Older blog entries for mglazer (starting at number 389)

Here is some modifed session click tracking attack blocking.

session_start ( );

 session_name ( 'hack_block' );

 $time_interval	=	10;

 $strikes	=	3;

 $pageviews	=	10;


 if ( $_SESSION['banned'] == 1 ) die ( 'You are banned!' );


 if ( $_SESSION['pageviews'] ) {

 	$_SESSION['pageviews']++;

 } else {

 	$_SESSION['time']	=	time ( );

 	$_SESSION['pageviews']	=	1;

 }


 if ( $_SESSION['pageviews'] >= $pageviews && ( time ( ) - $_SESSION['time'] ) <= $time_interval ) {

 	if ( $_SESSION['strikes'] ) {

 		if ( $_SESSION['strikes'] >= $strikes ) {

 			$_SESSION['banned']	=	1;


 		} else {

 			$_SESSION['strikes']++;

 		}

 	} else {

 		$_SESSION['strikes']	=	1;

 	}

 	die ( 'Too many requests.' );

 }

 if ( ( time ( ) - $_SESSION['time'] ) > $time_interval ) {

 	unset ( $_SESSION['time'] , $_SESSION['pageviews'] );

 }

Haven't tried it yet but it should work.

Remember, this is sessions based which means single user based tracking which cannot track a concerted effort by multiple computers.

You always check the system's CPU use levels for flood requests.

I was thinking about what would be the perfect number of clicks per time interval that could be seens as an attacker.

Would 10 clicks in 10 seconds be overzealous?

Let's say, that if a user agent clicked ten times on your site within ten seconds should that be seen as hostile?

For now let's say yes, 10 clicks (pageviews not hits) within ten seconds is a hostile act, you store thier IP adde and block any future clicks would this be enough and would it interfere with regular freindlies?

An easy solution to halt but not block is to use timed banning of IPs.

so, if a agent has clicked 10 pageviews within 10 seconds he is halted by his IP for another 10 seconds. After the ten second freeze is up he gains access again but is marked as a first strike offender. If the abuse continue (three strikes and your out) eventually you outright ban the IP.

In summary, you use sessions to count pageviews per 10 seconds. If within a 10 second time interval 10 pageviews are clicked we halt that IP for another time interval period and mark him as a first time offender. When the halt time interval period is up the marked first offender is allowed in. By the third offense that IP is banned.

This is obviosuly a simple hack to prevent simple attacks, Sessions clearly do not take into accottn a concerted attack effort by more than one user agent. To track multiple users as a concert you have to use server side tracking that is not single user based such as sessions.

<hr />

I have finished by web admin shell UI templator. It uses 4 of my new templating tool classes.

1. The new simple template parser (only variable interpolation no dynamic macros)

2. Template layout control (uses table blocks and placeholder mappings) to accelerate template building.

3. Template sets (themes)

4. Template compiler class for the simple template parser class.

It's initial release will be for PHPortal-XPC lite 2.0.

The XPC package release will feature compiled templates, a basic administration UI of templates and the PHP class components referenced in the XPC templates.

I am also throwing in a PHP client side caching function which basically reloads the user's cache, if it exists, of the page requested if it has not changed from the user's cache.

The above all dramatically increases user load time at a phenomenal rate.

<hr />

My next project is one of two.

Either I will tackle the PHP code to binary and back to PHP using PGP style passphrases with public and private keys or my transactional emulation project.

The trans emul should be fun. It basically allows for saving changes, commiting changes, and rolling back changes on a object using simple logic and flat file temporary caches.

The basic idea of trans emul is to create two versions of an object and to cache each change along the way. Changes affect one version the user sees while rollbacks use the cached versions. Implementing file locking and version control beyond that is pretty easy as well.

WxPython Rules!

A easy way to prevent security hacks of web data submissions via POST || GET from flood requests or simple Ddos attacks is to use session based submission limits with time intervals.

if ( $_SESSION['count-atmps'] ) {

 	$_SESSION['count-atmps']++;

 } else {

 	$_SESSION['interval']	= time();

 	$_SESSION['count-atmps'] = 1;

 }

 if ($_SESSION['count-atmps'] >= 3 && ( time() - $_SESSION['interval'] ) < 100 ) {

 	die ( 'To many login attempts, come back later.' );

 } else {

 	if ( ( time() - $_SESSION['interval'] ) > 100 ) {

 		unset ( $_SESSION['count-atmps'] , $_SESSION['interval'] );

 	}


 }

The above allows for three attempts with a 100 second interval. So, after three attempts the user agent cannot attempt a submissions request again until the 100 second time interval mark has past then they are allowed three more attempts.

A good idea might be to increase the time interval by itself on each time interval unset. This would increase the time interval between allowed submissions attempts. The more the user attempts and is timed out the longer each timeout becomes. For instance, ($int_val+$int_val) = 200; or to grow exponentially you can multiply ($int_val*$int_val) = 10000;

You can of course increase the number of allowed attempts and the time interval. To be strict you can always at some point outright ban the IP from any future attempts.

After lots of testing and versions I am finally going to make an initial attempt at utilizing my Object Model Array (OMA) and a application controller I specifically wrote for generic web based administration UIs, in PHP of course!

The first use is a simple admin for my PHP replication of JSP call Xpc (eXtensible Page Creation).

This minimal web admin UI for Xpc will have a secure login, allow for the management of the URI object based templates (add, edt, delete...), and the management of the PHP class components (add, edt, delete...).

I'm sure you can imagine the OMA already:

XPC Management

Template Management

View All

View Selected

Edit Selected

Save Edit

As New

As Old

Component Management

View All

View Selected

Edit Selected

Save Edit

As New

As Old

The design will be one of these:

First Web Admin Shell UI

Second Web Admin Shell UI

The templating parser and other templating classes for the admin is new and it will not use the Xpc templating schema.

It will be using a much simpler template parser as well as its own template compiler, a template layout control class, a template sets (themes) class...

I also need to write a new compiler for the Document Objects in PHPortal. Document Objects use my same tag parser class as Xpc and the Method Object does but it uses different tools for interpretation. Since the Document is a Object contianer it can recursivley call other PHPortal URI objects, therefore its compiled state must keep that in mind as well as all of its other allowed tags, eegads!

As a matter of fact I will NOT be creating a Document Object compiler until all of its allowed functionality is slowly removed or simplified. As of now you can use Documents as templates, object containers and more, this is not good and most of this should be removed. It should not be allowed to contain template tags (meaning curly braces vars and dynamic macro blocks). Only a template object should. A Documetn Object should only allow and only interpret <XPC:VAR name="attr"/> and <XPC:ObjectName arg1name="arg1val" />. So, this last bit will be on the back burner for now.

Sidenote:

PHPortal now allow spaces in arguments and Object names to be called by Xpc reference tags inline by using the space urlencoding of 20%. Suits it well since PHPortal Objects are URIs. Except, calling them inline allows for greater flex.

Heres a noticable trend or action flow:

Create text Template, parse template, compile template, convert compiled template into binary, convert and execute binary. Thats alotta work but all are important stages.

Client Python UIs here I come!

Cool!

http://dev.4arrow.com.crazy.sytes.net/

- by http://crazy.sytes.net/