-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To whom it may concern,
On 5/18/15 11:44 AM, javalishixml wrote: > I have a website. It is built by apache + tomcat. > > Now we make a lottery activity at this website. But we find that > some robots always raise the duplicated requests to hit this > lottery activity. It causes that robots almost get all the awards. > > So we just want to block these kind of duplicated requests at every > interval unit. For example, we set the interval unit is 3 seconds. > The if the robot want to hit the lottery activity in 3 seconds, the > website could block this action. > > So how to do it? I suppose if we do it at tomcat level, is it a > very low performance? Can I do it at apache level? how to do it? If > I could not do it apache level, can I do it by setting sth at > tomcat? If you have a way to identify a "duplicate" request (e.g. using a fingerprint of the request that you can check during that 3-second interval), then this is conceptually very easy. It may not be great for performance, but you'll have to weigh that against your own requirements. (For example, which is worse: poor performance, or a site where only robots ever win the lottery?) This will not be something you can configure in Apache httpd or Tomcat. This will have to be an application thing (unless you can describe the fingerprint technique to some httpd module such as mod_security or mod_qos and then allow it to discard duplicates). Back to the solution: 1. Take a fingerprint of the request 2. Lookup the fingerprint in a database of previous requests ( fingerprint -> latest timestamp ) 3. If the fingerprint appears in your database and the timestamp is less than 3 seconds ago, discard the request 4. Otherwise, store the current timestamp and fingerprint in the databas e For a database, I might recommend something like memcached or another in-memory-style database. An in-memory key-value store is really what you are looking for. Memcached has a nice feature where values can automatically time-out (e.g. they are invalid after 3 seconds), so you can make your application code a bit simpler because you'll never have a value in the database that is not valid. Hope that helps, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVWkTcAAoJEBzwKT+lPKRYnW0QAIeRbfJtsTKtUZHUig9sIRre y1mgJkPxBXjcRTfoZkZkTPhasYzINE1mb1mTPKfPbQveH+OmpawDREWJxg/6dFeg af734ZRpBOAs4MtlCyTXgBUWpWka5CcpeIRYeEwx5GKPFLJfTBbGpswV3HwLaoEC /NqMByVfwHnixBxSTGAM2GIOyrPf+Ii1Z0JpQyDEYcZUS3Dc3IFFeHPTvzQUb1SO NB84fwjDT6GG/YerrlRV3GHL3WYhAw1n+tQ9cCpSWDvz8/KLUyKXqVjX5s/FbuB+ S+krz2jzKqxG8bdeixW4s0i/9gyA/KcSSDgwmBnRwHsIUDvfF3pzk1Vq7rfGNpmQ L9V4brxL41H+ZMIDt2NjkVJb/UjgMnL5RpfQ1t+MdNvys/7UYav+vOv8jWqI3Mse AXNv46mQZAiMFzs/nsR7OIVLLxU70l+wbys4mK6u34uDip5gzxvVSaYKviqgKspx LT6MUHOpgmBhsiCUxjJ5odA4Q6mYhMfQxOB+6Ej8jRfKMT2uDTlwvU8gZ+/7TcUX JXngjQLQyjj+gAO+7jS7sWpaakV1ojy8/nFBVWH/3tWoo0YD89DJCRWxA8x8slfx oI9BGA0T7EwuX1CnqM90OLw7dymMQvwsTlkPAZnIvnWw3Xz29hIRazxQ7NR3AdCk vNXsseUzO18IJ4n+By1G =Q/ki -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org