HaveIBeenPwned?

Troy Hunt uses Cloudflare to protect his website and API and keep people safe online.

Troy Hunt is a Microsoft Regional Director and an independent Internet security researcher. He is well known for both his Internet security blog www.troyhunt.com, and his HaveIBeenPwned (HIBP) service, which aggregates data breaches and helps people establish if they've been impacted by malicious activity on the web. Hunt's goal is to help as many people as possible with his knowledge and service.

Troy Hunt's Challenge: Helping People Without Enabling the Bad Guys

With limited resources, helping as many people as possible can be difficult. Hunt's main challenge was managing traffic spikes to his website and API, which run on Microsoft Azure infrastructure. These spikes cause performance problems, increase bandwidth costs, and take the service down, which makes people lose confidence in it (and trust and integrity are essential to the service). When a data breach at a large organization receives wide attention (for example, the recent Ashley Madison and Dropbox breaches), Hunt's HIBP service experiences a surge in traffic. According to Hunt, these spikes consume a great deal of CPU, degrading performance until requests become slow. When traffic grows steadily, Azure's automatic load-handling feature, Autoscale, works efficiently, but when traffic explodes suddenly, performance suffers badly. These spikes mean more than lost performance: because Autoscale adjusts on demand to match the load, they also directly affect how much Hunt has to pay.

In addition, Hunt was concerned that certain actors were using the HIBP API maliciously. Hunt created the API to help people confirm whether they had been affected by a data breach. He explained: "Recently there have been various indicators that people are using the API in ways that don't match my original intent... I don't want to see this continue."

So Hunt began looking for a solution that would maintain web performance and reduce costs during traffic spikes, while also preventing anyone from abusing his API.

Troy Hunt's Solution: Rate Limiting Malicious Actors

Troy Hunt found a single solution for his multiple requirements in Cloudflare's Rate Limiting service. Rate Limiting helps Hunt manage traffic spikes by letting him set a limit on the number of requests that any individual IP address can make to his websites and API over a given period of time. Rate limiting prevents spikes in traffic from reducing performance because each unique client is limited to a certain number of requests. Hunt has set this limit so that normal users see no change in service, while people abusing his websites and API get throttled, ensuring that the API stays fast and reliable for legitimate traffic while abusers are blocked. Hunt applauded, "You have made the entire site more stable, faster for legitimate users, and more secure while reducing my costs."
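A simplified sketch of the per-IP, per-window mechanism described above, added here as an example; it is not Cloudflare's or HIBP's code, and the IP addresses, request path, limit and window size are constructed for illustration. It shows one scripted client being throttled once it exceeds the per-window limit while ordinary users are served normally.

```python
# Added example (not Cloudflare's or HIBP's code): a per-IP fixed-window rate
# limiter applied to a constructed stream of API requests.
from collections import defaultdict


class IpRateLimiter:
    """Allow at most `limit` requests per IP in each `window_seconds` window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._counts = defaultdict(int)  # (ip, window index) -> request count

    def allow(self, ip, timestamp):
        """Return True if the request is served, False if it is throttled."""
        key = (ip, int(timestamp // self.window))
        self._counts[key] += 1
        return self._counts[key] <= self.limit


def run(requests, limit=5, window_seconds=10):
    """Apply the limiter to (timestamp, ip, path) tuples; return per-IP counts."""
    limiter = IpRateLimiter(limit, window_seconds)
    stats = defaultdict(lambda: {"served": 0, "throttled": 0})
    for ts, ip, _path in requests:
        if limiter.allow(ip, ts):
            stats[ip]["served"] += 1
        else:
            stats[ip]["throttled"] += 1
    return dict(stats)


# Constructed sample traffic (hypothetical addresses and path): one client
# scripting the lookup API once per second for 40 seconds, and two normal
# users making a handful of lookups each.
SAMPLE_REQUESTS = (
    [(float(i), "198.51.100.7", "/api/lookup") for i in range(40)]
    + [(1.0, "203.0.113.10", "/api/lookup"),
       (3.0, "203.0.113.10", "/api/lookup"),
       (12.0, "203.0.113.10", "/api/lookup"),
       (5.0, "203.0.113.55", "/api/lookup")]
)

if __name__ == "__main__":
    for ip, s in sorted(run(SAMPLE_REQUESTS).items()):
        print(f"{ip:15} served={s['served']:3} throttled={s['throttled']:3}")
```

With a limit of 5 requests per 10-second window, the scripted client gets 20 of its 40 requests served and 20 throttled, while the two normal users are never throttled.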

Key Results

Rate Limiting prevents malicious actors from abusing HIBP's API

90% savings in infrastructure costs

99.5% of requests served directly from the Cloudflare cache

"Rate Limiting ensures that I can continue to provide the service in a reliable, cost-effective, and ethical way."

Troy Hunt