Php attack protection code upgraded

In my previous article "The recently developed website anti-IP attack code, super useful", I wrote a complete solution to prevent malicious IP attacks on the network. it worked well for a month. However, these attacks have suddenly become terrible in recent days, and 90% of the attacks cannot be blocked. please refer to the daily statistics:

IP attack and start time	Number of attacks	Location	Remarks
125.165.1.42 -- 02:02:19 --/	10	Indonesia
125.165.26.186 -- 16:56:45 --/	1846	Indonesia
151.51.238.254 -- 09:32:40 --/	4581	Italy
151.76.40.182 -- 11:58:37 --/	4763	ROME, Italy
186.28.125.37 -- 11:19:22 --/	170	Columbia
186.28.131.122 -- 11:28:43 --/	22	Columbia
186.28.25.130 -- 11:30:20 --/	1530	Columbia
188.3.1.108 -- 2010-11-19 02:48:28 --/	1699	Turkey
188.3.1.18 -- 2010-11-19 06:46:01 --/	1358	Turkey
188.3.34.226 -- 17:07:02 --/	1672	Turkey
12:26:38 --/	2038	Columbia
14:20:10 --/	9169	Columbia
14:00:44 --/	680	Columbia
13:33:11 --/	510	Columbia
13:53:48 --/	340	Columbia
12:16:02 --/	340	Columbia
11:25:55 --/	170	Columbia
11:24:56 --/	147	Columbia
10:13:56 --/	2031	Columbia
13:50:05 --/	170	Columbia
201.245.218.155 -- 13:30:30 --/	21	Columbia
212.156.185.122 -- 08:40:36 --/	16158	Turkey
78.160.106.60 -- 03:31:12 --/	340	Turkey
78.162.67.77 -- 04:26:24 --/	3595	Turkey	The program has been caught
78.175.64.173 -- 02:00:08 --/	2877	Turkey
78.176.178.76 -- 06:12:05 --/	2370	Turkey
78.177.2.86 -- 13:24:29 --/	196	Turkey
78.181.76.51 -- 16:04:29 --/	600	Turkey
78.184.145.63 -- 14:30:12 --/	2542	Turkey
78.185.168.24 -- 09:02:52 --/	3877	Turkey
78.190.79.225 -- 13:25:22 --/	3300	Turkey
78.190.84.230 -- 06:51:33 --/	2719	Turkey
78.191.149.47 -- 08:34:34 --/	8783	Turkey
78.191.233.108 -- 05:10:48 --/	340	Turkey
78.191.94.126 -- 04:34:26 --/	3091	Turkey
85.104.231.74 -- 08:03:53 --/	3500	Turkey
85.104.49.60 -- 04:47:12 --/	1037	Turkey
85.106.123.116 -- 13:35:45 --/	68	Turkey
88.224.000096 -- 07:18:59 --/	3903	Turkey
88.228.138.65 -- 02:12:31 --/	396	Turkey
88.228.66.5 -- 10:44:26 --/	2797	Turkey
88.229.12.40 -- 06:57:46 --/	6792	Turkey
88.234.193.11 -- 08:25:42 --/	5895	Turkey
88.236.78.79 -- 15:01:54 --/	170	Turkey
88.238.26.12 -- 05:21:46 --/	473	Turkey
88.238.26.154 -- 05:31:58 --/	1683	Turkey
88.242.124.128 -- 06:53:56 --/	8401	Turkey
88.242.65.61 -- 08:38:41 --/	1204	Turkey	The program has been caught
94.122.2.16157 -- 09:53:39 --/	1917	Turkey, USA	The program has been caught
94.54.37.54 -- 02:44:07 --/	1096	Turkey, USA	The program has been caught
95.14.1.97 -- 08:30:10 --/	167	Turkey, USA
95.15.248.177 -- 11:14:54 --/	1454	Turkey, USA	The program has been caught
A total of 125008 times, 172 times faster than 15 seconds, only 9266 times.

This table is bad enough. Our website has been attacked for as many as 0.12 million times a day. if we let it go, the network speed impact on the website will be obvious, this attack is characterized by 3-5 different IP addresses simultaneously attacking at a speed of 3-5 times per second during each attack. In total, the attack reaches 9-25 times per second, change the IP address once every 1-6 hours, and the IP address and the previous record are not repeated. In this way, the website memory will suddenly be too large and the lights will be on; the second is to bring great instability to the network. Some IP addresses have been blocked for a long time. I tried to unseal them all. when I unseal them, several IP addresses are simultaneously attacked, which may even overload the website for several minutes.

