Background

Last year there was a large recruitment demand for the team, and I took part in nearly 100 interviews. Today I want to talk about an open-ended design question that comes up often when interviewing candidates: the usual solution ideas, and the misunderstandings candidates have about the design.

Without further ado, let’s get right to the point.

The problem itself is simple: a mobile number binding and verification scenario. In outline:

In a mobile phone authentication flow, an SMS message is sent to the user's phone number. The user receives it, fills in the verification code it contains, and submits the code.

First question

Normal SMS sending logic is straightforward, but SMS is a paid and limited resource, so the send interface must be protected against abuse such as automated bulk sending. What control strategies would you apply?

The answers collected in interviews fall into a handful of categories, sorted as follows:

1. Send interval

Enforce a minimum interval between repeated sends to the same number: the front end greys out the resend button for the interval, and the back end keeps its own interval lock (the grey-out is only a convenience for the user; the back-end lock is the actual control, because a script never sees the button). The interval is usually 60-120 seconds. This gives some protection against abuse of the SMS interface at no cost to user experience, but an attacker simply rotates phone numbers, so the protection level is low.

2. Limit on the number of sends

An upper limit on how many SMS verification codes one mobile number can request within a given period.

Two things need attention when designing the product around this strategy:

1) The value of the upper limit. Set it from the actual behaviour of the service, allowing for future growth, so that legitimate users are not locked out and do not complain that verification codes never arrive.

2) The lock period. Typical values are 6, 12 or 24 hours.

3. IP restrictions

Cap the number of send requests accepted from one IP address within a period of time.

This handles an attack from a single IP address well, but it has two obvious weaknesses:

1) Against an attacker who rotates IP addresses (for example through proxies) it has almost no effect.

2) It often causes friendly fire. On a shared network such as a campus or office WiFi, many users sit behind one public IP address; the cap is reached quickly, and everyone on that network stops receiving verification codes.

4. Graphic verification code (CAPTCHA)

Require the user to pass a graphic verification code before the SMS verification code is sent.

This is relatively safe against certain kinds of attack, so it is a very common SMS defence mechanism. But it sits on the user's path, so it cannot be applied bluntly everywhere.

Two points deserve careful thought:

1) Must the user solve a graphic verification code before every SMS code? In general this hurts user experience badly; it is relatively safe, but users dislike it.

2) A safe range can be defined instead.

Combine the per-number and per-IP limits: for example, show the graphic verification code when the same mobile number requests a code for the third time, or when the same IP address has requested more than 100 codes in one day. Below those thresholds the user never sees it.
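Strategies 1 to 4 are normally layered rather than chosen one at a time. The following is an added example (not code from the original article) that puts them into one decision function: a back-end send interval, a per-number cap over a lock period, a per-IP cap, and CAPTCHA escalation at the thresholds quoted above (third request from a number, more than 100 sends from an IP in a day). In-memory dictionaries stand in for Redis, the hard caps PHONE_CAP and IP_CAP and the 24-hour periods are assumed values, and the phone number and IP address in the usage section are constructed.

```python
from collections import defaultdict
from enum import Enum

# Thresholds. The 60 s interval, the "third request" and the "more than 100
# per IP per day" CAPTCHA triggers come from the article; PHONE_CAP, IP_CAP
# and the 24 h periods are assumed values for this demo.
COOLDOWN = 60                  # 1. minimum seconds between sends to one number
PHONE_CAP = 10                 # 2. sends per number per LOCK_PERIOD (assumed)
LOCK_PERIOD = 24 * 3600        # 2. lock period, 24 h (one of the article's options)
IP_CAP = 500                   # 3. sends per IP per DAY (assumed)
DAY = 24 * 3600
CAPTCHA_PHONE_AFTER = 2        # 4. CAPTCHA from the 3rd request of a number
CAPTCHA_IP_AFTER = 100         # 4. CAPTCHA once an IP has sent more than 100 in a day


class Decision(Enum):
    ALLOW = "send"
    COOLDOWN = "resend interval not elapsed"
    PHONE_LOCKED = "number reached its cap for the lock period"
    IP_LOCKED = "IP reached its daily cap"
    CAPTCHA = "graphic verification code required first"


class SmsGate:
    """Decides whether an SMS send request may proceed.

    In-memory dictionaries stand in for Redis; a real deployment keeps the
    same counters there so that every application instance shares them.
    """

    def __init__(self):
        self.last_sent = {}                    # phone -> last send time
        self.phone_sends = defaultdict(list)   # phone -> send times
        self.ip_sends = defaultdict(list)      # ip -> send times

    @staticmethod
    def _recent(times, now, period):
        """Keep only the timestamps that fall inside the rolling period."""
        return [t for t in times if now - t < period]

    def request(self, phone, ip, now, captcha_passed=False):
        phone_hist = self._recent(self.phone_sends[phone], now, LOCK_PERIOD)
        ip_hist = self._recent(self.ip_sends[ip], now, DAY)
        self.phone_sends[phone], self.ip_sends[ip] = phone_hist, ip_hist

        # 1. send interval (the back-end lock; the greyed-out button is UI only)
        last = self.last_sent.get(phone)
        if last is not None and now - last < COOLDOWN:
            return Decision.COOLDOWN
        # 2. per-number cap within the lock period
        if len(phone_hist) >= PHONE_CAP:
            return Decision.PHONE_LOCKED
        # 3. per-IP cap (a shared NAT address hits this for all of its users)
        if len(ip_hist) >= IP_CAP:
            return Decision.IP_LOCKED
        # 4. CAPTCHA escalation only once a number or an IP looks suspicious
        suspicious = (len(phone_hist) >= CAPTCHA_PHONE_AFTER
                      or len(ip_hist) >= CAPTCHA_IP_AFTER)
        if suspicious and not captcha_passed:
            return Decision.CAPTCHA

        # Passed every check: record the send and let it through
        self.last_sent[phone] = now
        phone_hist.append(now)
        ip_hist.append(now)
        return Decision.ALLOW


if __name__ == "__main__":
    gate = SmsGate()
    # constructed sample traffic: one number, one IP, timestamps in seconds
    for t in (0, 30, 60, 120):
        print(t, gate.request("13800000000", "203.0.113.7", t).value)
    print(120, gate.request("13800000000", "203.0.113.7", 120,
                            captcha_passed=True).value)
```

The order of the checks matters: the cheap hard limits come first, and the CAPTCHA is demanded only for a request that would otherwise be sent, so the second request from a number never sees it while the third one does, exactly the "safe range" described above.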

5. Encryption and signature control

The client encrypts (or signs) the request parameters before sending them to the server, which decrypts and checks them; in addition the request carries a token that serves as a unique identifier, and the back end authenticates that token. The SMS is sent only after both checks pass. This blocks a class of attacks without touching user experience, so it is also a fairly common anti-abuse mechanism today.

It has obvious weaknesses too:

1) The encryption or signing algorithm runs inside the client, so it can be reverse-engineered; the scheme relies on an algorithm that is hard to identify, which is obfuscation rather than real secrecy.

2) While the algorithm is not recognised it stops replayed or hand-crafted packets, but it cannot stop a browser simulator (a headless browser) that drives the genuine client code and therefore produces valid requests.

Second question

Suppose the SMS send interface must enforce this policy: for one user's mobile number, at most 3 verification codes within 10 minutes; beyond that, the graphic verification code must be passed before another SMS is sent. How would you design and implement it?

After hearing the question, many candidates quickly give roughly this design:

Use Redis as a key-value store: the mobile number is the key, the value counts successful sends, and the key expires after 10 minutes.

Suppose three messages have already been sent in the current window. A request at 10:07 finds the counter at 3, is refused, and the graphic verification code is required.

This logic looks fine, but it implicitly slices time into fixed windows:

1) By the above logic, three messages can be sent at 10:01, 10:07 and 10:08 within the window 10:00 to 10:10.

2) Then in the next window, 10:10 to 10:20, messages at 10:11, 10:13 and 10:15 also go out successfully.

And here is the problem:

Between 10:07 and 10:15, less than ten minutes, 5 messages were actually sent!

That bypasses the rule that more than three sends require a graphic verification code, which is obviously wrong.

Many candidates get stuck in a rut as soon as they see "10 minutes" and "number of times".

So is there a better idea?

This article offers one solution:

Use a Redis list. Key: send_msg_<phone>; values: the timestamps of the requests, newest first.

Straight to the implementation (PHP with the phpredis extension):

    <?php
    /**
     * Sliding-window limit: at most 3 SMS sends per phone number in any 10 minutes.
     * Redis list, key = send_msg_<phone>, values = send timestamps, newest first.
     * Date: 2021/03/11
     */
    $redis = new Redis();
    $redis->connect('127.0.0.1', 6379);

    $phone  = 'xxx';                 // the phone number being verified
    $key    = 'send_msg_' . $phone;
    $limit  = 3;
    $window = 10 * 60;               // seconds
    $now    = time();

    // LPUSH puts the newest timestamp at index 0, so after LTRIM 0 2 the
    // oldest of the last three sends sits at index $limit - 1.
    if ($redis->lLen($key) >= $limit) {
        $oldest = (int) $redis->lIndex($key, $limit - 1);
        if ($now - $oldest < $window) {
            // Three sends already inside the last 10 minutes: demand the CAPTCHA here
            echo "Too many requests, please complete the graphic verification code first.";
            exit;
        }
    }

    // Record this send and keep only the last $limit timestamps
    $redis->lPush($key, $now);
    $redis->lTrim($key, 0, $limit - 1);
    // Expire idle keys so Redis does not fill up with stale lists
    $redis->expire($key, $window);

Two details matter here. LPUSH inserts at the head of the list, so after trimming to three entries the oldest of the last three sends is at index 2, not index 0; comparing against index 0 would compare against the most recent send and turn the rule into "one send per 10 minutes once three have gone out". And LLEN/LINDEX followed by LPUSH is two round trips, so concurrent requests for the same number can both pass the check; in production wrap the check and the push in a Lua script (EVAL) or a MULTI/EXEC transaction so that the decision is atomic.
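To make the difference between the two designs concrete, here is an added example (not code from the original article) that simulates both against the timeline above: the fixed-window counter with a 10-minute TTL that most candidates propose, and the sliding-window timestamp log of the list solution. A dict and a deque stand in for Redis so that it runs offline; the counter models the common SET ... EX behaviour in which the key is created on the first send and simply disappears when the TTL runs out, and the timeline and phone number are constructed.

```python
from collections import deque

LIMIT = 3            # sends allowed per phone number ...
WINDOW = 10 * 60     # ... within any 10-minute span (seconds)


class FixedWindowCounter:
    """The counter most candidates propose: INCR a per-number key with a
    10-minute TTL. The key is created on the first send and expires WINDOW
    seconds later, so time is sliced into windows anchored at that send."""

    def __init__(self):
        self._store = {}            # phone -> (count, expires_at)

    def try_send(self, phone, now):
        count, expires_at = self._store.get(phone, (0, None))
        if expires_at is not None and now >= expires_at:
            count, expires_at = 0, None       # TTL ran out: Redis dropped the key
        if count >= LIMIT:
            return False                      # over the limit: CAPTCHA required
        if expires_at is None:
            expires_at = now + WINDOW         # SET ... EX 600 on the first send
        self._store[phone] = (count + 1, expires_at)
        return True


class SlidingWindowLog:
    """The article's list design: keep the last LIMIT send timestamps, newest
    first, and refuse when the oldest of them is still inside the window."""

    def __init__(self):
        self._store = {}            # phone -> deque of timestamps, newest first

    def try_send(self, phone, now):
        log = self._store.setdefault(phone, deque(maxlen=LIMIT))
        # log[-1] is what LINDEX key LIMIT-1 returns after LTRIM key 0 LIMIT-1
        if len(log) >= LIMIT and now - log[-1] < WINDOW:
            return False
        log.appendleft(now)                   # LPUSH; maxlen performs the LTRIM
        return True


def replay(limiter, phone, minutes):
    """Feed requests at the given minutes past 10:00; return the minutes at
    which the limiter let the SMS go out."""
    return [m for m in minutes if limiter.try_send(phone, m * 60)]


def max_in_any_window(allowed, window_minutes=10):
    """Largest number of allowed sends that fall inside one 10-minute span."""
    return max((sum(1 for t in allowed[i:] if t - start < window_minutes)
                for i, start in enumerate(allowed)), default=0)


# Constructed timeline from the article: 10:01, 10:07, 10:08, 10:11, 10:13, 10:15
TIMELINE = [1, 7, 8, 11, 13, 15]

if __name__ == "__main__":
    for name, limiter in (("fixed window", FixedWindowCounter()),
                          ("sliding window", SlidingWindowLog())):
        allowed = replay(limiter, "13800000000", TIMELINE)
        print(f"{name:15s} allowed {allowed}, "
              f"most in any 10 min: {max_in_any_window(allowed)}")
```

Run as a script it shows the fixed window letting all six requests through (five of them between 10:07 and 10:15), while the sliding log accepts 10:01, 10:07, 10:08 and 10:11 and then refuses 10:13 and 10:15, so no 10-minute span ever contains more than three sends.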

Conclusion

As security problems grow more serious, web security control is an important topic for practitioners.

Through the questions above, we want to learn how candidates think about security prevention and control: what good solutions they know, and how they weigh the advantages and disadvantages of different solutions.

Once a good scheme exists, how is it designed and implemented? What must be added and watched for when it actually lands?

...

After a series of open-ended questions like these, you will have a good picture of a candidate's ability in this area.

On this kind of problem this article only throws out a brick to draw out jade; I am sure you have other ideas, and you are welcome to discuss them in the comments.

– END –

Author: The Path of Architecture Improvement, focusing on software architecture research, technical learning and personal growth. Follow and message me with "01" to receive a programmer growth gift package; getting in touch is welcome.

Thanks for reading!