PHP prevents cc attack code PHP from frequent page refreshes

This article mainly introduces PHP to prevent the CC attack code and PHP to prevent frequent web page refresh, Web page rapid malicious refresh, CC attack using Proxy server to generate a legitimate request to the target site, simulation multi-user constantly visit the victim site, interested in small partners can study

Web page Rapid malicious refresh, the CC attack is that the attacker uses proxy server to generate a legitimate request to the target site, simulation of multi-user access to the victim site, especially those who need a lot of data operations require a large amount of CPU time of the page, resulting in the target site server resources exhausted, until the crash, As a result, the server resources wasted, the CPU for a long time at 100%, always have to handle the connection until the network congestion, normal access is aborted. We call it a CC attack. Although we can use some anti-attack software to achieve, but the effect is sometimes not obvious.

Below I provide a section of PHP code, can play a certain anti-CC attack effect.
main function: in 3 seconds continuously refresh the page 5 times will point to the native http://127.0.0.1
Just place the code on a page that requires anti-CC attacks.
Source

<?PHP$TIMESTAMPCC = Time (), $cc _nowtime = $TIMESTAMPCC, if (session_is_registered (' Cc_lasttime ')) {$cc _lasttime = $_ session[' Cc_lasttime ']; $CC _times = $_session[' Cc_times ']+1; $_session[' cc_times '] = $CC _times;} else{$cc _lasttime = $cc _nowtime; $cc _times = 1; $_session[' cc_times '] = $cc _times; $_session[' cc_lasttime '] = $cc _lasttim e;} if (($cc _nowtime-$cc _lasttime) <3) {///3 seconds Refresh 5 times above possible cc attack if ($cc _times>=5) {echo ' Refresh too fast! '; exit;}} else{$cc _times = 0; $_session[' cc_lasttime ') = $cc _nowtime; $_session[' cc_times '] = $CC _times;}?>

Here's an effective way to organize your PHP anti-CC attacks:

1.session Records
submit.php to send a page, set a session variable on this page, And as a hidden domain and the table is sent to the submitdeal.php page, on the server side of the post on the hidden variables and server-side record of the session variables to compare, for example, write to the database and clear session, so that the user refresh the page, two values are not equal to prompt error or jump.
Advantage: No user input verification code
Cons: forms are easy to copy
2. Verification Code
Principle and the first, just the session data is not submitted as a hidden domain, but let users fill out, most of the sites are using text verification code and image verification code, image Verification code security is high.

3.IP Bindings
After the data is submitted, the client IP is retrieved from the IP table, and if there is no expiration, then the error is written to the database, then to the guest room IP, the IP is written to the database.
4.cookie: The customer submits the post-processing program first to retrieve whether the client has set a cookie, if so, does not repeat the submission, if not, write the data, and then write a cookie;
Cases:

User's meaningless frequent jump, request will add a lot of burden to the server in fact, cookies can prevent this.

<?php error_reporting (0); if ($_cookie["ck"]) die ("Refresh too fast!") "); if ($_cookie["CK"]) header ("location:http://www.baidu.com");//here if the user refreshes too fast, give the terminating PHP script or direct 302 jump Setcookie ("ck", "1", Time () +3);//Set Cookie to survive 3s echo "hello!"; ?>

Way One:

<?php  session_start ();  $k =$_get[' K '];  $t =$_get[' t '];  $allowTime = 1800;//anti-refresh time  $ip = Get_client_ip ();  $allowT = MD5 ($ip. $k. $t);  if (!isset ($_session[$allowT]))  {   $refresh = true;   $_session[$allowT] = time ();  } ElseIf (Time ()-$_session[$allowT]> $allowTime) {   $refresh = true;   $_session[$allowT] = time ();  } else{   $refresh = false;  }  ? >

Way two:

<? Session_Start (); if (!emptyempty ($_post[name])) {  $data = $_post[name];  $tag = $_post[tag];  if ($_session[status]== $tag) {  echo $data;  } else{  echo "not allowed to refresh!" ";  } } $v = Mt_rand (1,10000);?> <form method= "post" Name= "Magic" action= "f5.php" ><input type= "hidden" name= "tag" Value= "<?= $v?>" ><input type=text name= "name" ><input type= "Submit" value= "Submit" > </form > <? Echo $v; $_session[status] = $v;?>

Way three:

<? Session_Start (); if (!emptyempty ($_post[name])) {  $data = $_post[name];  $tag = $_post[tag];  if ($_session[status]== $tag) {  echo $data;  } else{  echo "not allowed to refresh!" ";  } } $v = Mt_rand (1,10000);?> <form method= "post" Name= "Magic" action= "f5.php" ><input type= "hidden" name= "tag" Value= "<?= $v?>" ><input type=text name= "name" ><input type= "Submit" value= "Submit" > </form > <? Echo $v; $_session[status] = $v;?>

The above is the PHP to prevent the various ways of the attack, I hope to help prevent the rapid malicious Web page refresh.