Solved

flood detection

Posted on 2002-03-23
Last Modified: 2012-05-04
I have a PHP poll script on my website, and there's some idiot that uses some Perl/Java/script kiddie tool to post to the script in a loop and manipulate the poll results.
How can I detect his flood through the script and ignore the post?
Until now the script would plant a cookie when you vote, and if you try to vote again it would check if the cookie exists and if so ignore the vote. Because the flooder uses some tool and not a browser, the cookie is not planted...
The flooder uses more than one shell account to run his posting script, so the IPs are different.

What can I do to detect the flooder and ignore him?
Question by:socket9001
10 Comments
 
LVL 5

Accepted Solution

by:
dkjariwala earned 300 total points
There cannot be a 100% foolproof way.
But a few things you can try:

Ok, users need to create an account with an email not in the database. The person also has to verify this email to become a member.
You need to be a member to vote in the poll.

The poll script logs the IP, and it won't allow voting from the same IP for the next 10 minutes. [You have to do this because the IP doesn't remain the same all the time for users.]

It also uses cookies.


So to vote more than once, the person has to create a new account with a new email (and have to create a new email account if they don't have others), and then go to that email to verify.
The person has to change his ip.
He has to delete his cookies if he had the cookie option on. He has to log out or close the browser to clear his sessions, log in to his new account, and vote.

That is the best you can do to avoid flooding.

JD
 
LVL 5

Expert Comment

by:andriv
Excellent idea with having to verify e-mail JD!!! This way they can't just register using any e-mail just for the sake of gaining access!! They have to apply, then reply to the auto email to become a member, then you can limit each email to one vote a day.

Good Job JD.
 
LVL 5

Expert Comment

by:dkjariwala
Thx Andriv.

JD
 
LVL 40

Expert Comment

by:RQuadling
Just to clear something in my own mind ...

1 - The user comes to the site, wishing to register and enters username/password/email address.

2 - The registration process sends out an email telling them to enter a code (which is logged against the email address).

3 - The user then has a confirmed account.

They have to login to your site to vote (members only sort of thing).

When they have voted, you could log their account ID against the vote, so you can instantly stop them from multiple voting, or allow them to amend their vote (wouldn't that be great in the real world?!? You don't like your president/prime minister/whoever and you can change your mind retrospectively! Ha!).

That looks quite secure. Did I miss anything?

Regards,

Richard Quadling.
 
LVL 5

Expert Comment

by:dkjariwala
That's precisely what you should be doing.

All the best,
JD
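The members-only flow agreed on above (verified e-mail, one vote per account, the 10-minute per-IP window from the accepted answer), as an added example that is not code from anyone in this thread. It assumes a MySQL PDO connection $db opened with ERRMODE_EXCEPTION and two hypothetical tables, users and votes, described in the comments.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL PDO connection
// $db opened with ERRMODE_EXCEPTION and two hypothetical tables:
//   users(id, email, verify_token_hash, verified_at)
//   votes(poll_id, user_id, ip, choice, voted_at, UNIQUE(poll_id, user_id))

// Step 2: the code that goes into the e-mail; only its hash is stored.
function issueVerifyToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(16));                  // 128-bit random code
    $db->prepare('UPDATE users SET verify_token_hash = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $userId]);
    return $token;
}

// Step 3: the code comes back and the account becomes confirmed.
function confirmVerifyToken(PDO $db, int $userId, string $token): bool {
    $stmt = $db->prepare('SELECT verify_token_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        return false;                                    // constant-time compare
    }
    $db->prepare('UPDATE users SET verified_at = NOW(), verify_token_hash = NULL WHERE id = ?')
       ->execute([$userId]);
    return true;
}

// Voting: no second vote from one IP within 10 minutes, confirmed account
// required, and one row per (poll, account) enforced by the UNIQUE index so
// two parallel requests cannot both get a vote in.
function castVote(PDO $db, int $pollId, int $userId, string $ip, int $choice): string {
    $stmt = $db->prepare('SELECT COUNT(*) FROM votes WHERE poll_id = ? AND ip = ?'
                       . ' AND voted_at > NOW() - INTERVAL 10 MINUTE');
    $stmt->execute([$pollId, $ip]);
    if ($stmt->fetchColumn() > 0) {
        return 'ip-throttled';
    }
    // INSERT ... SELECT inserts nothing unless the account is confirmed
    $ins = $db->prepare('INSERT INTO votes (poll_id, user_id, ip, choice, voted_at)'
        . ' SELECT ?, id, ?, ?, NOW() FROM users WHERE id = ? AND verified_at IS NOT NULL');
    try {
        $ins->execute([$pollId, $ip, $choice, $userId]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') return 'already-voted';   // duplicate key
        throw $e;
    }
    return $ins->rowCount() === 1 ? 'counted' : 'unverified';
}
```

The session or login layer that maps the request to $userId is assumed; the IP check is the soft limit from the accepted answer and the account uniqueness is the hard one.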
 
LVL 5

Expert Comment

by:andriv
It doesn't even have to be a code; if they respond to the e-mail then you know it is their own and the registration is completed.

Now that they are registered they can only have one vote per day for that particular e-mail address.

Experts-exchange does it as well.  In order for your registration to be completed and before you can gain access you must confirm to the auto-email they send you.

No one can register with a fake e-mail address. Sure, people can register many e-mail addresses for the sake of registering, but that is forcing them to do a lot more work to manipulate the system, and their program must enter each email address only once. So if they wanted their program to do multiple vote submission they can only do it once for each account.
 
LVL 5

Expert Comment

by:LexZEUS
poll flooding..

one way is to use session to prevent flooding..

Main.php -> to display the poll
<?php
session_start();
// the poll id, stored in the session so the submit page can trust it
$poll_id = 123;
$_SESSION["poll_id"] = $poll_id;

// display the poll ..
include("PollDisplay.php");
?>

SubmitPool.php -> to submit the poll
<?php
session_start();
// take poll_id from session, since there is possibility
// that user hardcode poll_id=xxx in url
if (empty($_SESSION["poll_id"]))
   {
   header("Location: Main.php");
   print "Ah.. you never visit the first page!\n";
   exit;
   }
$poll_id = $_SESSION["poll_id"];

// assuming poll_id taken from session is 123
// check whether session flag make_choice_already_for_123
// is valued with "yes" or not:
$flag = "make_choice_already_for_" . $poll_id;
if (isset($_SESSION[$flag]) && $_SESSION[$flag] == "yes")
   {
   die ("You have participated in poll before!");
   }

// mark current user already participated in poll 123
$_SESSION[$flag] = "yes";
include("PollProcess.php");
?>


Ideally you can *ONLY* submit your choice *IF* you have seen the poll. Then we can *assume* that the user *MUST* go to Main.php before submitting the poll.
You can combine this code with your setCookie to prevent the user from re-participating in the poll in the next hours/day (as the session expired). The user can delete your cookie though, but this mechanism makes flooding harder: you will have to go to first page with new session in order you can participate in poll..
 
LVL 5

Expert Comment

by:LexZEUS
in my last sentence:
you will have to go to first page with new session in order you can participate in poll..

what i mean is:
Someone will have to access the first page (with new session) in order to participate in poll.

rgds,

Alex
 

Expert Comment

by:ibishop
I guess it depends on whether you're taking a semi-anonymous poll, or one where the vote is clearly identifiable to an account.

For identifiable - the above work great.

For semi-anonymous, I generally create a composite string comprising the IP address, the date part of the timestamp, and something else (for example, the name of the poll), structured similar to:

MyPoll-192.168.0.11-20020327

By inserting that into a field requiring Unique values, you can limit to one vote per IP per Poll per Day.

This does have some limitations with proxy servers etc., but is pretty effective. I've only ever had a limited number of complaints regarding my semi-anonymous polls using this method.

Best regards,

Ian
 
LVL 5

Expert Comment

by:LexZEUS
If you use the date approach you may want to synchronize it with GMT, for you may reside in the US whereas I am in Asia Pacific :) ..


>MyPoll-192.168.0.11-20020327

192.168.xxx.xxx?? You are globalsources people! OMG!!
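The composite "poll-IP-day" key from Ian's comment, built in GMT as Alex suggests, as an added example that is not code from either of them. It assumes a PDO connection $db opened with ERRMODE_EXCEPTION and a hypothetical votes table with a UNIQUE column vote_key.

```php
<?php
// Added example, not code from the thread: the composite "poll-IP-day" key
// above, built with gmdate() so the day boundary is GMT for every voter.
// Assumes a PDO connection $db opened with ERRMODE_EXCEPTION and a
// hypothetical table votes(vote_key VARCHAR(80) UNIQUE, choice INT).

function pollVoteKey(string $pollName, string $ip, ?int $now = null): string {
    $now = $now ?? time();
    // gmdate() formats in UTC whatever the server's local zone is, so a
    // voter in the US and one in Asia Pacific roll over at the same instant
    return $pollName . '-' . $ip . '-' . gmdate('Ymd', $now);
}

// Returns true when the vote was counted and false when this IP already
// voted in this poll today: the UNIQUE index rejects the repeated key, so
// check and insert are one atomic step and a flood of parallel requests
// cannot slip extra rows past a separate SELECT-then-INSERT.
function recordSemiAnonymousVote(PDO $db, string $pollName, string $ip, int $choice): bool {
    $key = pollVoteKey($pollName, $ip);
    try {
        $db->prepare('INSERT INTO votes (vote_key, choice) VALUES (?, ?)')
           ->execute([$key, $choice]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // integrity constraint violation
            return false;
        }
        throw $e;
    }
}

// Constructed call: the key for the example poll and IP at 2002-03-28 04:30 GMT,
// which is still the evening of the 27th in the US but already the 28th in GMT.
$key = pollVoteKey('MyPoll', '192.168.0.11', gmmktime(4, 30, 0, 3, 28, 2002));
```

Pass $_SERVER['REMOTE_ADDR'] as the IP; everyone behind one proxy then shares a key for the day, which is the limitation Ian mentions.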