

flood detection

Posted on 2002-03-23
Medium Priority
Last Modified: 2012-05-04
I have a php poll script in my website, and there's some idiot that uses some Perl/Java/script kiddie tool to post the script in a loop and manipulate the poll results.
How can I detect his flood through the script and ignore the post?
Until now the script would plant a cookie when you vote, and if you try to vote again it would check if the cookie exists and if so it will ignore the vote. Because the flooder uses some tool and not a browser, the cookie is not planted...
The flooder uses more than one shell account to run his posting script, so the IPs are different.

What can I do to detect the flooder and ignore him?
Question by:socket9001

Accepted Solution

dkjariwala earned 1200 total points
ID: 6890563
There cannot be a 100% foolproof way.
But there are a few things you can try:

Ok, users need to create an account with an email not in the database. The person also has to verify this email to become a member.
You need to be a member to vote in the poll.

The poll script logs the IP, and it won't allow voting from the same IP for the next 10 minutes. [You have to do this because the IP doesn't remain the same all the time for users.]

It also uses cookies.

So to vote more than once, the person has to create a new account with a new email (and have to create a new email account if they don't have others), and then go to that email to verify.
The person has to change his ip.
He has to delete his cookies if he had the cookie option on. He has to log out or close the browser to clear his sessions, log in to his new account, and vote.

That is the best you can do to avoid flooding.


Expert Comment

ID: 6891808
Excellent idea with having to verify e-mail JD!!! This way they can't just register using just any e-mail just for the sake of gaining access!! They have to apply, then reply to the auto e-mail to become a member, then you can limit each e-mail to one vote a day.

Good Job JD.

Expert Comment

ID: 6891963
Thx Andriv.


LVL 40

Expert Comment

by:Richard Quadling
ID: 6894427
Just to clear something in my own mind ...

1 - The user comes to the site, wishing to register and enters username/password/email address.

2 - The registration process sends out an email telling them to enter a code (which is logged against the email address).

3 - The user then has a confirmed account.

They have to login to your site to vote (members only sort of thing).

When they have voted, you could log their account ID against the vote, so you can instantly stop them from multiple voting, or allow them to amend their vote (wouldn't that be great in the real world?!? You don't like your president/prime minister/whoever and you can change your mind retrospectively! Ha!).

That looks quite secure. Did I miss anything?


Richard Quadling.

Expert Comment

ID: 6894434
That's precisely what you should be doing.

All the best,

Expert Comment

ID: 6894448
It doesn't even have to be a code; if they respond to the e-mail then you know it is their own and the registration is completed.

Now that they are registered they can only have one vote per day for that particular e-mail address.

Experts-exchange does it as well.  In order for your registration to be completed and before you can gain access you must confirm to the auto-email they send you.

No one can register with a fake e-mail address. Sure, people can register many e-mail addresses for the sake of registering, but that is forcing them to do a lot more work to manipulate the system and their program must enter each e-mail address only once. So if they wanted their program to do multiple vote submissions they can only do it once for each account.
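The confirmation-code step of the registration flow discussed in the comments above, as an added example that is not part of the original thread. The `$pending` array (standing in for a database table), the helper names `issueCode()` and `confirmCode()`, the 24-hour lifetime, and the sample address are all assumptions.

```php
<?php
// Added example: $pending stands in for a database table, and
// issueCode()/confirmCode() are hypothetical helper names.
const CODE_TTL = 86400; // assumption: a code is valid for 24 hours

function issueCode(array &$pending, string $email, int $now): string
{
    $code = bin2hex(random_bytes(16));        // unguessable, 128 bits
    $pending[strtolower($email)] = [
        'hash'    => hash('sha256', $code),   // store only the hash
        'expires' => $now + CODE_TTL,
    ];
    return $code;                             // goes into the e-mail only
}

function confirmCode(array &$pending, string $email, string $code, int $now): bool
{
    $email = strtolower($email);
    if (!isset($pending[$email])) {
        return false;                         // unknown or already used
    }
    $row = $pending[$email];
    // hash_equals() compares in constant time, so response timing does
    // not leak how much of a guessed code was correct.
    $ok = $now <= $row['expires']
        && hash_equals($row['hash'], hash('sha256', $code));
    if ($ok) {
        unset($pending[$email]);              // single use
    }
    return $ok;
}

// Constructed walk-through with a made-up address.
$pending = [];
$now  = time();
$code = issueCode($pending, 'Voter@example.com', $now);
var_dump(confirmCode($pending, 'voter@example.com', 'guess', $now)); // wrong code
var_dump(confirmCode($pending, 'voter@example.com', $code, $now));   // code from the e-mail
var_dump(confirmCode($pending, 'voter@example.com', $code, $now));   // same code replayed
```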

Expert Comment

ID: 6901845
poll flooding..

one way is to use session to prevent flooding..

Main.php -> to display the poll
<?php
session_start();
// the poll id, stored in the session so SubmitPool.php can read it
$poll_id = 123;
$_SESSION["poll_id"] = $poll_id;

// display the poll ..

SubmitPool.php -> to submit the poll
<?php
session_start();
// take poll_id from session, since there is possibility
// that user hardcode poll_id=xxx in url
if (empty($_SESSION["poll_id"])) {
   // no poll in the session: redirect and stop processing the vote
   header("Location: Main.php");
   die("Ah.. you never visit the first page!\n");
}
$poll_id = $_SESSION["poll_id"];

// assuming poll_id taken from session is 123
// check whether session flag make_choice_already_for_123
// is valued with "yes" or not:
$flag = "make_choice_already_for_" . $poll_id;
if (isset($_SESSION[$flag]) && $_SESSION[$flag] == "yes")
   die("You have participated in poll before!");

// mark current user already participated in poll 123
$_SESSION[$flag] = "yes";

Ideally you can *ONLY* submit your choice *IF* you have seen the poll. Then we can *assume* that the user *MUST* go to Main.php before submitting the poll.
You can combine this code with your setCookie to prevent the user from participating in the poll again in the next hours/day (as the session expires). The user can delete your cookie though, but this mechanism makes flooding harder: you will have to go to first page with new session in order you can participate in poll..

Expert Comment

ID: 6901856
in my last sentence:
you will have to go to first page with new session in order you can participate in poll..

What I mean is:
Someone will have to access the first page (with new session) in order to participate in poll.



Expert Comment

ID: 6901941
I guess it depends on whether you're taking a semi-anonymous poll, or one where the vote is clearly identifiable to an account.

For identifiable - the above works great.

For semi-anonymous, I generally create a composite string, comprising The IP Address, the Date part of the timestamp, and something else (for example, the name of the poll), structured similar to :


By inserting that into a field requiring Unique values, you can limit to one vote per IP per Poll per Day.

This does have some limitations with proxy servers etc., but is pretty effective - I've only ever had a limited number of complaints regarding my semi-anonymous polls using this method.

Best regards,


Expert Comment

ID: 6901949
If you use the date approach, you may synchronize it with GMT, for you may reside in the US, whereas I am in Asia Pacific :) ..


192.168.xxx.xxx?? You are globalsources people! OMG!!
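The composite-key approach from the comments above (one vote per IP per poll per day, with the day taken in GMT), as an added example that is not part of the original thread. The table and column names, the `castVote()` helper, the sample IP and the poll name are assumptions, and it uses an in-memory SQLite database through PDO.

```php
<?php
// Added example: table/column names and castVote() are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (
    vote_key TEXT NOT NULL UNIQUE,   -- IP | GMT date | poll name
    choice   TEXT NOT NULL
)');

function castVote(PDO $db, string $ip, string $poll, string $choice, ?int $now = null): bool
{
    // gmdate() keeps the day boundary identical for every visitor,
    // whatever timezone the server or the voter is in.
    $day = gmdate('Y-m-d', $now ?? time());
    $key = $ip . '|' . $day . '|' . $poll;

    $stmt = $db->prepare('INSERT INTO votes (vote_key, choice) VALUES (?, ?)');
    try {
        $stmt->execute([$key, $choice]);
        return true;                 // first vote for this IP/poll/day
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {
            return false;            // UNIQUE violation: duplicate vote
        }
        throw $e;                    // anything else is a real error
    }
}

// Constructed sample: documentation-range IP, made-up poll name.
$t = gmmktime(23, 59, 0, 3, 23, 2002);
var_dump(castVote($db, '203.0.113.7', 'best-editor', 'vim', $t));         // first vote
var_dump(castVote($db, '203.0.113.7', 'best-editor', 'emacs', $t));       // same IP, poll and GMT day
var_dump(castVote($db, '203.0.113.7', 'best-editor', 'emacs', $t + 120)); // two minutes later, next GMT day
```

Letting the database enforce uniqueness avoids the check-then-insert race that a looping script can win against a separate SELECT.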
