I am a kite, the public number “ancient kite”, a both depth and breadth of programmers encourage division, a plan to write poetry but write up the code of rural code farmers! Articles will be included in JavaNewBee, and more articles will be included in the collection.
The noon of the previous two days was as hot as usual, the sun was burning tirelessly in the sky, the heat ran away clouds and birds, and was about to ignite the air and my brain nerves. What cools me and my computer is a small fan on my humble desk, without which the keyboard would be too hot for me to write code.
At this moment, the mobile phone next to me buzzed twice. For those who never dare to turn on the ring, this vibrating sound is really too familiar. Needless to say, it should be an advertisement message, or someone added me as a friend on wechat. Because I basically never read text messages, wechat messages will not be prompted, only add friends, because a lot of friends see my article recently, so add my friends or a lot of, I am looking for free time to deal with. So, I continued to write my code and ignored it.
After two minutes or so, hum ~~ again shook two, do not panic, continue to write code. Then buzzing ~~ again two, and then another two, I thought, is it another tuba turned my article (in the mind slightly complacent), calm down, continue to write code.
By this time, it had lasted for 6 or 7 times. I was just about to take my phone to have a look, when something happened, I quickly opened the door and went out. After 20 minutes, I came back and found my phone was still shaking. I quickly picked it up and saw that the number of unread messages had increased (this is a screenshot from the time I wrote the article, the real number is a little more than this, so I clicked on it).
Why did I send so many messages? I remember exactly, it was only 820 (sorry to my ocD friends, this may make you look uncomfortable), but forgive me for not reading so many messages, I kept piling up 800. Why half an hour more than dozens of time, I opened a look, are some unknown company login verification code message, like the following.
[XX technology] You are SMS login, verification code 689287, please submit verification code within 15 minutes, do not disclose verification code to others.
One word came to mind: text bomber. Someone bombed me, did I offend someone, and my mind raced.
Is it the brother who asked me a question the other day and I didn’t answer it in time, and then scolded me, and I deleted it?
Was it the recent, unforgiving, complete stranger who came up and asked me to help him grab the data and I told him to get lost?
Or some bigwigs who repeatedly reported my articles as unoriginal?
Is it worth it? Not so much? Not so much. In the time it took me to think about it, the phone quieted down and stopped ringing, but it turns out I was probably overthinking it, maybe one of the text bombers was targeting the wrong target and caught it in time, or something.
A familiar scene
This scene brings back some memories for me, and at the same time, I deeply sympathize with XX Technology. A few years ago, my startup was taken advantage of by SMS bombers, and 20,000 yuan on the SMS platform went up in smoke in one night.
SMS bomber
SMS bomber is a batch, circular method to send mobile phone unlimited registration verification code SMS of various websites. It can receive more than 100 messages per minute, which can be used to test the speed of mobile phone SMS reception. It can be running on your computer or your phone.
For example, if someone wants to screw you over, they can spend a lot of money to buy the service of SMS bombing or phone bombing (the scientific name is “call you dead”), and your phone will instantly become a high-frequency vibrator or ringtone player, which can make your phone hot or turn it off without power at worst.
Now there are many SMS platforms, such as Tencent, Ali, Huawei what a lot of, and have anti-theft brush and other functions, at that time, DO not know the boss from which channel to find a SMS platform, the specific name has not remembered, after all, it has been several years. At that time, the platform seemed to charge 20,000 yuan and send 5,000 yuan, so the boss directly charged 20,000 yuan. According to the calculation of a few cents per text message, considering the size of the company’s business at that time, it might not be used up until the company went bankrupt.
At that time, after several months of hard work, the product was successfully launched, but there was no promotion. The final online test was being carried out, which was only tested by the company’s internal staff and some friends I knew. I stopped by to help test, and it was about to be widely promoted.
One night it was dark and windy, and my boss called me suddenly. He said that he had received an early warning notice about the cost of the SMS platform, which showed that the balance was not enough. He asked me to log in and see what the situation was. The moment I entered the page, I was stunned. I had already used more than 40,000 and had thousands left. At this point, we didn’t realize it was a security breach. The customer service explained that the account had been sending text messages, which were related to verification codes, and were still sending messages, asking whether the service should be stopped first.
What, still continue to send, that hurriedly stop first say again, so let the customer service operation to stop the service first.
At that time I was also the first to enter the Internet, and I do not know so dangerous, the team is grass-stage team, also did not expect this kind of problem. When I began to think and to calm down the search engine search related issues, I have found the message bombers this concept, using SMS bomber favorite with open platform of security holes text messaging interface, such as registration, login interface, and, indeed, our website without verification code sent by protective measures, cause the loopholes, thereby being taken advantage of, At the end of the day, the ability was not in place.
Up to now I also do not know how we have not promoted the small product was targeted, and then used. It is said that there may be a ghost message platform side, to sell customer information to the third party platform, or is self-produced, SMS quickly run out, you can quickly renew the fee.
It is also said that the SMS bombing platform will hack these normal SMS platforms, and then find the user, and then use.
