A method now spreading across the Internet is to use extra traffic for denial-of-service attacks. The attack needs only a file containing a few lines of code: when a user opens that file, it makes the user's browser, without the user's knowledge, visit the target dozens or even a hundred times. Once enough visitors have loaded the file, the load on the target becomes frightening. Moreover, because the sources of the attack are ordinary users, no firewall rule can be written against it, and the traffic cannot be told apart from normal visits. Still, for every spear there is a shield: such an attack is hard to sustain, and it is certainly not impossible to defend against. The following discusses defensive approaches.
1: Protect the database access rate with a parameter transform. For dynamic pages that use a database or other file resources, a parameter transform can be used: for example, our encrypt(id) function converts the ID into a string parameter, so the page address becomes news.asp?id=acehj, and the page decodes the string with decrypt(string) to recover the ID. It is then difficult for a client to forge a legitimate parameter for the page; during decoding the page uses a verification code to refuse illegitimate clients, so a malicious client never reaches the database. A little CPU time is sacrificed to protect database access. First look at a few examples and see whether you can guess the transform: 139<=>adkl, 110<=>abba, 80<=>hag, 11234567890<=>abdfhjlnprjs.
Did you see it? The code for encrypt and decrypt is as follows:
<%
' Encrypt: the digit at 1-based position x becomes chr(95 + x + digit);
' a checksum character chr(95 + (sum of digits) mod 26) is appended.
Function Encrypt(id)
  StrR=""
  Chk=0
  For x=1 to len(id)
    StrR=StrR & chr(95+x+cint(mid(id,x,1)))
    Chk=Chk+cint(mid(id,x,1))
  Next
  Chk=Chk mod 26
  StrR=StrR & chr(95+Chk)
  Encrypt=StrR
End Function

' Decrypt: undo the shift for every character except the last,
' recompute the checksum and compare it with the last character.
Function Decrypt(str)
  StrR=""
  Chk=0
  For x=1 to len(str)-1
    u=asc(mid(str,x,1))-x-95
    ' a value outside 0..9 can never have been produced by Encrypt
    If u<0 Or u>9 Then
      response.write "验证错误"
      response.end
    End If
    StrR=StrR & u
    Chk=Chk+u
  Next
  Chk=Chk mod 26
  If right(str,1)<>chr(95+Chk) Then
    response.write "验证错误"   ' "verification error"
    response.end
  End If
  Decrypt=StrR
End Function
%>
Calling Encrypt(1235) gives acehj. When decrypting "aceh?", only "?" = j yields the correct result 1235; any other character returns "验证错误" (verification error).
With this transformation in place, a client visiting news.asp?id=acehj cannot see that the real ID is 1235. A randomly generated ID cannot pass the verification step, so software cannot simulate multithreaded legitimate access, and the service is protected from database resource exhaustion caused by illegitimate access. In addition, under such protection SQL injection vulnerabilities are also well defended.
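As an added example (not the article's own code), here is a Python port of the same transform, so the scheme above can be exercised outside an ASP page. It reproduces the article's examples (139<=>adkl, 1235<=>acehj) and the verification step, and also rejects characters that could never have come from encrypt(); the function names and the VerificationError class are assumptions of this example.

```python
# Added example: Python port of the article's ASP Encrypt/Decrypt transform.
# Scheme: digit d at 1-based position x becomes chr(95 + x + d); a final
# checksum character chr(95 + (sum of digits) mod 26) is appended.


class VerificationError(ValueError):
    """Raised when an encoded parameter fails the shape or checksum check."""


def encrypt(id_value) -> str:
    """Encode a non-negative integer ID into the shifted-letter form."""
    digits = str(id_value)
    if not digits.isdigit():
        raise ValueError("id must be a non-negative integer")
    out = []
    chk = 0
    for x, ch in enumerate(digits, start=1):
        d = int(ch)
        out.append(chr(95 + x + d))   # position-dependent shift of the digit
        chk += d
    out.append(chr(95 + chk % 26))    # trailing checksum character
    return "".join(out)


def decrypt(token: str) -> str:
    """Recover the ID string from a token, or raise VerificationError."""
    if len(token) < 2:
        raise VerificationError("token too short")
    digits = []
    chk = 0
    for x, ch in enumerate(token[:-1], start=1):
        d = ord(ch) - x - 95
        # A value outside 0..9 cannot have been produced by encrypt(), so
        # reject it here instead of letting it pollute the checksum.
        if not 0 <= d <= 9:
            raise VerificationError("invalid character at position %d" % x)
        digits.append(str(d))
        chk += d
    if token[-1] != chr(95 + chk % 26):
        raise VerificationError("checksum mismatch")
    return "".join(digits)


def is_valid(token: str) -> bool:
    """True if the token decodes and its checksum matches."""
    try:
        decrypt(token)
        return True
    except VerificationError:
        return False


if __name__ == "__main__":
    # Constructed demonstration values from the article's own examples.
    for sample in (139, 110, 80, 11234567890, 1235):
        tok = encrypt(sample)
        print(sample, "<=>", tok, "->", decrypt(tok))
    # "Acehj" (capital A) and "aceha" (wrong checksum) are both rejected.
    print(is_valid("Acehj"), is_valid("aceha"))
```

Note that the final character is a sum-of-digits mod 26 checksum, not a keyed value: it catches careless or random tampering, which is the article's goal, but it does not depend on any server-side secret. Where the page must also be robust against a client who knows the scheme, a keyed MAC over the ID (for example HMAC with a secret held on the server) is the usual replacement for the checksum character.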