Now, why can't New attacks be blocked? After research, I found that the 90% IP addresses adopt a new attack scheme: the smart attack can take turns from 2 minutes to 5 minutes, because my previous program parameter was set to a conservative solution of 600 s/period, I changed the parameter to a new solution of 120 s and 120 times, with an error kill rate of less than 0.5%, after log comparison, I can find that 120 million false positives in 120 seconds have never been tried, once every 120 seconds, there is only one freight page. due to network problems, a customer refresh the page one more time. This is the reason why our transaction background is not intelligent enough.

Finally, I would like to thank you for your comments. However, my program is just a reference, and it is not the best to adapt to local conditions. it can only be said to be humanized. Now I re-send the program, and only changed the time parameter. the new parameter can capture those hacker IP addresses by 100%. I tried it for two days and captured 62 new IP addresses, most of them are still in Turkey.

Website Anti-IP attack code (Anti-IP attack code website) ver2.0:
The code is as follows:
/*
* Website Anti-IP attack code (Anti-IP attack code website) 2010-11-20, Ver2.0
* Mydalle.com Anti-refresh mechanic
* Design by www.mydalle.com
*/
// Query the forbidden IP address
$ Ip = $ _ SERVER ['remote _ ADDR '];
$ Fileht = ". htaccess2 ";
If (! File_exists ($ fileht) file_put_contents ($ fileht ,"");
$ Filehtarr = @ file ($ fileht );
If (in_array ($ ip. "\ r \ n", $ filehtarr) die ("Warning :"."
"." Your IP address are forbided by Mydalle.com Anti-refresh mechanic, IF you have any question Pls emill to shop@mydalle.com!
(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve .) ");


// Add a prohibited IP address
$ Time = time ();
$ Fileforbid = "log/forbidchk. dat ";

If (file_exists ($ fileforbid ))
{If ($ time-filemtime ($ fileforbid)> 30) unlink ($ fileforbid );
Else {
$ Fileforbidarr = @ file ($ fileforbid );
If ($ ip = substr ($ fileforbidarr [0], 0, strlen ($ ip )))
{
If ($ time-substr ($ fileforbidarr [1], 0, strlen ($ time)> 120) unlink ($ fileforbid );
Elseif ($ fileforbidarr [2]> 120) {file_put_contents ($ fileht, $ ip. "\ r \ n", FILE_APPEND); unlink ($ fileforbid );}
Else {$ fileforbidarr [2] ++; file_put_contents ($ fileforbid, $ fileforbidarr );}
}
}
}

// Anti-refresh
$ Str = "";
$ File = "log/ipdate. dat ";
If (! File_exists ("log ")&&! Is_dir ("log") mkdir ("log", 0777 );
If (! File_exists ($ file) file_put_contents ($ file ,"");
$ AllowTime = 60; // Anti-refresh time
$ AllowNum = 5; // number of anti-refresh attempts
$ Uri = $ _ SERVER ['request _ URI '];
$ Checkip = md5 ($ ip );
$ Checkuri = md5 ($ uri );
$ Yesno = true;
$ Ipdate = @ file ($ file );
Foreach ($ ipdate as $ k => $ v)
{$ Iptem = substr ($ v, 0, 32 );
$ Uritem = substr ($ v, 32, 32 );
$ Timetem = substr ($ v, 64, 10 );
$ Numtem = substr ($ v, 74 );
If ($ time-$ timetem <$ allowTime ){
If ($ iptem! = $ Checkip) $ str. = $ v;
Else {
$ Yesno = false;
If ($ uritem! = $ Checkuri) $ str. = $ iptem. $ checkuri. $ time. "1 \ r \ n ";
Elseif ($ numtem <$ allowNum) $ str. = $ iptem. $ uritem. $ timetem. ($ numtem + 1). "\ r \ n ";
Else
{
If (! File_exists ($ fileforbid) {$ addforbidarr = array ($ ip. "\ r \ n", time (). "\ r \ n", 1); file_put_contents ($ fileforbid, $ addforbidarr );}
File_put_contents ("log/forbided_ip.log", $ ip. "--". date ("Y-m-d H: I: s", time ()). "--". $ uri. "\ r \ n", FILE_APPEND );
$ Timepass = $ timetem + $ allowTime-$ time;
Die ("Warning :"."
"." Pls don't refresh too frequently, and wait for ". $ timepass." seconds to continue, IF not your IP address will be forbided automatic by Mydalle.com Anti-refresh mechanic!
(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve .) ");
}
}
}
}
If ($ yesno) $ str. = $ checkip. $ checkuri. $ time. "1 \ r \ n ";
File_put_contents ($ file, $ str );
?>