There are also said that they are the whole network sweep this register, login and other similar URL, sweep on the collection, further processing, and found that they can be used.
But what kind? I don’t know, but if you’re not protected, you’re used.
Accident site and protective treatment
This is actually a security breach, but at a lower level. How low is it? Is you in the registration page after the input mobile phone number, click “send verification code” button, will only judge whether the mobile phone number is legal and whether has been registered, otherwise directly send verification code, this call ignorance fearless. This is just like opening the door to the guest state, no permissions, no call frequency limit, and no token to do the verification.
When the short message service stopped, I immediately went to see the background log, found that there are many different IP in the continuous requests, frantic is, although the short message service has stopped, but the requests are still pouring in. It seems that this is a complete set of automated processes, using IP pool dynamic proxy, simulated sending requests, our SMS interface is just a trivial free resource.
Stop the service
It was late, almost midnight, but the brain was stimulated and wide awake. The first thing I wanted to do was just let the service work. But the requests keep coming, so I first shut down the Nginx service, since you are so smart, you can not access the interface, will stop? After a 5-minute pause, as soon as I rebooted the log, it filled up again. It turned out to be not that it was not intelligent, but that I was stupid. It doesn’t care about you. It’s an emotionless request machine.
Changing the Interface Address
Ok, I admit it can, service I can not stop, you this machine without feelings I also can not control, that I changed the interface address first. So I put the registration, login interface address to change first, so that the total message service can be stripped first, first reduce the pressure on the server. But still afraid to turn on the SMS service, in case it finds our new interface.
It was already very late at this time, fortunately the product had not been promoted, no one used it, so I slept first and waited for the next day to deal with it.
Add graphic captcha
The next day early to go to the company, the first thing, is to see that no feelings of the machine is not let go of us, the results of a look at the log, the heart suddenly a little cold, I rest for a night, it did not rest.
Have colleague say, want to change IP?
Dear brother, the domain name is requested, but it can be changed to the secondary domain name. Before, api.xxxx.com was used as the back-end service domain, so some colleagues started to change the secondary domain name.
When I started to add other rules, the first thing that came to my mind was to add verification, adding a graphic verification before sending the verification code, and then I found the behavior verification provided by polar verification. This is often seen as the following approach, before sending a verification code to the user to complete the behavior verification, basically block the robot, and the integration is very simple.
But, sought advice charge, was persuaded to retreat at that time, it was annual fee 50 thousand at that time, do not know how many money now.
Graphic verification code is also good, the key is not to spend money ah, so find open source code, do graphic verification code. At that time, in order to be more secure, so that the machine is more difficult to identify, the combination of six letters and numbers, and the interference factor is very sufficient. The fact proves that it can not only put anti-machine, but also anti-human, and many colleagues said it was often difficult to identify it when they did the test. So we changed it to 4 bits and reduced the interference factor.
With this lesson, when I see 12306 step by step to upgrade the verification code difficulty, I can feel 12306 helpless and inner hesitation.
Limit access frequency
Adding a graphic captcha is the first step, not yet, in case it gets bypassed, after all, automatic identification captcha just raises the bar, and if someone really wants to fuck you, it won’t stop them.
Limit the frequency of verification code requests for a single mobile phone number to three times within five minutes, and limit the number of requests to nine times within an hour to 24 hours.
In addition to limiting the frequency of cell phone numbers, the same rules apply to limiting the frequency of requests from individual IP addresses.
Setting a Blacklist
However, the peer uses a dynamic IP address pool and may not receive consecutive requests within five minutes. Through log analysis, it is found that hundreds of IP addresses send requests during this period, and all IP addresses that receive more than 10 requests during this period are blacklisted.
If the number of single-IP requests exceeds eight within four hours, add the requests to the blacklist. Of course these rules are derived from looking at logs, and of course the ultimate science is patting the head.
After the request comes over, first check whether the IP is in the blacklist, if yes, directly reject.
The other way
In addition to the above measures, there are other ways of protection.
For example, when the user enters the front page (login or registration page) to generate or request a Token, and then verify the Token during the request, you can write some complicated algorithm logic in it. Of course, this only increases the threshold, and if the process is mastered, it will still be exploited.
The old interface remained, depending on how long it took, like 8 or 9 days before the request disappeared.
The last
Security is also an important aspect of Internet development, but it is often ignored by developers. Thinly think extremely fear, if it is in the product promotion when there is a problem, it is really great harm to the user.
Some startups have been shut down because of security breaches. Large factories are at risk, many strong wool party is to use loopholes to collect wool, such as some time ago a big mall due to coupon loopholes were collected tens of millions.
As long as there is a profit to be made, there is a risk of exploitation, and security issues need to be treated with caution.
Strong man wait, first give a praise bar, always white piao, the body can not bear!
I am kite, the official number “ancient kite”. A programmer with both depth and breadth of encouragement teacher, a intended to write poetry but write up the code of rural code farmers! You can follow me now, or you can follow history articles later.