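// 背景与价值 / Background and value
// HTTP/2 Rapid Reset abuses large numbers of RST_STREAM frames to burn server
// resources. Governing concurrent streams and the reset rate at the gateway
// blocks the abuse. Unified rules:
//   - concurrent-stream cap: per connection and per IP (e.g. <= 100);
//   - reset rate: block once the RST count per unit time exceeds a threshold
//     (e.g. <= 10 per second);
//   - window counting: windowed statistics plus a short-term ban of abusive
//     sources.
//
// 核心实现:窗口计数与并发治理 / Core implementation: window counting and
// concurrency governance

/**
 * Per-key hit counter over a time window.
 *
 * The window is *fixed*, not sliding: the first hit after the previous window
 * expired starts a fresh window anchored at that hit. Up to 2 x threshold hits
 * can therefore pass across one window boundary; a caller that needs a true
 * sliding window (as the prose above describes) must layer that on top.
 */
class WindowCounter {
  buckets = new Map<string, { ts: number; count: number }>()

  /** Clock source in milliseconds; overridable for deterministic tests. */
  now(): number {
    return Date.now()
  }

  /**
   * Record one hit for `key` and return the hit count in the current window.
   *
   * @param key - counter identity (e.g. `'rst:' + ip`).
   * @param windowMs - window length in milliseconds; a bucket older than this
   *   is restarted rather than extended.
   * @returns hits seen for `key` in the current window, including this one
   *   (always >= 1).
   */
  inc(key: string, windowMs = 1000): number {
    const t = this.now()
    const bucket = this.buckets.get(key)
    if (bucket === undefined || t - bucket.ts > windowMs) {
      this.buckets.set(key, { ts: t, count: 1 })
      return 1
    }
    bucket.count += 1
    return bucket.count
  }

  /**
   * Drop buckets whose window has already expired, so a long-running gateway
   * does not keep one entry per source forever.
   *
   * @param windowMs - the same window length that is passed to `inc`.
   * @returns number of buckets removed.
   */
  prune(windowMs = 1000): number {
    const t = this.now()
    let removed = 0
    for (const [key, bucket] of this.buckets) {
      if (t - bucket.ts > windowMs) {
        this.buckets.delete(key)
        removed += 1
      }
    }
    return removed
  }
}

/**
 * Concurrent-stream admission control, counted per connection and per IP.
 *
 * Counters are plain integers; nothing here knows which streams are open, so
 * the caller must pair every admitted `open` with exactly one release
 * (`close`) — a RST_STREAM ends a stream just as END_STREAM does — otherwise
 * the counters drift upward and eventually refuse legitimate streams.
 */
class StreamGate {
  byConn = new Map<string, number>()
  byIp = new Map<string, number>()
  maxPerConn = 100
  maxPerIp = 1000

  /**
   * Try to admit one more stream.
   *
   * @returns `true` (and both counters are bumped) when neither cap would be
   *   exceeded; `false` with counters untouched otherwise.
   */
  open(connId: string, ip: string): boolean {
    const connCount = (this.byConn.get(connId) ?? 0) + 1
    const ipCount = (this.byIp.get(ip) ?? 0) + 1
    if (connCount > this.maxPerConn || ipCount > this.maxPerIp) return false
    this.byConn.set(connId, connCount)
    this.byIp.set(ip, ipCount)
    return true
  }

  /**
   * Release one stream. Counters never go below zero, and a counter that
   * reaches zero is removed from the map so the maps do not grow by one entry
   * per connection ever seen (a missing key reads as zero in `open`).
   */
  close(connId: string, ip: string): void {
    StreamGate.release(this.byConn, connId)
    StreamGate.release(this.byIp, ip)
  }

  /** Decrement `counts[key]`, clamping at zero and evicting empty entries. */
  private static release(counts: Map<string, number>, key: string): void {
    const next = Math.max(0, (counts.get(key) ?? 1) - 1)
    if (next === 0) counts.delete(key)
    else counts.set(key, next)
  }
}

/** Per-IP RST_STREAM rate limit over a one-second window. */
class ResetGate {
  wc = new WindowCounter()
  maxRstPerSec = 10

  /**
   * Count one reset from `ip`.
   *
   * @returns `true` while the count in the current one-second window is within
   *   `maxRstPerSec`.
   */
  allow(ip: string): boolean {
    return this.wc.inc('rst:' + ip, 1000) <= this.maxRstPerSec
  }
}

// 阻断策略 / Blocking policy

type Event = { type: 'open' | 'rst' | 'close'; connId: string; ip: string }

/**
 * Combines stream admission, reset-rate limiting and a short-term source ban.
 */
class H2Guard {
  sg = new StreamGate()
  rg = new ResetGate()
  /** Currently banned sources. An entry without a `banUntil` expiry is permanent. */
  ban = new Set<string>()
  /** Expiry timestamp (ms) of bans created automatically by this guard. */
  banUntil = new Map<string, number>()
  /** Duration of an automatic ban; tune together with `rg.maxRstPerSec`. */
  banMs = 60_000

  /** Clock source in milliseconds; overridable for deterministic tests. */
  now(): number {
    return Date.now()
  }

  /**
   * Whether `ip` is banned right now. An automatic ban whose expiry has passed
   * is lifted here, so `ban` never needs external housekeeping.
   */
  isBanned(ip: string): boolean {
    if (!this.ban.has(ip)) return false
    const until = this.banUntil.get(ip)
    if (until !== undefined && this.now() >= until) {
      this.ban.delete(ip)
      this.banUntil.delete(ip)
      return false
    }
    return true
  }

  /**
   * Apply one event.
   *
   * - `open`: admit via `StreamGate`, unless the source is banned.
   * - `rst`: the stream is gone either way, so its slot is released first;
   *   the reset is then rate-checked and a source over the limit is banned for
   *   `banMs`.
   * - `close`: release the slot. The release happens even for a banned source,
   *   so its counters are not left inflated once the ban expires.
   *
   * @returns `false` when the event is refused (stream not admitted, reset
   *   over the limit, or source banned); unknown event types also yield
   *   `false` so the guard fails closed.
   */
  onEvent(ev: Event): boolean {
    switch (ev.type) {
      case 'open':
        if (this.isBanned(ev.ip)) return false
        return this.sg.open(ev.connId, ev.ip)
      case 'rst': {
        this.sg.close(ev.connId, ev.ip)
        if (this.isBanned(ev.ip)) return false
        const ok = this.rg.allow(ev.ip)
        if (!ok) {
          this.ban.add(ev.ip)
          this.banUntil.set(ev.ip, this.now() + this.banMs)
        }
        return ok
      }
      case 'close':
        this.sg.close(ev.connId, ev.ip)
        return !this.isBanned(ev.ip)
      default:
        // Unreachable for a well-typed Event; fail closed if a caller passes
        // an untyped value at runtime.
        return false
    }
  }
}

// 落地建议 / Deployment notes
// Count concurrent streams and the RST rate at the ingress proxy; block as soon
// as a threshold is exceeded and ban the source for a short time. Tune the caps
// and the window size dynamically to balance availability against safety, and
// keep an audit record.
//
// 验证清单 / Verification checklist
// - concurrent streams stay within the cap;
// - the RST rate stays within the window threshold;
// - the ban takes effect.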
