19 Jan 2003 mglazer   » (Journeyer)

An easy way to make web form submissions (via POST or GET) harder to abuse with flood requests or simple DDoS attacks is to use session-based submission limits over a time interval.

<?php
session_start();   // required: $_SESSION is empty until the session is started

$max_attempts = 3;   // attempts allowed per interval
$interval     = 100; // interval length in seconds

// Once the interval has elapsed, clear the counter so a new interval can begin.
if ( isset( $_SESSION['interval'] ) && ( time() - $_SESSION['interval'] ) >= $interval ) {
    unset( $_SESSION['count-atmps'], $_SESSION['interval'] );
}

// Count this attempt; the first attempt of an interval also records its start time.
if ( isset( $_SESSION['count-atmps'] ) ) {
    $_SESSION['count-atmps']++;
} else {
    $_SESSION['interval']    = time();
    $_SESSION['count-atmps'] = 1;
}

// The counter already includes this attempt, so "> $max_attempts" lets exactly
// three attempts through and blocks the fourth (">= 3" would block the third).
if ( $_SESSION['count-atmps'] > $max_attempts ) {
    die( 'Too many login attempts, come back later.' );
}

The above allows three attempts per 100-second interval. After three attempts the user agent cannot submit again until the 100-second mark has passed, after which it is allowed three more attempts.

A good idea might be to increase the time interval each time it is reset. This lengthens the wait between allowed submission attempts: the more often the user hits the limit and is timed out, the longer each timeout becomes. For instance, ($int_val+$int_val) = 200; or, to grow exponentially, you can multiply ($int_val*$int_val) = 10000;

You can of course increase the number of allowed attempts and the time interval. To be strict, you can at some point outright ban the IP from any future attempts.
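As an added example (not code from the original entry), here is the same scheme written as a general, server-side limiter in Python rather than PHP. It keys the counter on an identifier such as the account name or client address rather than on the session, which is the change a practitioner would want: a PHP session lives in a cookie, so a client that discards the cookie starts with a clean counter. The AttemptLimiter class, its grow callback and the injectable clock are my own names and assumptions; the class implements the three-attempts-per-100-seconds rule above together with the growing timeout the entry suggests (additive by default, prev * prev for the exponential variant), and the walk-through under __main__ uses a constructed fake clock.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _State:
    count: int = 0             # attempts seen in the current window
    window_start: float = 0.0  # when the current window opened
    locked_until: float = 0.0  # lockout expiry time, 0.0 when not locked
    timeout: float = 0.0       # length of the most recent lockout, 0.0 if none yet


class AttemptLimiter:
    """Per-key attempt limiter (hypothetical helper, not from the entry).

    Allows `limit` attempts per `interval` seconds for each key.  The attempt
    that exceeds the limit starts a lockout; the first lockout lasts `interval`
    seconds and every later one lasts grow(previous_timeout).
    """

    def __init__(self, limit: int = 3, interval: float = 100.0,
                 grow: Optional[Callable[[float], float]] = None,
                 clock: Callable[[], float] = time.time):
        self.limit = limit
        self.interval = interval
        # Default growth is the additive step from the text: 100, 200, 300 ...
        self.grow = grow if grow is not None else (lambda prev: prev + interval)
        self.clock = clock   # injectable so the behaviour can be tested offline
        self._states: Dict[str, _State] = {}

    def attempt(self, key: str) -> bool:
        """Record one attempt for `key`; return True if it may proceed."""
        now = self.clock()
        st = self._states.setdefault(key, _State())

        if st.locked_until:
            if now < st.locked_until:
                return False           # still serving a lockout: not counted
            st.locked_until = 0.0      # lockout served, open a fresh window
            st.count = 0

        if st.count and now - st.window_start >= self.interval:
            st.count = 0               # window expired without a lockout

        if st.count == 0:
            st.window_start = now
        st.count += 1

        if st.count > self.limit:
            # Lockout length: `interval` the first time, then grow(previous).
            st.timeout = self.interval if st.timeout == 0.0 else self.grow(st.timeout)
            st.locked_until = now + st.timeout
            st.count = 0
            return False
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until `key` may try again; 0.0 when it is not locked out."""
        st = self._states.get(key)
        if st is None or not st.locked_until:
            return 0.0
        return max(0.0, st.locked_until - self.clock())


if __name__ == "__main__":
    # Constructed walk-through with a fake clock; no real time passes.
    fake_now = [0.0]
    limiter = AttemptLimiter(limit=3, interval=100.0, clock=lambda: fake_now[0])
    for n in range(1, 6):
        print(f"attempt {n}: allowed={limiter.attempt('alice')} "
              f"retry_after={limiter.retry_after('alice'):.0f}s")
    fake_now[0] += 100.0
    print("after 100s:", limiter.attempt("alice"))
```

Attempts made while a lockout is running are refused without being counted, so hammering the endpoint during the timeout does not extend it; only a fresh burst after the timeout triggers the next, longer lockout. The lockout length is kept per key and never shrinks here, matching the entry's "each timeout becomes longer" rule; a deployment would normally also let it decay after a long quiet period.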
