A .NET 4 library to defend websites and web APIs against brute force and Denial-of-service attacks.
.NET Core version also available.
* Protect login, registration, password reset pages against brute force and DOS attacks.
* Block users from performing any action too many times.
* Prevent too many hits from any IP or IP Range.
* Blacklist/Whitelist specific IP, IP range, username, URLs, transactions for a period.
An example scenario is a Bank Login page, where brute force password attempts on user accounts and DOS attack on Login page are a regular event.
Using this library, you can protect login page from brute force attacks, blocking too many usernames from certain IPs,
or too many hits from a range of IP trying to do DOS attack,
or even simple 3 invalid login attempts per username, per 15 mins.
This high performance, very lightweight library protects you from hitting the database too many times on pages and APIs that are prone to attacks, thus lowering web server and database CPU, increasing the scalability of the overall application.
var result = await Hacker.DefendAsync("/Account/LogOn", Request.UserHostAddress);
if (result == Hacker.Result.TooManyHitsFromOrigin)
await Hacker.BlacklistOriginAsync(Request.UserHostAddress, TimeSpan.FromMinutes(10));
else if (result == Hacker.Result.TooManyHitsOnKey)
await Hacker.BlacklistKeyAsync("/Account/LogOn", TimeSpan.FromMinutes(10));
Hacker.DefendAsync("/Account/PasswordReset", Request.UserHostAddress, TimeSpan.FromMinutes(5), 100);
Hacker.DefendAsync("Username" + username, Request.UserHostAddress);
Install-Package HackerSpray -Version 1.2.5
dotnet add package HackerSpray --version 1.2.5
<PackageReference Include="HackerSpray" Version="1.2.5"> <PrivateAssets>all</PrivateAssets> <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets> </PackageReference>
paket add HackerSpray --version 1.2.5
This package is not used by any popular GitHub repositories.