Here is some modified session click tracking attack blocking.
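session_name ( 'hack_block' ); // the name must be set before session_start ( )
session_start ( );

$time_interval = 10; // length of the counting window, in seconds
$strikes = 3;        // strikes allowed before the session is banned
$pageviews = 10;     // page views allowed inside one window

// A banned session gets nothing further.
if ( ! empty ( $_SESSION['banned'] ) ) die ( 'You are banned!' );

// Count this request; the first request of a window also records its start time.
if ( ! empty ( $_SESSION['pageviews'] ) ) {
    $_SESSION['pageviews']++;
} else {
    $_SESSION['time'] = time ( );
    $_SESSION['pageviews'] = 1;
}

// Too many page views inside the window: add a strike, or ban once the strike limit is reached.
if ( $_SESSION['pageviews'] >= $pageviews && ( time ( ) - $_SESSION['time'] ) <= $time_interval ) {
    if ( ! empty ( $_SESSION['strikes'] ) ) {
        if ( $_SESSION['strikes'] >= $strikes ) {
            $_SESSION['banned'] = 1;
        } else {
            $_SESSION['strikes']++;
        }
    } else {
        $_SESSION['strikes'] = 1;
    }
    die ( 'Too many requests.' );
}

// Window expired: clear the counter so the next request starts a new window.
if ( ( time ( ) - $_SESSION['time'] ) > $time_interval ) {
    unset ( $_SESSION['time'] , $_SESSION['pageviews'] );
}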
Haven't tried it yet but it should work.
Remember, this is session-based, which means single-user-based tracking, which cannot track a concerted effort by multiple computers.
You always check the system's CPU use levels for flood requests.
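
The limitation noted above, as an added example that is not part of the original post: the same fixed-window count kept in a server-side file and keyed per client address plus one shared key, so a flood spread over several clients still reaches the threshold. The function name record_hit, the temp-file store and the 192.0.2.x addresses are assumptions made for illustration; in a live script the per-client key would come from $_SERVER['REMOTE_ADDR'].

```php
<?php
// Added example, not the poster's code. Counters live in a server-side JSON
// file keyed by an arbitrary string instead of in $_SESSION.
// record_hit, the file store and the sample addresses are hypothetical.

function record_hit(string $file, string $key, int $now, int $window = 10): int
{
    $fh = fopen($file, 'c+');            // create if missing, do not truncate
    if ($fh === false) {
        throw new RuntimeException("cannot open $file");
    }
    flock($fh, LOCK_EX);                 // serialise concurrent requests
    $state = json_decode(stream_get_contents($fh) ?: '[]', true) ?: [];

    // Start a new window for this key when none exists or the old one expired.
    if (!isset($state[$key]) || $now - $state[$key]['time'] > $window) {
        $state[$key] = ['time' => $now, 'pageviews' => 0];
    }
    $count = ++$state[$key]['pageviews'];

    // Write the updated counters back before releasing the lock.
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $count;
}

// Constructed traffic: three clients, four requests each, all in one second.
$file      = tempnam(sys_get_temp_dir(), 'hits');
$pageviews = 10;                         // same threshold as the post
$now       = 1700000000;                 // constructed timestamp
foreach (range(1, 4) as $round) {
    foreach (['192.0.2.1', '192.0.2.2', '192.0.2.3'] as $ip) {
        $perClient = record_hit($file, "ip:$ip", $now);
        $overall   = record_hit($file, 'all', $now);
        if ($overall >= $pageviews) {
            echo "request from $ip: client count $perClient, "
               . "overall count $overall -> flood threshold reached\n";
        }
    }
}
unlink($file);
```

No single client gets past four page views here, so a per-client or per-session check stays silent while the shared key crosses the limit.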