PHP anti attack code upgrade

  • 2020-03-31 21:22:29
  • OfStack

But the last few days have been a lot worse. 90% of the attacks have been impossible to intercept.

Table: IP, attack start time, number of attacks, place, note.

A total of 125,008, 172 in 15 seconds, and only 9,266.

The table is bad enough: our website was attacked 120000 times a day. If this is left unchecked, the burden it places on the website and the network is obvious. The characteristic of the attack is that each attack is made up of 3-5 different IPs attacking at the same time, each 3 to 5 times per second, 9-25 times per second combined; each IP attacks for 1-6 hours, and the IPs do not repeat those in the previous records. As a result, first, the site's memory usage suddenly becomes too large; second, it brings great instability to the network. Blocking of individual IPs has always been in place. I once tried unblocking all of them; after unblocking, several IPs attacked at the same time and even left the site seriously overloaded for a few minutes.

Now, to the point: why were the new attacks not stopped? After research, I found that 90% of the IPs use a new plan of attack: the smart ones attack for 2 minutes, stop for 5 minutes, and take turns attacking. Because my previous program's parameter was set to 600 seconds (the conservative scheme), I changed the parameters to the new scheme of 120 seconds and 120 times, with a wrong-kill rate of 0.5%. Through the contrast of the log, I can analyze 120 seconds mistake and have not tried 120 times, 120 seconds more than one page is a freight due to network problem have a refresh for more than 1 back to customer, this is the reason why we trade background is not intelligent.

Finally, thank you for your comments; I will think them over. However, this program of mine is only a reference to be adapted to local conditions; it is not the best, can only be said to be human nature. Now I am posting the program again with only the time and count parameters changed. The new parameters have been able to catch 100% of the hackers' IPs: I tried for two days and caught 62 new IPs, still mostly from Turkey.

Anti-ip attack code website ver2.0:

 
 
<?php
// Stage 1: refuse IPs that are already on the block list
$ip = $_SERVER['REMOTE_ADDR'];
$fileht = ".htaccess2";
if (!file_exists($fileht)) file_put_contents($fileht, "");
$filehtarr = @file($fileht) ?: array();
if (in_array($ip . "\r\n", $filehtarr)) die("Warning:"."<br>"."Your IP address are forbided by Mydalle.com Anti-refresh mechanism, IF you have any question Pls emill to shop@mydalle.com!<br>(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");

// Stage 2: count hits from the IP under watch and add it to the block list past the limit
$time = time();
$fileforbid = "log/forbidchk.dat"; // watch file, one value per line: IP, start time, hit count

if (file_exists($fileforbid)) {
    if ($time - filemtime($fileforbid) > 30) {
        unlink($fileforbid); // no hit for more than 30 seconds: stop watching
    } else {
        $fileforbidarr = @file($fileforbid);
        // Compare the whole address: a prefix match would treat 1.2.3.45 as 1.2.3.4
        if (is_array($fileforbidarr) && count($fileforbidarr) >= 3 && $ip === rtrim($fileforbidarr[0])) {
            if ($time - (int)$fileforbidarr[1] > 120) {
                unlink($fileforbid); // the 120-second window is over
            } elseif ((int)$fileforbidarr[2] > 120) {
                // more than 120 hits inside the window: block the IP
                file_put_contents($fileht, $ip . "\r\n", FILE_APPEND | LOCK_EX);
                unlink($fileforbid);
            } else {
                $fileforbidarr[2] = (int)$fileforbidarr[2] + 1;
                file_put_contents($fileforbid, $fileforbidarr, LOCK_EX);
            }
        }
    }
}

// Stage 3: anti-refresh counter per IP and URI
$str = "";
$file = "log/ipdate.dat";
if (!file_exists("log") && !is_dir("log")) mkdir("log", 0755); // not world-writable
if (!file_exists($file)) file_put_contents($file, "");
$allowTime = 60; // anti-refresh window in seconds
$allowNum = 5;   // requests allowed per window
$uri = $_SERVER['REQUEST_URI'];
$checkip = md5($ip);   // md5 only gives fixed-width (32-character) keys here
$checkuri = md5($uri);
$yesno = true; // stays true while no live record for this IP is found
$ipdate = @file($file) ?: array();
foreach ($ipdate as $k => $v) {
    // record layout: md5(ip)[32] md5(uri)[32] timestamp[10] count
    $iptem = substr($v, 0, 32);
    $uritem = substr($v, 32, 32);
    $timetem = (int)substr($v, 64, 10);
    $numtem = (int)substr($v, 74);
    if ($time - $timetem < $allowTime) { // records older than the window are dropped
        // strict comparison: loose != can treat two "0e..." digests as equal
        if ($iptem !== $checkip) {
            $str .= $v;
        } else {
            $yesno = false;
            if ($uritem !== $checkuri) {
                $str .= $iptem . $checkuri . $time . "1\r\n"; // new URI: restart the count
            } elseif ($numtem < $allowNum) {
                $str .= $iptem . $uritem . $timetem . ($numtem + 1) . "\r\n";
            } else {
                // limit reached: start watching this IP if no other IP is being watched
                if (!file_exists($fileforbid)) {
                    $addforbidarr = array($ip . "\r\n", time() . "\r\n", 1);
                    file_put_contents($fileforbid, $addforbidarr, LOCK_EX);
                }
                file_put_contents("log/forbided_ip.log", $ip . "--" . date("Y-m-d H:i:s", time()) . "--" . $uri . "\r\n", FILE_APPEND | LOCK_EX);
                $timepass = $timetem + $allowTime - $time;
                die("Warning:"."<br>"."Pls don't refresh too frequently, and wait for ".$timepass." seconds to continue, IF not your IP address will be forbided automatic by Mydalle.com Anti-refresh mechanism!<br>(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
            }
        }
    }
}
if ($yesno) $str .= $checkip . $checkuri . $time . "1\r\n";
file_put_contents($file, $str, LOCK_EX);
?>
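
The tuning described above (senders that attack for 2 minutes and pause for 5, and the move to 120 seconds / 120 times) can be checked by replaying constructed traffic against a simplified model of this script's stage order. This is an added example, not part of the original program, written in Python for offline replay; the earlier hit threshold is not given on the page, so the 600 used below is an assumed value.

```python
ALLOW_TIME, ALLOW_NUM, IDLE_RESET = 60, 5, 30  # constants from the page's PHP

def burst_pause(rate, on_s, off_s, cycles):
    """Constructed traffic from one IP: rate req/s for on_s, silent for off_s."""
    times = []
    for c in range(cycles):
        base = c * (on_s + off_s)
        times += [base + i / rate for i in range(int(rate * on_s))]
    return times

def replay(times, ban_window, ban_hits):
    """Return the time at which the IP is block-listed, or None if never."""
    rec = None    # anti-refresh record: [first_seen, count], same URI every time
    watch = None  # watch file: [start, hits, mtime]
    for t in times:
        # Stage 2 runs before the refresh counter, as in the PHP.
        if watch is not None:
            if t - watch[2] > IDLE_RESET or t - watch[0] > ban_window:
                watch = None          # watch file deleted, count forgotten
            elif watch[1] > ban_hits:
                return t              # IP appended to the block list
            else:
                watch[1] += 1
                watch[2] = t
        # Stage 3: anti-refresh counter.
        if rec is None or t - rec[0] >= ALLOW_TIME:
            rec = [t, 1]              # first request, or old record expired
        elif rec[1] < ALLOW_NUM:
            rec[1] += 1
        elif watch is None:
            watch = [t, 1, t]         # limit tripped: start watching this IP
    return None

if __name__ == "__main__":
    attacker = burst_pause(rate=4, on_s=120, off_s=300, cycles=3)
    print("120 s / 120 hits:", replay(attacker, 120, 120))
    print("600 s / 600 hits (assumed old threshold):", replay(attacker, 600, 600))
```

Because the watch file is dropped after 30 idle seconds, the hit threshold has to be reachable inside a single burst; the window length alone does not decide the outcome.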

