Dynamic blocking of suspicious electronic submissions

摘要

Attacks from automated scripts or processes, such as Web bots, can be dynamically blocked by monitoring dimensions of requests or submissions received by a system. Each host receiving requests can log information about the requests over a specified period of time. For each period of time, specified dimensions of the requests for that host can be analyzed to determine whether the number of requests having a common value for any of those dimensions meets or exceeds a specified threshold. If so, any requests having those specified dimension values can be automatically blocked for the next specified period of time. The requests can be automatically unblocked after that period of time if the requests do not again meet or exceed the threshold, but can be dynamically blocked for subsequent periods of time if the threshold is again met or exceeded.

主权项

1. A computer-implemented method, comprising:
determining, by a computer system, respective configuration information for a host of a plurality of hosts associated with an electronic marketplace, the host operable to receive requests and the respective configuration information indicating at least one dimension to be monitored, a monitoring period length, and at least one threshold corresponding to the at least one dimension; receiving, by the host, a plurality of requests over a first monitoring period corresponding to the monitoring period length, the plurality of requests indicating one or more items to be stored in a data repository associated with the electronic marketplace; for the plurality of requests, update query logs for the first monitoring period, individual query logs associated with individual hosts of the plurality of hosts and including dimension information associated with the plurality of requests; determining based on the query logs, by the computer system, one or more subsets of the plurality of requests that share a common value at least meeting a threshold for a dimension associated with the host, the threshold identified by the respective configuration information; and for individual subsets of the plurality of requests determined to share the common value at least meeting the threshold, blocking, by the computer system, requests having the common value from being processed on the host during a second monitoring period, wherein other subsets of the plurality of requests determined to share the common value at least meeting the threshold are processed by other hosts of the plurality of hosts during the second monitoring period.