In my previous article "the recently developed website anti-IP attack code, super useful", I wrote a complete solution to prevent malicious IP attacks on the network. It worked well for a month.
However, the attacks have suddenly become much worse in recent days, and 90% of them cannot be blocked. See the daily statistics:
A total of 125008 times, 172 times faster than 15 seconds, only 9266 times.
These statistics are bad enough: our website was attacked as many as 0.12 million times a day. If we let this go, the impact on the website's network speed will be obvious. The attack is characterized by 3-5 different IP addresses attacking simultaneously, each at 3-5 times per second, for a total of 9-25 times per second. The IP addresses change once every 1-6 hours, and the new addresses do not repeat earlier records. As a result, first, the website's memory usage suddenly becomes too large and the warning lights come on; second, the network becomes very unstable. Some IP addresses had been blocked for a long time, so I tried unblocking them all. When I did, several IP addresses attacked simultaneously, which could even overload the website for several minutes.
So why can't the new attacks be blocked? After some research, I found that 90% of the IP addresses use a new attack scheme: the attackers take turns, each attacking for 2 to 5 minutes. My previous program parameter was set to a conservative 600 s per period, so I changed it to a new setting of 120 s and 120 times, with a false-block rate of less than 0.5%. Comparing the logs, the rule of blocking at 120 hits in 120 seconds has hardly ever caught a legitimate visitor; the only case was a single freight page where, due to network problems, a customer refreshed the page again. That happened because our transaction back end is not intelligent enough.
Finally, thank you for your comments. My website's setup is only a reference, however: it is not the best for every site, and it should be adapted to local conditions. At most it can be called user-friendly. I am now posting the program again with only the time parameter changed. The new parameter captures 100% of those attacking IP addresses. I ran it for two days and captured 62 new IP addresses, most of them still in Turkey.
Website Anti-IP attack code (Anti-IP attack code website) ver2.0:
The code is as follows:
<?php
/*
 * Website Anti-IP attack code (Anti-IP attack code website) 2010-11-20, Ver2.0
 * Mydalle.com Anti-refresh mechanic
 * Design
 */
// Query the forbidden IP address
$ip = $_SERVER['REMOTE_ADDR'];
$fileht = ".htaccess2"; // ban list, one IP address per line
if (!file_exists($fileht)) file_put_contents($fileht, "");
$filehtarr = @file($fileht) ?: array();
if (in_array($ip . "\r\n", $filehtarr)) die("Warning:" . "<br>" . "Your IP address are forbided by Mydalle.com Anti-refresh mechanic, IF you have any question Pls emill to shop@mydalle.com!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
// Add a prohibited IP address
$time = time();
$fileforbid = "log/forbidchk.dat"; // strike record: IP, time of first strike, strike count
if (file_exists($fileforbid)) {
    if ($time - filemtime($fileforbid) > 30) unlink($fileforbid); // record not touched for 30 s: drop it
    else {
        $fileforbidarr = @file($fileforbid);
        // Compare the whole address, so that 1.2.3.4 does not match a record for 1.2.3.45
        if ($ip === rtrim($fileforbidarr[0])) {
            if ($time - (int) $fileforbidarr[1] > 120) unlink($fileforbid); // 120 s period is over
            elseif ((int) $fileforbidarr[2] > 120) { // more than 120 strikes within the period: ban
                file_put_contents($fileht, $ip . "\r\n", FILE_APPEND);
                unlink($fileforbid);
            }
            else {
                $fileforbidarr[2] = (int) $fileforbidarr[2] + 1;
                file_put_contents($fileforbid, $fileforbidarr);
            }
        }
    }
}
// Anti-refresh
$str = "";
$file = "log/ipdate.dat"; // one line per visitor: md5(ip) . md5(uri) . timestamp . count
if (!file_exists("log") && !is_dir("log")) mkdir("log", 0777); // 0777 is world-writable
if (!file_exists($file)) file_put_contents($file, "");
$allowTime = 60; // anti-refresh time
$allowNum = 5; // number of anti-refresh attempts
$uri = $_SERVER['REQUEST_URI'];
$checkip = md5($ip);
$checkuri = md5($uri);
$yesno = true;
$ipdate = @file($file) ?: array();
foreach ($ipdate as $k => $v) {
    $iptem = substr($v, 0, 32);
    $uritem = substr($v, 32, 32);
    $timetem = (int) substr($v, 64, 10);
    $numtem = (int) substr($v, 74);
    if ($time - $timetem < $allowTime) { // records older than $allowTime are dropped
        if ($iptem != $checkip) $str .= $v;
        else {
            $yesno = false;
            if ($uritem != $checkuri) $str .= $iptem . $checkuri . $time . "1\r\n";
            elseif ($numtem < $allowNum) $str .= $iptem . $uritem . $timetem . ($numtem + 1) . "\r\n";
            else {
                // Limit reached: start a strike record if none exists, log the hit and stop
                if (!file_exists($fileforbid)) {
                    $addforbidarr = array($ip . "\r\n", time() . "\r\n", 1);
                    file_put_contents($fileforbid, $addforbidarr);
                }
                file_put_contents("log/forbided_ip.log", $ip . "--" . date("Y-m-d H:i:s", time()) . "--" . $uri . "\r\n", FILE_APPEND);
                $timepass = $timetem + $allowTime - $time;
                die("Warning:" . "<br>" . "Pls don't refresh too frequently, and wait for " . $timepass . " seconds to continue, IF not your IP address will be forbided automatic by Mydalle.com Anti-refresh mechanic!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
            }
        }
    }
}
if ($yesno) $str .= $checkip . $checkuri . $time . "1\r\n";
file_put_contents($file, $str);
?>
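The script above rewrites shared state files on every request without a lock, and log/forbidchk.dat holds a strike record for only one IP address at a time, while the attack described comes from 3-5 addresses at once. The following added example, which is not the author's code, applies the same rule of 120 hits in 120 seconds with one locked counter file per address. The name record_hit, the file layout, the sample addresses and the timestamp are assumptions made for illustration.

```php
<?php
// Added example (not the author's code). record_hit(), the one-file-per-IP
// layout and the "start count" file format are assumptions of this sketch.
function record_hit(string $dir, string $ip, int $now, int $window = 120, int $limit = 120): bool
{
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    // One state file per client, so simultaneous attackers never share a counter.
    $path = $dir . '/' . hash('sha256', $ip) . '.cnt';
    $fh = fopen($path, 'c+');            // create if missing, never truncate
    if ($fh === false) {
        return false;                    // storage error: do not block the visitor
    }
    flock($fh, LOCK_EX);                 // serialise concurrent requests from this IP
    $parts = explode(' ', trim((string) stream_get_contents($fh)));
    $start = (int) ($parts[0] ?? 0);
    $count = (int) ($parts[1] ?? 0);
    if ($now - $start >= $window) {      // window expired or new file: start over
        $start = $now;
        $count = 0;
    }
    $count++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, $start . ' ' . $count);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $count > $limit;              // true once the limit is exceeded in one window
}

// Constructed demo: 100 seconds of traffic from two documentation-range addresses.
$dir = sys_get_temp_dir() . '/ratelimit_demo_' . getmypid();
$t0 = 1290211200;                        // constructed timestamp
$fastBanned = $slowBanned = false;
for ($i = 0; $i < 400; $i++) {
    $now = $t0 + intdiv($i, 4);
    $fastBanned = record_hit($dir, '192.0.2.10', $now) || $fastBanned;   // 4 requests/s
    if ($i % 40 === 0) {
        $slowBanned = record_hit($dir, '192.0.2.20', $now) || $slowBanned; // 1 per 10 s
    }
}
var_dump($fastBanned, $slowBanned);
array_map('unlink', glob($dir . '/*.cnt'));
rmdir($dir);
```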