PHP code to defend against CC attacks and prevent frequent page refreshing

Source: Internet
Author: User
Tags: website, server
This article introduces PHP code for defending against CC attacks and for preventing frequent, rapid, malicious page refreshing. In a CC attack, the attacker uses proxy servers to generate legitimate requests directed at the target site, simulating many users accessing the affected website without stopping, especially pages that require a large amount of data operations and take a long time to serve. This eventually depletes the resources of the target website's server until it crashes. The CPU remains at 100% for a long time, and connections keep arriving until the network is congested and normal access is cut off. This is what we call a CC attack. Although some attack-protection software can be used, the effect is sometimes not obvious.

Below is a piece of PHP code that can defend against CC attacks.
Main function: if you refresh the page more than 5 times in 3 seconds, it will point to the local http://127.0.0.1
You only need to put the code on the page that requires anti-CC protection.
Source code:

<?php
session_start(); // the session must be started before $_SESSION is used

$timestampcc = time();
$cc_nowtime  = $timestampcc;

// session_is_registered() was removed in PHP 5.4; isset() is the replacement.
if (isset($_SESSION['cc_lasttime'])) {
    $cc_lasttime = $_SESSION['cc_lasttime'];
    $cc_times    = $_SESSION['cc_times'] + 1;
    $_SESSION['cc_times'] = $cc_times;
} else {
    $cc_lasttime = $cc_nowtime;
    $cc_times    = 1;
    $_SESSION['cc_times']    = $cc_times;
    $_SESSION['cc_lasttime'] = $cc_lasttime;
}

if (($cc_nowtime - $cc_lasttime) < 3) {
    // Refreshing 5 or more times within 3 seconds may be a CC attack.
    // The text above describes pointing to http://127.0.0.1; the code as
    // posted prints a message and stops instead.
    if ($cc_times >= 5) {
        echo 'refresh too fast!';
        exit;
    }
} else {
    // The 3-second window has passed: start a new window.
    $cc_times = 0;
    $_SESSION['cc_lasttime'] = $cc_nowtime;
    $_SESSION['cc_times']    = $cc_times;
}
?>

The following are effective PHP anti-CC solutions:

1. Session record
The submitting page, submit.php, sets a session variable and sends it to submitdeal.php together with the form as a hidden field. On the submitdeal.php page, the server compares the hidden variable in the POST with the session variable recorded on the server. If they are the same, the data is written to the database and the session is cleared. This way, when the user refreshes the page, the two values are no longer equal and an error or a redirect is returned.
Advantages: the user does not need to enter a verification code.
Disadvantages: the form is easy to copy.

2. Verification code
The principle is the same as the first method, except that the session data is not submitted as a hidden field but is given to the user to enter. Most websites use text verification codes and image verification codes, which are highly secure.

3. IP binding
After the data is submitted, the client IP address is looked up in the IP address table. If the IP address is there and has not expired, an error is returned. Otherwise, the data is written to the database, and the client IP address is then obtained and written to the database.

4. Cookie
When the client submits, the handler first checks whether the client has the cookie set. If so, the submission is a repeat and is not processed again. If not, it writes the data and then writes a cookie.

Example:

Meaningless, frequent redirects and requests from a user put a heavy burden on the server. Using cookies can prevent this.

<?php
error_reporting(0);

// Alternative: if (!empty($_COOKIE["ck"])) die("refreshing too fast!");
// If the user refreshes too fast, terminate the PHP script or send a 302 redirect.
if (!empty($_COOKIE["ck"])) {
    header("Location: http://www.baidu.com");
    exit; // stop here so the cookie is not renewed and nothing else is sent
}

setcookie("ck", "1", time() + 3); // set the cookie lifetime to 3 s
echo "hello!";
?>
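Solution 3 (IP binding) is described above without code. The following is an added example, not code from the original article, of that lookup-then-write check kept entirely on the server, so it does not depend on the client returning a session or cookie; PDO with SQLite, the table name ip_lock, its columns, the database path and the 3-second window are all assumptions.

```php
<?php
// Added example, not from the original article: solution 3, "IP binding".
// Table/column names, the SQLite file and the 3 s window are assumptions.

function open_ip_table(string $path): PDO
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS ip_lock (
                   ip         TEXT PRIMARY KEY,
                   expires_at INTEGER NOT NULL)');
    return $db;
}

// True if the request may proceed; false if this IP's entry has not expired.
function ip_may_submit(PDO $db, string $ip, int $window, int $now): bool
{
    $db->exec('BEGIN IMMEDIATE'); // take the write lock so check + write is atomic
    try {
        $sel = $db->prepare('SELECT expires_at FROM ip_lock WHERE ip = ?');
        $sel->execute([$ip]);
        $expires = $sel->fetchColumn();
        if ($expires !== false && (int) $expires > $now) {
            $db->exec('ROLLBACK');
            return false;
        }
        // No entry, or it has expired: write the IP with a fresh expiry.
        $db->prepare('REPLACE INTO ip_lock (ip, expires_at) VALUES (?, ?)')
           ->execute([$ip, $now + $window]);
        // Purge stale rows so the table does not grow without bound.
        $db->prepare('DELETE FROM ip_lock WHERE expires_at <= ?')->execute([$now]);
        $db->exec('COMMIT');
        return true;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

// REMOTE_ADDR is the TCP peer; headers such as X-Forwarded-For are client-supplied.
$ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7'; // constructed fallback for CLI runs
$db = open_ip_table(sys_get_temp_dir() . '/ip_lock.sqlite');
if (!ip_may_submit($db, $ip, 3, time())) {
    http_response_code(429);
    header('Retry-After: 3');
    exit('refresh too fast!');
}
echo 'data accepted';
```

Clients behind the same NAT or proxy share one address, so keep the window short enough that legitimate users are not locked out together.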

Method 1:

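<?php
session_start();

// get_client_ip() is not a PHP built-in and the page does not define it;
// this stand-in returns the address of the connecting peer.
if (!function_exists('get_client_ip')) {
    function get_client_ip()
    {
        return $_SERVER['REMOTE_ADDR'] ?? '';
    }
}

$k = $_GET['k'] ?? '';
$t = $_GET['t'] ?? '';
$allowTime = 1800; // anti-refresh time, in seconds
$ip = get_client_ip();
$allowT = md5($ip . $k . $t); // session key for this IP and parameter pair

if (!isset($_SESSION[$allowT])) {
    // First request for this key.
    $refresh = true;
    $_SESSION[$allowT] = time();
} elseif (time() - $_SESSION[$allowT] > $allowTime) {
    // The anti-refresh time has passed.
    $refresh = true;
    $_SESSION[$allowT] = time();
} else {
    // Repeated request inside the anti-refresh time.
    $refresh = false;
}
?>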

Method 2:

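<?php
session_start();

if (!empty($_POST['name'])) {
    $data = $_POST['name'];
    $tag  = $_POST['tag'] ?? '';
    // Accept the submission only if the posted tag matches the one stored
    // in the session when the form was rendered.
    if (isset($_SESSION['status']) && hash_equals((string) $_SESSION['status'], (string) $tag)) {
        echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8'); // escape user input before output
    } else {
        echo "refresh is not allowed!";
    }
}

// New tag for every page load, so a refreshed (re-sent) POST carries a stale tag.
// random_bytes() is used rather than the original mt_rand(), whose output is predictable.
$v = bin2hex(random_bytes(16));
$_SESSION['status'] = $v;
?>
<!-- The form markup is missing from the page as captured; this minimal form is a
     reconstruction that uses the two field names the PHP above reads (name, tag). -->
<form method="post">
  <input type="hidden" name="tag" value="<?php echo $v; ?>">
  <input type="text" name="name">
  <input type="submit" value="submit">
</form>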

The above are several PHP methods for defending against CC attacks. Hopefully they help you prevent rapid, malicious refreshing of web pages.
