我从Ajax调用了一些servlet来检查用户可用性和做一些其他工作,而且只有当用户登录时才能发送Ajax请求。
但问题是,用户使用javascript会在一秒钟内通过Ajax调用大量次数访问服务器,并导致服务器瘫痪。
有一种控制它的可能性:如果同一IP在第二次(或某段时间)内的命中次数超过了最大限制,那么可以使会话无效。
但我的一些同事不赞成限制用户。那么有没有其他方法可以让我的服务器免受Ajax炸弹的攻击?
You have a few options:
These can be either server-sided or client-sided, server-sided being the obvious choice for security.
But the problem is, user can hit server through ajax call mass number of times in a second using javascript injections. It can make server down.
Javascript injection is the least of your problems if you're concerned with your server staying alive. Raw HTTP DDoS attacks are a much bigger problem than a few ajax requests. The main thing Javascript injection should stick right in your mind is to do with security, not server uptime.
i had the same problem with some web app i have developed, the solution i came up with was to check the referer on the server-side, and only allow calls from the server (127.0.0.1).