Preface

Tmall's GMV topped the charts again at 540.3 billion yuan as of midnight on November 12, the close of this year's "Double 11".

A shopping scene like this is essentially what we call a seckill (flash sale). What characterises a seckill? The goods are scarce, heavily discounted and on sale for only a moment, so that value is bound to attract a special breed of clever people who snap it up:

For example, with the help of a physical "plug-in" like this one:

I'm sure it is faster than anyone who has been single for 20 years. (Don't ask me how I know; a friend told me. He said Chinese people don't cheat Chinese people.)

Or, for example, using a third-party plug-in to trigger the purchase button in the app at exactly the right instant.

Or capturing and analysing the purchase interface, then writing a program that replays the purchase flow directly against the API.

It's not just Singles' Day. Think of grabbing train tickets during the Spring Festival, Jay Chou concert tickets, or Moutai last year. I'm sure there are people who do nothing else for a living.

So what are the effects of this behavior?

First, it ruins the fairness of the buying environment and leaves ordinary buyers feeling cheated: I clearly placed my order by hand, and you came at me with a bot. That's not playing fair, is it?

Second, when these tools retry at high frequency, the entire backend suffers varying degrees of performance degradation, which is effectively an attack on the system.

Here is how programmers can "fight back", in two parts:

  • How to stop them from using illegitimate means to be faster than everyone else; for this we generally rely on risk control.
  • How to stop them from hammering the interfaces with requests; for this we have a range of anti-brush measures.

Risk control

As noted above, some people are simply quicker off the mark, but the traffic they send in cannot be declared illegitimate on its face. Unless a request skips a step in the flow, it can only be identified through multi-dimensional checks, which is what risk control does.

What is risk control? Put simply: for a given user, in each business scenario, check whether certain attributes in the user's profile cross a red line.

The basic elements of a user profile include the mobile phone number, device ID, identity document, IP address, delivery address and so on. Extended attributes may include credit history, purchase history, employment information, social-security records and the like.
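As an added illustration (not code from the article), here is what "multi-dimensional checks against a red line" looks like as a rule engine: each rule inspects one profile dimension from the paragraph above (phone, device, IP, address, account history) and contributes a weight, and the decision is taken on the total. The weights, thresholds, reference lists and sample profiles are all constructed assumptions, not data from any real risk-control platform.

```python
"""Rule-based risk-control check over a user profile.

Added example, not the article's own code. Each rule inspects one
dimension of the profile and contributes a weight; the decision is
taken on the total. Weights, thresholds, the reference lists and the
sample profiles are constructed for illustration (assumptions).
"""
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: str
    phone: str
    device_id: str
    ip: str
    address: str
    account_age_days: int
    orders_last_year: int


# Cross-user statistics a risk-control platform aggregates from many
# business lines: how many accounts share a device or a delivery address.
# Constructed sample data.
DEVICE_ACCOUNTS = {"dev-A": 1, "dev-B": 37}
ADDRESS_ACCOUNTS = {"No. 1 Main St": 2, "Locker 9": 52}
# IP prefixes treated as hosting/proxy ranges (assumed; documentation range).
DATACENTER_PREFIXES = ("203.0.113.",)
# Phone numbers imported from an external risk list (constructed).
EXTERNAL_RISK_PHONES = {"13800000000"}

# (description, weight, predicate over a Profile)
RULES = [
    ("phone on external risk list", 100, lambda p: p.phone in EXTERNAL_RISK_PHONES),
    ("device shared by more than 5 accounts", 40, lambda p: DEVICE_ACCOUNTS.get(p.device_id, 1) > 5),
    ("address shared by more than 10 accounts", 30, lambda p: ADDRESS_ACCOUNTS.get(p.address, 1) > 10),
    ("IP in hosting/proxy range", 30, lambda p: p.ip.startswith(DATACENTER_PREFIXES)),
    ("account younger than 7 days", 20, lambda p: p.account_age_days < 7),
    ("no purchase history", 10, lambda p: p.orders_last_year == 0),
]

DENY_AT = 60       # total at which the order is refused outright
CHALLENGE_AT = 30  # total at which a captcha / SMS challenge is required


def assess(profile):
    """Return (decision, score, reasons); decision is allow, challenge or deny."""
    score = 0
    reasons = []
    for description, weight, predicate in RULES:
        if predicate(profile):
            score += weight
            reasons.append(description)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= CHALLENGE_AT:
        return "challenge", score, reasons
    return "allow", score, reasons


# Constructed sample profiles: a regular shopper, a brand-new account on a
# clean device, and a farm account that trips several dimensions at once.
NORMAL = Profile("u1", "13900000001", "dev-A", "198.51.100.7", "No. 1 Main St", 900, 12)
NEWBIE = Profile("u3", "13900000003", "dev-A", "198.51.100.8", "No. 2 Main St", 3, 0)
FARM = Profile("u2", "13900000002", "dev-B", "203.0.113.9", "Locker 9", 2, 0)

if __name__ == "__main__":
    for p in (NORMAL, NEWBIE, FARM):
        print(p.user_id, assess(p))
```

The point of the weighted total rather than a single hard rule is that no one signal is damning on its own: a new account is not a bot, a shared device is not a bot, but a two-day-old account on a device shared by 37 accounts ordering to a locker address shared by 52 accounts is. The "challenge" tier is where you put a captcha or SMS verification instead of an outright refusal, so that a false positive costs a real buyer a few seconds rather than the sale.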

No single platform can collect all of this data on its own. That is why building risk control requires many platforms, a broad range of business lines and deep coverage: only then can we gather as much user data as possible.

Large companies such as Alibaba and Tencent cover a great many business lines and scenarios, and it is precisely the backing of that volume of data that makes their risk control work well.

For a small company, building a risk-control system of that kind is difficult and impractical. Then again, a small company may not care much about who orders fastest; its first concern is surviving the traffic, so let us look at that.

Anti-brush measures

Rate limiting

We can start with simple rate limiting, such as Nginx's request limiting: allow only one request per second from a given client. This effectively deals with high-frequency hammering of a single interface by black-market traffic. Note that it only slows a source down; it does not identify it or shut it out.
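To make the "one request per second" rule concrete, here is an added example (not from the article) that reimplements the leaky-bucket semantics of Nginx's limit_req module in Python, so you can see exactly what the directives `limit_req_zone $binary_remote_addr zone=seckill:10m rate=1r/s;` and `limit_req zone=seckill burst=5 nodelay;` decide for a given sequence of requests. The key, rates and timestamps are constructed for the example; the behaviour mirrors Nginx's: a rejected request does not change the bucket state, and requests inside the burst are served immediately with nodelay or held back so they drain at the configured rate without it.

```python
"""Leaky-bucket request limiter with the semantics of Nginx limit_req.

Added example, not the article's own code.
  rate    -> limit_req_zone ... rate=Nr/s
  burst   -> limit_req ... burst=B   (extra requests allowed to queue)
  nodelay -> limit_req ... nodelay   (serve queued requests at once)
Requests beyond the burst are rejected (Nginx answers 503 by default).
"""
from dataclasses import dataclass


@dataclass
class _Bucket:
    excess: float   # requests still "in the bucket" as of `last`
    last: float     # time of the last accepted request


class LeakyBucketLimiter:
    def __init__(self, rate, burst=0, nodelay=True):
        self.rate = float(rate)     # requests per second that drain from the bucket
        self.burst = burst
        self.nodelay = nodelay
        self._buckets = {}          # key (client IP, user id, ...) -> _Bucket

    def check(self, key, now):
        """Return ('pass', 0.0), ('delay', seconds) or ('reject', None)."""
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = _Bucket(0.0, now)
        # Drain at `rate` per second since the last accepted request.
        excess = max(0.0, bucket.excess - self.rate * (now - bucket.last))
        if excess > self.burst:
            return ("reject", None)            # state untouched, as in Nginx
        bucket.excess = excess + 1
        bucket.last = now
        queued = excess                        # requests already ahead of this one
        if queued <= 0 or self.nodelay:
            return ("pass", 0.0)
        return ("delay", queued / self.rate)


def simulate(limiter, key, timestamps):
    """Feed a constructed sequence of request times through the limiter; return the verdicts."""
    return [limiter.check(key, t)[0] for t in timestamps]


if __name__ == "__main__":
    # "only one request per second": rate=1r/s, no burst
    strict = LeakyBucketLimiter(rate=1, burst=0)
    print(simulate(strict, "198.51.100.7", [0.0, 0.5, 0.9, 1.0, 1.2]))
    # rate=1r/s burst=5 nodelay: six requests in the same instant pass, the seventh is dropped
    bursty = LeakyBucketLimiter(rate=1, burst=5, nodelay=True)
    print(simulate(bursty, "198.51.100.7", [0.0] * 7 + [3.0]))
```

One caveat a practitioner will want: keying on `$binary_remote_addr` limits per source IP, so a bot behind a pool of proxies gets one bucket per proxy, while a whole office behind NAT shares a single bucket. For logged-in seckill traffic, key on the session or user id instead, and keep the per-IP limit as a second, looser layer.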

There is a lot to say about rate limiting; I will cover it in detail in a separate article.

Token mechanism

You probably know tokens from authentication. In a business flow with a fixed sequence of interface calls, we require that the token issued by the previous interface be presented to the next one; a request without a valid token is treated as illegitimate. The same mechanism also stops a client from tampering with data between steps, because the token binds what was established at the previous step. If token generation and verification are done at the Nginx layer, the business services and their data need not change at all.
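Here is an added example (not the article's code) of such step-bound tokens at the application layer. Each interface in the purchase flow issues a token naming the step just completed, and the next interface only accepts a token for the step directly before it; the token is an HMAC-signed payload bound to the user and the item, with an expiry and a nonce so it cannot be replayed. The secret, the step names, the TTL and the sample identifiers are assumptions; in production the secret comes from a key store and the set of redeemed nonces lives in Redis with the same TTL as the token.

```python
"""Step-bound, single-use tokens for a fixed sequence of interface calls.

Added example, not the article's own code. Assumed flow:
item page ("detail") -> order confirmation ("confirm") -> order submission.
Each interface verifies the token from the step before it and issues a
token for the step it just completed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class StepTokens:
    def __init__(self, secret, ttl_seconds=30, clock=time.time):
        self.secret = secret            # assumption: loaded from a key store in production
        self.ttl = ttl_seconds
        self.clock = clock
        self.redeemed = set()           # nonces already presented (a Redis SET with TTL in production)

    def issue(self, user_id, sku, completed_step):
        """Token handed out by `completed_step`, to be presented at the next step."""
        payload = {
            "uid": user_id,
            "sku": sku,
            "step": completed_step,
            "exp": int(self.clock()) + self.ttl,
            "nonce": secrets.token_hex(8),
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        ).decode()
        tag = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

    def verify(self, token, user_id, sku, required_step):
        """Return (ok, reason). `required_step` is the step the caller must have completed."""
        try:
            body, tag = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad signature"                    # tampered body or forged token
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < self.clock():
            return False, "expired"
        if payload["uid"] != user_id or payload["sku"] != sku:
            return False, "token bound to another user or item"
        if payload["step"] != required_step:
            return False, "expected token from step " + repr(required_step)   # a step was skipped
        if payload["nonce"] in self.redeemed:
            return False, "replayed"
        self.redeemed.add(payload["nonce"])
        return True, "ok"


def submit_order(tokens, token, user_id, sku):
    """The final interface: accepts only a fresh token issued by the confirm step."""
    return tokens.verify(token, user_id, sku, "confirm")


if __name__ == "__main__":
    st = StepTokens(b"demo-secret-not-for-production")
    t_detail = st.issue("u1", "sku-9", "detail")
    print(submit_order(st, t_detail, "u1", "sku-9"))    # skipped the confirm step
    t_confirm = st.issue("u1", "sku-9", "confirm")
    print(submit_order(st, t_confirm, "u1", "sku-9"))   # accepted
    print(submit_order(st, t_confirm, "u1", "sku-9"))   # replay rejected
```

The signature is checked before the payload is decoded, so a forged or edited body never reaches the JSON parser. Binding the user id and SKU into the token is what gives the tamper-protection the paragraph mentions: a token minted on the page for one item cannot be presented for another, and a script that scripts the whole flow still has to walk every step in order, at the server's pace.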

The blacklist

Blacklists come in two kinds, local and cluster-wide. As the name implies, a blacklist is used to block illegitimate requests outright.

So where does the blacklist come from? In general there are two sources:

One is imported from outside, whether from the risk-control system or from other channels.

The other is generated by the system itself. Nginx can filter out traffic that exceeds a threshold, but it cannot shut a source out completely.

So we implement an "arrest" mechanism. Using a cache such as Redis, we count how many requests a given user or IP makes within one second; if the count reaches our threshold, we classify the source as black-market traffic and put it into the local cache blacklist.

The blacklist is shared across all interfaces. That way, once a user has been identified as a black-market user, every request of theirs to any interface is rejected outright, and brush traffic gets through at a rate of zero.
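The arrest mechanism from the two paragraphs above, as an added example that is not the article's own code. `Arrester` expects a redis-py style client and uses only its `incr`, `expire`, `setex` and `exists` calls, so in production you pass a `redis.Redis` instance; `FakeRedis` is a minimal in-memory stand-in constructed so the example runs offline. The threshold, ban length, key names and sample identifiers are assumptions. `ident` is the user id for logged-in requests or the client IP for anonymous ones, and every interface calls `admit` before doing any work, which is what makes the blacklist shared.

```python
"""'Arrest' mechanism: per-second request counting in Redis, with
offenders dropped into a blacklist honoured by every interface.

Added example, not the article's own code. Key names, threshold and
ban length are assumptions.
"""
import time


class FakeRedis:
    """In-memory stand-in for the four redis-py calls used below (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.store = {}  # key -> [value, expire_at or None]

    def _live(self, key):
        entry = self.store.get(key)
        if entry is None:
            return None
        if entry[1] is not None and entry[1] <= self.clock():
            del self.store[key]          # lazy expiry
            return None
        return entry

    def incr(self, key):
        entry = self._live(key)
        if entry is None:
            entry = self.store[key] = [0, None]
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        entry = self._live(key)
        if entry is not None:
            entry[1] = self.clock() + seconds

    def setex(self, key, seconds, value):
        self.store[key] = [value, self.clock() + seconds]

    def exists(self, key):
        return 1 if self._live(key) is not None else 0


class Arrester:
    def __init__(self, redis, threshold=20, ban_seconds=600, clock=time.time):
        self.r = redis
        self.threshold = threshold        # requests per second that mark a source as black-market traffic
        self.ban_seconds = ban_seconds
        self.clock = clock
        self.local_blacklist = {}         # ident -> expiry; process-local cache of the cluster blacklist

    def _ban_key(self, ident):
        return "blacklist:" + ident

    def ban(self, ident, source):
        """Blacklist `ident` cluster-wide; `source` records who asked (risk control, a counter, ...)."""
        self.r.setex(self._ban_key(ident), self.ban_seconds, source)
        self.local_blacklist[ident] = self.clock() + self.ban_seconds

    def is_blacklisted(self, ident):
        expiry = self.local_blacklist.get(ident)
        if expiry is not None and expiry > self.clock():
            return True                                   # local hit, no round trip
        if self.r.exists(self._ban_key(ident)):           # cluster blacklist, shared by all nodes
            self.local_blacklist[ident] = self.clock() + self.ban_seconds
            return True
        return False

    def admit(self, ident, interface):
        """Gate called by every interface. Returns True if the request may proceed."""
        if self.is_blacklisted(ident):
            return False
        counter = "req:%s:%d" % (ident, int(self.clock()))   # one counter per source per second
        n = self.r.incr(counter)
        if n == 1:
            self.r.expire(counter, 2)                         # only needs to outlive its second
        if n >= self.threshold:
            self.ban(ident, interface)                        # caught: shut out on every interface
            return False
        return True


if __name__ == "__main__":
    r = FakeRedis()
    node = Arrester(r, threshold=5, ban_seconds=60)
    print([node.admit("u1", "/seckill/order") for _ in range(6)])   # five pass, the sixth is arrested
    print(node.admit("u1", "/item/detail"))                          # blocked on another interface too
```

Two details matter in practice. The per-second counter is set to expire as soon as it is created, so a burst of one-off keys cannot fill Redis, and the ban itself carries a TTL so a false positive (or a shared campus IP) recovers on its own. The local cache avoids a Redis round trip on every request for known offenders, at the cost that a ban lifted early in Redis is still enforced on that node until the cached entry expires.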

Conclusion

This article introduced the black-market problem of seckill systems: people join the sale through external tools and third-party software, which are faster and fire requests more often, so the black-market users end up with a much higher success rate than the average buyer. This behaviour not only badly damages the fairness of the environment, it also puts an enormous extra burden on the system.

Against the problem of "being one step ahead" we briefly introduced risk control. Against brush traffic we introduced Nginx rate limiting, the token mechanism and the blacklist mechanism.

A complete seckill system is in fact very complex and has to take many problems into account; today's introduction is only the tip of the iceberg. I will keep writing practical pieces on the core problems of seckill and their concrete solutions.

Finally

If you found this article helpful, please like and comment, and feel free to follow my public account: Mu Chen chat programming.

I'm Muchen, and I'll see you next time.