PHP attack protection code upgraded

Source: Internet
Author: User
In my previous article, "The recently developed website anti-IP attack code, super useful", I wrote a complete solution to prevent malicious IP attacks on the network. It worked well for a month. However, these attacks have suddenly become terrible in recent days, and 90% of the attacks cannot be blocked. Please refer to the daily statistics:
A total of 125008 times, 172 times faster than 15 seconds, only 9266 times.

These statistics are bad enough. Our website has been attacked as many as 0.12 million times a day. If we let it go, the impact on the website's network speed will be obvious. This attack is characterized by 3-5 different IP addresses attacking simultaneously, each at a speed of 3-5 times per second. In total, the attack reaches 9-25 times per second. The IP addresses change once every 1-6 hours, and the new IP addresses do not repeat the previous records. First, the website memory will suddenly be too large and the lights will be on; second, it brings great instability to the network. Some IP addresses have been blocked for a long time. I tried to unblock them all; when I unblocked them, several IP addresses attacked simultaneously, which may even overload the website for several minutes.

Now, why can't the new attacks be blocked? After research, I found that 90% of the IP addresses adopt a new attack scheme: the smart attack can take turns from 2 minutes to 5 minutes. Because my previous program parameter was set to a conservative solution of 600 s/period, I changed the parameter to a new solution of 120 s and 120 times, with an error kill rate of less than 0.5%. After log comparison, I can find that 120 million false positives in 120 seconds have never been tried, once every 120 seconds, there is only one freight page. Due to network problems, a customer refreshed the page one more time. This is the reason why our transaction background is not intelligent enough.

Finally, I would like to thank you for your comments. However, my program is just a reference, and it is not the best to adapt to local conditions. It can only be said to be humanized. Now I re-send the program, with only the time parameter changed. The new parameter can capture those hacker IP addresses by 100%. I tried it for two days and captured 62 new IP addresses; most of them are still in Turkey.

Website Anti-IP attack code (Anti-IP attack code website) ver2.0:
The code is as follows:
<?php
/*
* Website Anti-IP attack code (Anti-IP attack code website) 2010-11-20, Ver2.0
* Mydalle.com Anti-refresh mechanic
* Design by www.mydalle.com
*/
// Query the forbidden IP address
$ip = $_SERVER['REMOTE_ADDR'];
$fileht = ".htaccess2"; // one banned IP per line
if (!file_exists($fileht)) file_put_contents($fileht, "");
$filehtarr = @file($fileht);
if (in_array($ip . "\r\n", $filehtarr)) die("Warning:" . "<br>" . "Your IP address are forbided by Mydalle.com Anti-refresh mechanic, IF you have any question Pls emill to shop@mydalle.com!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");

// Add a prohibited IP address
$time = time();
$fileforbid = "log/forbidchk.dat"; // line 0: IP, line 1: first strike time, line 2: strike count

if (file_exists($fileforbid))
{
    // No strike for more than 30 seconds: drop the candidate
    if ($time - filemtime($fileforbid) > 30) unlink($fileforbid);
    else {
        $fileforbidarr = @file($fileforbid);
        if ($ip == substr($fileforbidarr[0], 0, strlen($ip)))
        {
            // Candidate is older than 120 seconds: start over
            if ($time - substr($fileforbidarr[1], 0, strlen($time)) > 120) unlink($fileforbid);
            // More than 120 strikes within 120 seconds: ban the IP
            elseif ($fileforbidarr[2] > 120) { file_put_contents($fileht, $ip . "\r\n", FILE_APPEND); unlink($fileforbid); }
            else { $fileforbidarr[2]++; file_put_contents($fileforbid, $fileforbidarr); }
        }
    }
}

// Anti-refresh
$str = "";
$file = "log/ipdate.dat"; // record layout: md5(ip) . md5(uri) . time . count
if (!file_exists("log") && !is_dir("log")) mkdir("log", 0777);
if (!file_exists($file)) file_put_contents($file, "");
$allowTime = 60; // Anti-refresh time
$allowNum = 5; // number of anti-refresh attempts
$uri = $_SERVER['REQUEST_URI'];
$checkip = md5($ip);
$checkuri = md5($uri);
$yesno = true;
$ipdate = @file($file);
foreach ($ipdate as $k => $v)
{
    $iptem = substr($v, 0, 32);
    $uritem = substr($v, 32, 32);
    $timetem = (int) substr($v, 64, 10);
    $numtem = (int) substr($v, 74);
    // Records older than $allowTime are dropped by not copying them to $str
    if ($time - $timetem < $allowTime) {
        if ($iptem != $checkip) $str .= $v;
        else {
            $yesno = false;
            if ($uritem != $checkuri) $str .= $iptem . $checkuri . $time . "1\r\n";
            elseif ($numtem < $allowNum) $str .= $iptem . $uritem . $timetem . ($numtem + 1) . "\r\n";
            else
            {
                if (!file_exists($fileforbid)) { $addforbidarr = array($ip . "\r\n", time() . "\r\n", 1); file_put_contents($fileforbid, $addforbidarr); }
                file_put_contents("log/forbided_ip.log", $ip . "--" . date("Y-m-d H:i:s", time()) . "--" . $uri . "\r\n", FILE_APPEND);
                $timepass = $timetem + $allowTime - $time;
                die("Warning:" . "<br>" . "Pls don't refresh too frequently, and wait for " . $timepass . " seconds to continue, IF not your IP address will be forbided automatic by Mydalle.com Anti-refresh mechanic!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
            }
        }
    }
}
if ($yesno) $str .= $checkip . $checkuri . $time . "1\r\n";
file_put_contents($file, $str);
?>
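
The code above reads log/ipdate.dat and rewrites it without a lock, so at the request rates described earlier two concurrent requests can overwrite each other's counts. The following is an added example, not part of the original program: it keeps the same 60-second / 5-hit rule but does the read-modify-write under an exclusive lock. The function name hit_allowed(), the JSON file layout, the per-IP-and-URI key and the sample address are assumptions made for this example; it needs PHP 7.4 or later.

```php
<?php
// Added example: the article's anti-refresh rule with a locked counter file.
// hit_allowed() and the JSON layout are hypothetical, chosen for this sketch.
function hit_allowed(string $file, string $ip, string $uri, int $now,
                     int $allowTime = 60, int $allowNum = 5): bool
{
    $fh = fopen($file, 'c+');            // create if missing, do not truncate
    if ($fh === false) return true;      // design choice: fail open on I/O error
    flock($fh, LOCK_EX);                 // serialise concurrent requests
    $hits = json_decode(stream_get_contents($fh) ?: '[]', true) ?: [];

    // Drop records whose window has expired (array keys are preserved).
    $hits = array_filter($hits, fn($r) => $now - $r['t'] < $allowTime);

    $key = md5($ip) . md5($uri);         // same hashes the article stores
    if (!isset($hits[$key])) $hits[$key] = ['t' => $now, 'n' => 0];
    $hits[$key]['n']++;
    $allowed = $hits[$key]['n'] <= $allowNum;

    // Rewrite the file while still holding the lock.
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($hits));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Constructed demo input: 7 requests in 7 seconds from a documentation
// address (203.0.113.7), then one more after the 60-second window.
$file = tempnam(sys_get_temp_dir(), 'hits');
$results = [];
for ($i = 0; $i < 7; $i++) {
    $results[] = hit_allowed($file, '203.0.113.7', '/cart.php', 1000 + $i);
}
$results[] = hit_allowed($file, '203.0.113.7', '/cart.php', 1000 + 61);
unlink($file);
var_dump($results);
```

As in the original, the window is measured from the first hit of a record; unlike the original, a request for a different URI does not reset the record for the previous one.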
