and the expiration time of the corresponding IP address in the latest IP data set according to the newly added access times of the IP address in the newly added access data set and the second current time may further be: acquiring the expiration time corresponding to the IP address in the latest IP data set; judging whether the second current time is within the expiration time range of the IP address; if so, accumulating the newly added access times of the IP address recorded in the newly added access data set to the access times of the corresponding IP address in the latest IP data set; if not, replacing the access times of the corresponding IP address in the latest IP data set with the newly added access times of the IP address recorded in the newly added access data set, and resetting the expiration time of the IP address in the latest IP data set according to the second current time.
Optionally, after the receiving module 31 accumulates the newly added access times of the IP address recorded in the newly added access data set to the access times of the corresponding IP address in the latest IP data set, the receiving module is further configured to: when the accumulated access times of the corresponding IP address in the latest IP data set exceed the preset times, set an access prohibition period for the IP address.
For other details of the technical solutions implemented by the modules in the IP current limiting apparatus in the foregoing embodiments, reference may be made to the description of the IP current limiting method in the foregoing embodiments, and details are not described here again.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a computer device according to an embodiment of the present invention. As shown in fig. 4, the computer device 40 includes a processor 41 and a memory 42 coupled to the processor 41, wherein the memory 42 stores program instructions, and the program instructions, when executed by the processor 41, cause the processor 41 to execute the steps of the IP throttling method according to the above embodiment.
The processor 41 may also be referred to as a CPU (Central Processing Unit). The processor 41 may be an integrated circuit chip having signal processing capabilities. The processor 41 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a storage medium according to an embodiment of the invention. The storage medium of the embodiment of the present invention stores a program instruction 51 capable of implementing the IP throttling method described in the above embodiment, where the program instruction 51 may be stored in the storage medium in the form of a software product, and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute all or part of the steps of the method described in each embodiment of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or various media capable of storing program codes, or a computer device such as a computer, a server, a mobile phone, or a tablet.
In the several embodiments provided in the present application, it should be understood that the disclosed computer apparatus, device and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit can be realized in the form of hardware, and can also be realized in the form of a software functional unit. The above embodiments are merely examples and are not intended to limit the scope of the present disclosure; all modifications, equivalent structures and equivalent process transformations made using the contents of the specification and drawings of the present disclosure, or applied directly or indirectly in other related technical fields, are intended to be included in the scope of the present disclosure.

Claims (10)

1. An IP current limiting method is applied to each server of a distributed system, wherein the distributed system comprises a plurality of servers and a database; the method comprises the following steps:
when an access request for accessing the database is received, an access IP address is obtained from the access request, and an access record of the access IP address is recorded to a newly added access data set, wherein the newly added access data set is synchronized to the database at a first preset frequency;
judging whether the access IP address exists in an IP data set or not, wherein the IP data set comprises the IP address, the access times and the expiration time corresponding to the IP address, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency;
and if so, blocking the access request when the access times and the expiration time of the access IP address do not meet preset conditions.
2. The IP throttling method according to claim 1, wherein the blocking the access request when the number of accesses and the expiration time of the access IP address do not satisfy preset conditions comprises:
acquiring first current time, and acquiring access times and expiration time of the access IP address from the IP data set;
judging whether the access times exceed preset times and whether the first current time is within the expiration time range;
and if the access times exceed the preset times and the first current time is within the expiration time range, the access request is blocked.
3. The IP throttling method of claim 1, wherein the recording the access record of the access IP address to a new access data set comprises:
judging whether the access IP address exists in the newly added access data set or not;
if the access IP address does not exist, storing the access IP address to the newly added access data set, and setting the newly added access times of the access IP address to 1;
and if so, increasing the newly added access times of the access IP address by 1.
4. The IP throttling method of claim 3, wherein the step of synchronizing the newly added access dataset to the database comprises:
acquiring a second current time and acquiring a latest IP data set from the database;
judging whether each IP address in the newly added access data set exists in the latest IP data set;
if so, updating the access times and the expiration time of the corresponding IP address in the latest IP data set according to the newly added access times of the IP address in the newly added access data set and the second current time;
if not, adding the IP address in the newly added access data set and the newly added access times corresponding to the IP address into the latest IP data set, and setting expiration time for the IP address in the latest IP data set according to the second current time;
and synchronizing the updated latest IP data set to the database for storage.
5. The IP throttling method of claim 4, wherein the updating the access times and expiration times of the corresponding IP addresses in the latest IP dataset according to the newly added access times of the IP addresses in the newly added access dataset and the second current time comprises:
acquiring the expiration time corresponding to the IP address in the latest IP data set;
judging whether the second current time is within the expiration time range of the IP address;
if so, accumulating the newly added access times of the IP address recorded in the newly added access data set to the access times of the corresponding IP address in the latest IP data set;
if not, replacing the access times of the corresponding IP address in the latest IP data set by the newly added access times of the IP address recorded in the newly added access data set, and resetting the expiration time of the IP address in the latest IP data set according to the second current time.
6. The IP throttling method according to claim 5, wherein after the adding the new access times of the IP addresses recorded in the new access data set to the access times of the corresponding IP addresses in the latest IP data set, the method further comprises:
and when the access times accumulated by the corresponding IP addresses in the latest IP data set exceed the preset times, setting an access prohibition period for the IP addresses.
7. An IP current limiting apparatus, comprising:
the receiving module is used for acquiring an access IP address from the access request when the access request for accessing the database is received, and recording an access record of the access IP address to a newly added access data set, wherein the newly added access data set is synchronized to the database at a first preset frequency;
the judging module is used for judging whether the access IP address exists in an IP data set or not, the IP data set comprises the IP address, the access times and the expiration time corresponding to the IP address, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency;
and the blocking module is used for blocking the access request when the access IP address exists in the IP data set and the access times and the expiration time of the access IP address do not meet preset conditions.
8. A distributed system comprising a plurality of servers and a database, wherein,
the server is used for acquiring an access IP address from the access request when receiving the access request for accessing the database, and recording an access record of the access IP address to a newly added access data set, wherein the newly added access data set is synchronized to the database at a first preset frequency; judging whether the access IP address exists in an IP data set or not, wherein the IP data set comprises the IP address, the access times and the expiration time corresponding to the IP address, and the IP data set stored in each server is synchronously obtained from the database at a second preset frequency; if so, blocking the access request when the access times and the expiration time of the access IP address do not meet preset conditions;
the database is used for storing the IP data set.
9. A computer device, characterized in that the computer device comprises a processor, a memory coupled to the processor, in which memory program instructions are stored which, when executed by the processor, cause the processor to carry out the steps of the IP current limiting method according to any of claims 1-6.
10. A storage medium storing program instructions capable of implementing the IP throttling method according to any one of claims 1 to 6.
CN202110703070.3A 2021-06-24 2021-06-24 IP current limiting method, device, system, computer equipment and storage medium Withdrawn CN113438310A (en)

Publications (1)

Publication Number Publication Date
CN113438310A (en) 2021-09-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210924
