IP attack upgrade and Program Improvement to deal with new attacks

Source: Internet
Author: User

However, these attacks have suddenly become terrible in recent days, and 90% of the attacks cannot be blocked. Please refer to the daily statistics:
A total of 125008 times, 172 times faster than 15 seconds, only 9266 times.
These statistics are bad enough. Our website has been attacked as many as 0.12 million times a day. If we let it go, the impact on the website's network speed will be obvious. The attack is characterized by 3-5 different IP addresses attacking simultaneously, each at a speed of 3-5 times per second, so in total the attack reaches 9-25 times per second. The IP addresses change once every 1-6 hours, and the new addresses do not repeat the previous records. As a result, first, the website memory will suddenly be too large and the lights will be on; second, it brings great instability to the network. Some IP addresses have been blocked for a long time. I tried to unblock them all. When I unblocked them, several IP addresses attacked simultaneously, which may even overload the website for several minutes.
Now, why can't the new attacks be blocked? After research, I found that 90% of the IP addresses adopt a new attack scheme: the smart attack can take turns from 2 minutes to 5 minutes. Because my previous program parameter was set to a conservative solution of 600 s/period, I changed the parameter to a new solution of 120 s and 120 times, with an error kill rate of less than 0.5%. After log comparison, I can find that 120 million false positives in 120 seconds have never been tried, once every 120 seconds, there is only one freight page. Due to network problems, a customer refreshed the page one more time. This is the reason why our transaction background is not intelligent enough.
Finally, I would like to thank you for your comments. However, my program is just a reference, and it is not the best; adapt it to local conditions. It can only be said to be humanized. Now I am re-sending the program, having changed only the time parameter. The new parameter can capture 100% of those hacker IP addresses. I tried it for two days and captured 62 new IP addresses; most of them are still in Turkey.
Website Anti-IP attack code (Anti-IP attack code website) ver2.0:

<?php
/*
 * Website Anti-IP attack code (Anti-IP attack code website) 2010-11-20, Ver2.0
 * Mydalle.com Anti-refresh mechanic
 * Design by www.mydalle.com
 */

// Query the forbidden IP address list and stop at once if the client is on it
$ip = $_SERVER['REMOTE_ADDR'];
$fileht = ".htaccess2";
if (!file_exists($fileht)) file_put_contents($fileht, "");
$filehtarr = @file($fileht) ?: array();
if (in_array($ip . "\r\n", $filehtarr)) die("Warning:" . "<br>" . "Your IP address are forbided by Mydalle.com Anti-refresh mechanic, IF you have any question Pls emill to shop@mydalle.com!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");

// Add a prohibited IP address
// log/forbidchk.dat holds three lines: the IP, the time of its first strike, the strike count
$time = time();
$fileforbid = "log/forbidchk.dat";
if (file_exists($fileforbid)) {
    // No activity on the strike file for 30 seconds: forget it
    if ($time - filemtime($fileforbid) > 30) unlink($fileforbid);
    else {
        $fileforbidarr = @file($fileforbid);
        if ($ip == substr($fileforbidarr[0], 0, strlen($ip))) {
            // More than 120 seconds since the first strike: start over
            if ($time - (int) substr($fileforbidarr[1], 0, strlen((string) $time)) > 120) unlink($fileforbid);
            // More than 120 strikes inside the 120 seconds: add the IP to the ban list
            elseif ((int) $fileforbidarr[2] > 120) { file_put_contents($fileht, $ip . "\r\n", FILE_APPEND); unlink($fileforbid); }
            // Otherwise count one more strike
            else { $fileforbidarr[2] = (int) $fileforbidarr[2] + 1; file_put_contents($fileforbid, $fileforbidarr); }
        }
    }
}

// Anti-refresh
// Each line of log/ipdate.dat is md5(ip) (32 chars) + md5(uri) (32 chars) + timestamp (10 chars) + hit count
$str = "";
$file = "log/ipdate.dat";
if (!file_exists("log") && !is_dir("log")) mkdir("log", 0755); // the log directory does not need to be world-writable
if (!file_exists($file)) file_put_contents($file, "");
$allowTime = 60; // anti-refresh time window, in seconds
$allowNum = 5;   // number of requests for the same URI allowed inside the window
$uri = $_SERVER['REQUEST_URI'];
$checkip = md5($ip);
$checkuri = md5($uri);
$yesno = true;   // stays true when this IP has no live record yet
$ipdate = @file($file) ?: array();
foreach ($ipdate as $k => $v) {
    $iptem = substr($v, 0, 32);
    $uritem = substr($v, 32, 32);
    $timetem = (int) substr($v, 64, 10);
    $numtem = (int) substr($v, 74);
    // Records older than $allowTime are dropped simply by not copying them into $str
    if ($time - $timetem < $allowTime) {
        if ($iptem != $checkip) $str .= $v;
        else {
            $yesno = false;
            // Same IP, different URI: restart the counter for the new URI
            if ($uritem != $checkuri) $str .= $iptem . $checkuri . $time . "1\r\n";
            // Same IP and URI, still under the limit: count the hit
            elseif ($numtem < $allowNum) $str .= $iptem . $uritem . $timetem . ($numtem + 1) . "\r\n";
            else {
                // Over the limit: open a strike file if none exists, log the hit and refuse the request
                if (!file_exists($fileforbid)) { $addforbidarr = array($ip . "\r\n", time() . "\r\n", 1); file_put_contents($fileforbid, $addforbidarr); }
                file_put_contents("log/forbided_ip.log", $ip . "--" . date("Y-m-d H:i:s", time()) . "--" . $uri . "\r\n", FILE_APPEND);
                $timepass = $timetem + $allowTime - $time;
                die("Warning:" . "<br>" . "Pls don't refresh too frequently, and wait " . $timepass . " seconds to continue, IF not your IP address will be forbided automatically by Mydalle.com Anti-refresh mechanic!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
            }
        }
    }
}
if ($yesno) $str .= $checkip . $checkuri . $time . "1\r\n";
file_put_contents($file, $str);
?>
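
The script above keeps a single log/forbidchk.dat for all visitors and updates it without a lock, so when several addresses hit the site at once only one of them collects strikes at a time, and concurrent requests can overwrite each other's counts. The following is an added example, not the original author's code, of the same 120 s / 120 hits rule kept per address under an exclusive lock. record_strike(), its parameters and the strike_*.dat file names are hypothetical, and the addresses and timestamp in the demo are constructed.

```php
<?php
// Added example, not the original author's code. record_strike(), its parameters and
// the strike_*.dat files are hypothetical; 120 s / 120 hits are the page's thresholds.
function record_strike(string $dir, string $ip, int $now, int $window = 120, int $limit = 120): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                        // not an IP literal: ignore it
    }
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    $path = $dir . '/strike_' . md5($ip) . '.dat';   // one counter file per address
    $fh = fopen($path, 'c+');                // create if missing, never truncate on open
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    try {
        flock($fh, LOCK_EX);                 // serialize concurrent requests from this address
        $parts = explode(' ', trim((string) stream_get_contents($fh)));
        $first = (int) ($parts[0] ?? 0);
        $count = (int) ($parts[1] ?? 0);
        if ($count === 0 || $now - $first > $window) {
            $first = $now;                   // no window yet, or it expired: start a new one
            $count = 0;
        }
        $count++;
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, "$first $count");
        fflush($fh);
        return $count > $limit;              // true: caller appends $ip to the ban list
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Constructed demo: two documentation-range addresses strike in the same window.
// Each keeps its own counter; only the one that passes the limit is flagged.
$dir = sys_get_temp_dir() . '/strike_demo_' . getmypid();
$t0 = 1290211200;                            // constructed timestamp
$flagged = false;
for ($i = 0; $i < 121; $i++) {
    $flagged = record_strike($dir, '203.0.113.10', $t0 + intdiv($i, 2));
}
$other = record_strike($dir, '203.0.113.20', $t0 + 5);
var_dump($flagged, $other);
array_map('unlink', glob($dir . '/*'));      // remove the demo files
rmdir($dir);
```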
