flood detection

Posted on 2002-03-23
Medium Priority
Last Modified: 2012-05-04
I have a php poll script in my website, and there's some idiot that uses some Perl/Java/script kiddie tool to post the script in a loop and manipulate the poll results.
How can I detect his flood through the script and ignore the post?
Until now the script would plant a cookie when you vote, and if you try to vote again it would check whether the cookie exists and, if so, ignore the vote. Because the flooder uses some tool and not a browser, the cookie is not planted...
The flooder uses more than one shell account to run his posting script, so the IPs are different.

What can I do to detect the flooder and ignore him?
Question by:socket9001

Accepted Solution

dkjariwala earned 1200 total points
ID: 6890563
There cannot be a 100% foolproof way.
But there are a few things you can try:

Ok, users need to create an account with an email not in the database. The person also has to verify this email to become a member.
You need to be a member to vote in the poll.

The poll script logs the IP, and it won't allow voting from the same IP for the next 10 minutes. [You have to do this because the IP doesn't remain the same all the time for users.]

It also uses cookies.

So to vote more than once, the person has to create a new account with a new email (and have to create a new email account if they don't have others), and then go to that email to verify.
The person has to change his ip.
He has to delete his cookies if he had the cookie option on. He has to log out or close the browser to clear his sessions, log in to his new account, and vote.

That is the best you can do to avoid flooding.


Expert Comment

ID: 6891808
Excellent idea with having to verify e-mail JD!!! This way they can't just register using just any e-mail just for the sake of gaining access!! They have to apply, then reply to the auto email to become a member; then you can limit each email to one vote a day.

Good Job JD.

Expert Comment

ID: 6891963
Thx Andriv.


Expert Comment

by:Richard Quadling
ID: 6894427
Just to clear something in my own mind ...

1 - The user comes to the site, wishing to register and enters username/password/email address.

2 - The registration process sends out an email telling them to enter a code (which is logged against the email address).

3 - The user then has a confirmed account.

They have to login to your site to vote (members only sort of thing).

When they have voted, you could log their account ID against the vote, so you can instantly stop them from multiple voting, or allow them to amend their vote (wouldn't that be great in the real world?!? You don't like your president/prime minister/whoever and you can change your mind retrospectively! Ha!).

That looks quite secure. Did I miss anything?


Richard Quadling.
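
The flow discussed above (register, confirm a mailed code, then one vote per account per poll), as an added example that is not code from any poster in this thread. The table layout, function names and the e-mail address are constructed for illustration, and it assumes PHP 7+ with the pdo_sqlite extension.

```php
<?php
// Added example: schema, function names and addresses are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,
           code_hash TEXT, verified INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE votes (poll_id INTEGER NOT NULL, account_id INTEGER NOT NULL,
           choice TEXT NOT NULL, PRIMARY KEY (poll_id, account_id))');

// Steps 1-2: create the unverified account and return the code to be e-mailed.
// Only a hash of the code is stored, so a database leak does not reveal it.
function register(PDO $db, string $email): string {
    $code = bin2hex(random_bytes(16));               // unguessable code
    $db->prepare('INSERT INTO accounts (email, code_hash) VALUES (?, ?)')
       ->execute([strtolower(trim($email)), hash('sha256', $code)]);
    return $code;
}

// Step 3: the account becomes confirmed only when the mailed code is presented.
function confirm(PDO $db, string $email, string $code): bool {
    $stmt = $db->prepare('SELECT id, code_hash FROM accounts WHERE email = ? AND verified = 0');
    $stmt->execute([strtolower(trim($email))]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['code_hash'], hash('sha256', $code))) {
        return false;                                // unknown address or wrong code
    }
    $db->prepare('UPDATE accounts SET verified = 1, code_hash = NULL WHERE id = ?')
       ->execute([$row['id']]);                      // the code cannot be reused
    return true;
}

// Voting: the account ID is logged against the vote; the primary key on
// (poll_id, account_id) makes the database refuse a second vote.
function vote(PDO $db, int $pollId, int $accountId, string $choice): bool {
    $ok = $db->prepare('SELECT 1 FROM accounts WHERE id = ? AND verified = 1');
    $ok->execute([$accountId]);
    if (!$ok->fetchColumn()) return false;           // not a confirmed member
    try {
        $db->prepare('INSERT INTO votes (poll_id, account_id, choice) VALUES (?, ?, ?)')
           ->execute([$pollId, $accountId, $choice]);
        return true;
    } catch (PDOException $e) {
        return false;                                // insert refused: already voted
    }
}

// Constructed walk-through: vote before confirming, wrong code, right code, two votes.
$code = register($db, 'alice@example.test');         // becomes account id 1
var_dump(vote($db, 123, 1, 'red'), confirm($db, 'alice@example.test', 'guess'),
         confirm($db, 'alice@example.test', $code), vote($db, 123, 1, 'red'), vote($db, 123, 1, 'blue'));
```

In a real script the account ID passed to `vote()` would come from the logged-in session, never from the request itself.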

Expert Comment

ID: 6894434
That's precisely what you should be doing.

All the best,

Expert Comment

ID: 6894448
It doesn't even have to be a code; if they respond to the e-mail then you know it is their own and the registration is completed.

Now that they are registered they can only have one vote per day for that particular e-mail address.

Experts-exchange does it as well.  In order for your registration to be completed, and before you can gain access, you must confirm the auto-email they send you.

No one can register with a fake e-mail address. Sure, people can register many e-mail addresses for the sake of registering, but that is forcing them to do a lot more work to manipulate the system, and their program must enter each email address only once. So if they wanted their program to do multiple vote submissions they can only do it once for each account.

Expert Comment

ID: 6901845
poll flooding..

one way is to use session to prevent flooding..

Main.php -> to display the poll
session_start();
// the poll id, stored in the session so SubmitPool.php can read it
$poll_id = 123;
$_SESSION["poll_id"] = $poll_id;

// display the poll ..

SubmitPool.php -> to submit the poll
session_start();
// take poll_id from session, since there is possibility
// that user hardcode poll_id=xxx in url
if (empty($_SESSION["poll_id"])) {
   header("Location: Main.php");
   print "Ah.. you never visit the first page!\n";
   exit; // stop here, otherwise the vote below would still be processed
}
$poll_id = $_SESSION["poll_id"];

// assuming poll_id taken from session is 123
// check whether session entry make_choice_already_for_123
// is valued with "yes" or not:
$flag = "make_choice_already_for_".$poll_id;
if (isset($_SESSION[$flag]) && $_SESSION[$flag] == "yes")
   die ("You have participated in poll before!");

// mark current user already participated in poll 123
$_SESSION[$flag] = "yes";

Ideally you can *ONLY* submit your choice *IF* you have seen the poll. Then we can *assume* that the user *MUST* go to Main.php before submitting the poll.
You can combine this code with your setCookie to prevent the user from reparticipating in the poll in the next hours/day (as the session expires). The user can delete your cookie though, but this mechanism makes flooding harder: you will have to go to first page with new session in order you can participate in poll..

Expert Comment

ID: 6901856
In my last sentence:
you will have to go to first page with new session in order you can participate in poll..

What I mean is:
Someone will have to access the first page (with a new session) in order to participate in the poll.



Expert Comment

ID: 6901941
I guess it depends on whether you're taking a semi-anonymous poll, or one where the vote is clearly identifiable to an account.

For identifiable - the above work great.

For semi-anonymous, I generally create a composite string, comprising The IP Address, the Date part of the timestamp, and something else (for example, the name of the poll), structured similar to :


By inserting that into a field requiring Unique values, you can limit to one vote per IP per Poll per Day.

This does have some limitations with proxy servers etc., but is pretty effective - I've only ever had a limited number of complaints regarding my semi-anonymous polls using this method.

Best regards,
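
The one-vote-per-IP-per-poll-per-day approach described above, as an added example that is not the poster's code. The `ip|date|poll` key layout, the table and function names and the sample addresses are assumptions made for illustration; the date is taken in UTC so the day boundary does not depend on the server's timezone, and it assumes PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example: table, function names and sample requests are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE anon_votes (vote_key TEXT PRIMARY KEY, choice TEXT NOT NULL)');

// Build the composite string: IP address + UTC date + poll name.
function voteKey(string $ip, string $poll, int $now): ?string {
    $packed = @inet_pton($ip);               // false for anything that is not an IP
    if ($packed === false) return null;
    $canonical = inet_ntop($packed);         // one spelling per address (matters for IPv6)
    return $canonical . '|' . gmdate('Y-m-d', $now) . '|' . $poll;
}

// Insert the key into the unique column; a repeat key is refused by the database,
// so two simultaneous requests cannot both be counted.
function castVote(PDO $db, string $ip, string $poll, string $choice, int $now): string {
    $key = voteKey($ip, $poll, $now);
    if ($key === null) return 'rejected: bad address';
    try {
        $db->prepare('INSERT INTO anon_votes (vote_key, choice) VALUES (?, ?)')
           ->execute([$key, $choice]);
        return 'counted';
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // SQLSTATE: integrity constraint violation
            return 'ignored: already voted today';
        }
        throw $e;                                    // any other database error is a real failure
    }
}

// Constructed requests: [ip, poll, choice, unix time]. In the live script the
// address would come from $_SERVER['REMOTE_ADDR'] and the time from time().
$late = gmmktime(23, 59, 0, 3, 23, 2002);
$requests = [
    ['203.0.113.7',  'fav-colour', 'red',  $late],
    ['203.0.113.7',  'fav-colour', 'blue', $late + 30],   // same IP, same UTC day
    ['203.0.113.7',  'fav-colour', 'blue', $late + 120],  // after midnight UTC
    ['203.0.113.7',  'fav-editor', 'vi',   $late],        // different poll
    ['not-an-ip',    'fav-colour', 'red',  $late],
];
foreach ($requests as [$ip, $poll, $choice, $now]) {
    echo $ip, ' ', $poll, ' -> ', castVote($db, $ip, $poll, $choice, $now), "\n";
}
```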


Expert Comment

ID: 6901949
If you use the date approach, you may synchronize it with GMT, for you may reside in the US, whereas I am in Asia Pacific :) ..


192.168.xxx.xxx?? You are globalsources people! OMG!!


Question has a verified solution.
