
How To Prevent False Reads From Anti-Flood Protection?

Posted on 2010-09-08
Last Modified: 2013-11-25
Hello

The below code is for redirecting flood attempts to a flood page I have made.  The only problem with the below coding is that sometimes it gives false positives and redirects to the flood page when there is no flood.  It will do this on such things as logging in to my site, or posting in the forum. The 0.000001 below is the time set for it.

What adjustments can be made to increase the accuracy of the flood protection?

Thanks
Rob

// anti flood protection
// NOTE: time() has one-second resolution, so "time() - 0.000001" is effectively
// "the current second": the condition is true whenever the previous request landed
// in the same wall-clock second as this one (e.g. a login POST and the redirect that
// follows it), not only on sub-second floods.
if($_SESSION['last_session_request'] > time() - 0.000001 && !$_SESSION['forum_flood'] && !$ir['forummod'] && !$ir['forumadmin']  && !$ir['forumcoder']){
    // users are redirected to this page if their previous request was in the same second
    header("Location: ../flood.php");
    exit;
}
$_SESSION['last_session_request'] = time();
unset($_SESSION['forum_flood']);
//end anti flood protection

Question by:showmeurgoods

Expert Comment

by:Ray Paseur
ID: 33633451
Please explain a little more... What is the problem you are up against?

Author Comment

by:showmeurgoods
ID: 33633508
Hello

What the code does is redirect a member/visitor who is excessively requesting pages.  This is flood prevention code.  The issue is that it gives false positives sometimes.  I've tried adjusting the time to be more accurate, but it has not fixed it.

Are there any adjustments to the code or to the time, which will stop the false positives?

I know there are similar codes online for anti-flood; this one is all good except for the 0.00001, which I've tried adjusting to different times, but it still seems to give false redirects.

Thanks
Rob

Accepted Solution

by: Ray Paseur
ID: 33635957
OK, thanks.  About this: "excessively requesting pages" -- are these GET requests or are these POSTs to the forum?  What does the ../flood.php page do?

The PHP time() function should give you an integer that changes every second.  Most humans would not request pages faster than once per second.  But with a little added code, we can get to a rate-limit that is subsecond, and therefore less subject to false positives.

I do not know of any server that would cache the time requests.
<?php // RAY_temp_antiflood.php
error_reporting(E_ALL);


// DEMONSTRATE AN ANTI-FLOOD STRATEGY  - RATE LIMITED USING A TIMER
function too_fast()
{
    // DEFINE USEFUL LOCAL CONSTANTS TO LET $pagetime BE A POSITIVE INTEGER - ADJUST THESE
    // (this function is called once per request; a second define() of the same name would raise a notice)
    define('MY_EPOCH', 2000000000.0);
    define('MY_RATER', 5.0); // 5 TICKS PER SECOND: TWO REQUESTS IN THE SAME 0.2 s TICK COUNT AS "TOO FAST"

    // GET THE PSEUDO PAGE LOAD TIME IN FRACTIONAL SECONDS
    // MAN PAGE: http://us.php.net/manual/en/function.microtime.php#83642
    // NOTE: THE SCALED VALUE IS WELL ABOVE 2^31, SO THIS NEEDS 64-BIT PHP INTEGERS
    $pagetime = (int)( (round( microtime(true),1) * MY_RATER) - MY_EPOCH);

    // IF THERE IS A TIME IN THE SESSION, IT IS A REPEAT REQUEST
    if (!empty($_SESSION["pagetime"]))
    {
        // IF THE REPEAT IS IN THE SAME TICK AS (OR EARLIER THAN) THE LAST PAGE LOAD
        if ($_SESSION["pagetime"] >= $pagetime)
        {
            return TRUE;
        }
    }

    // STORE THE CURRENT PAGE LOAD TIME IN THE SESSION
    $_SESSION["pagetime"] = $pagetime;

    return FALSE;
}


// ALWAYS START SESSION ON EVERY PAGE
session_start();

// TEST THE CLICK-SPEED
if (too_fast()) echo "<br/>TOO FAST" . PHP_EOL;

// PRESENT THE TIMERS
echo '<br/>REALTIME: ' . date('i:s') . ' PAGETIME: ' . number_format($_SESSION["pagetime"]);

// END OF PHP, PUT UP A FORM FOR RAPID TESTING
?>
<form>
<input type="submit" value="CLICK HERE REPEATEDLY" />
</form>

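Added example, not code from the question or from Ray's post: it runs the question's decision and a token-bucket limiter side by side over a constructed request timeline, so you can see exactly which requests each one flags. The bucket lets a short burst through (a login POST and the redirect it triggers) but rejects a client that keeps hammering. State is passed in as an array so the logic can be run from the CLI; in the site header that array would be $_SESSION['flood']. The capacity of 4 requests and refill of 1 per second, the $ir user-row keys, and the timeline values are all assumptions to tune.

```php
<?php
// Added example (not from the original question or answer). Compares the
// question's integer-second check with a token bucket on a constructed
// timeline. Capacity/rate, the $ir keys and the timeline are assumed values.

// The decision from the question, isolated. time() has one-second
// resolution, so "time() - 0.000001" is just "the current second" and
// any two requests in the same wall-clock second are flagged.
function original_check(int $last_request, int $now): bool
{
    return $last_request > $now - 0.000001;
}

// Token bucket. Up to $capacity requests may arrive back to back; after
// that the bucket refills at $rate requests per second. Returns true when
// the request should be treated as flooding.
function bucket_too_fast(array &$state, float $now, int $capacity = 4, float $rate = 1.0): bool
{
    if (!isset($state['tokens'], $state['updated'])) {
        $state = ['tokens' => (float)$capacity, 'updated' => $now];
    }
    $elapsed = max(0.0, $now - $state['updated']);   // clock went backwards: no refill
    $state['tokens'] = min((float)$capacity, $state['tokens'] + $elapsed * $rate);
    $state['updated'] = $now;
    if ($state['tokens'] < 1.0) {
        return true;                                  // bucket empty: flooding
    }
    $state['tokens'] -= 1.0;
    return false;
}

// What the header would do. $ir is the question's user row (assumed keys);
// moderators, admins and coders are exempt as in the original, and the
// one-shot $_SESSION['forum_flood'] bypass is honoured. Returns true when
// the caller should send the Location header and exit.
function should_redirect(array &$session, array $ir, float $now): bool
{
    if (!empty($ir['forummod']) || !empty($ir['forumadmin']) || !empty($ir['forumcoder'])) {
        return false;
    }
    if (!empty($session['forum_flood'])) {
        unset($session['forum_flood']);
        return false;
    }
    if (!isset($session['flood'])) {
        $session['flood'] = [];
    }
    return bucket_too_fast($session['flood'], $now);
}

// Run both checks over a timeline of request times (seconds, fractional).
function simulate(array $timeline, int $capacity = 4, float $rate = 1.0): array
{
    $state = [];
    $last  = null;
    $rows  = [];
    foreach ($timeline as $t) {
        $rows[] = [
            't'        => $t,
            'original' => $last !== null && original_check($last, (int)$t),
            'bucket'   => bucket_too_fast($state, $t, $capacity, $rate),
        ];
        $last = (int)$t;
    }
    return $rows;
}

// Constructed timeline: login POST at 100.20, the redirect it triggers at
// 100.45, two normal page views, then a bot hitting the page every 50 ms.
const DEMO_TIMELINE = [100.20, 100.45, 103.00, 108.00, 110.00, 110.05, 110.10, 110.15, 110.20, 110.25];

if (PHP_SAPI === 'cli') {
    foreach (simulate(DEMO_TIMELINE) as $row) {
        printf("t=%6.2f  original:%-5s  bucket:%-5s\n",
            $row['t'], $row['original'] ? 'FLOOD' : 'ok', $row['bucket'] ? 'FLOOD' : 'ok');
    }
}
```

Run it with `php antiflood_demo.php`. The original check flags the redirect at t=100.45 (same second as the login POST) and every bot hit from 110.05 on; the bucket passes the login pair and the first three bot hits, then rejects from 110.20 onward and keeps rejecting while the hits keep coming faster than the refill. In the header, call `should_redirect($_SESSION, $ir, microtime(true))` after session_start() and follow a true result with `header('Location: ../flood.php'); exit;`, and make sure flood.php does not itself include that header or the redirect will chase its own tail. Two caveats a practitioner should keep in mind: a limiter keyed on the session only throttles clients that send the session cookie back, so a bot that discards cookies gets a fresh bucket on every request (key on client IP, or IP plus session, in shared storage such as APCu or a database if you need more than keeping polite users honest), and, as Ray says below, none of this helps against a volumetric denial of service.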

Author Comment

by:showmeurgoods
ID: 33640538
Hello Ray

The protection is meant to redirect any/all excessive requests to a page. I've been told it will redirect some DDoS-type attacks and/or bad bots.  It's placed in the header of both site and forum (two separate headers).

The forum ones are POST requests, which are submitted by a member.

The flood.php page is just a landing page which tells them that they are making excessive page requests.  Once this is running well, I'll add the option to redirect to a page of choice via {($set['redirect_page'])} in place of flood.php, and I'll add history recording on the flood.php page to record in the db the username, date/time, the page the user came from, and a count+1 per hit.  Then in the admin area I can make a page to display this info, which will prove helpful.

I'm going to try the above later today and I'll report back :)  
Thank you very much for your posting.

Rob

Expert Comment

by:Ray Paseur
ID: 33641104
Understood.  You should be able to install the code and run it on your server to see what it does.

It will not inoculate against DoS attacks because your server will run out of data pipes; that is the principal issue with denial of service.  But it should be able to limit some bad bots and other scripting attacks.  For good bots, be sure you have the right robots.txt files.
http://www.robotstxt.org/

Best of luck with it, ~Ray