PHP Attack Protection Code Upgraded

Source: Internet
Author: User
In my previous article "the recently developed website anti-IP attack code, super useful", I wrote a complete solution to prevent malicious IP attacks on the network. It worked well for a month.

However, these attacks have suddenly become terrible in recent days, and 90% of the attacks cannot be blocked. Please refer to the daily statistics:

A total of 125008 times, 172 times faster than 15 seconds, only 9266 times.

These statistics are bad enough. Our website has been attacked as many as 0.12 million times a day, and if we let it go, the impact on the website's network speed will be obvious. The attack is characterized by 3-5 different IP addresses attacking simultaneously, each at a rate of 3-5 requests per second, so in total the attack reaches 9-25 requests per second. The IP addresses change once every 1-6 hours, and the new addresses do not repeat previously recorded ones. The first consequence is that the website's memory usage suddenly becomes too large and the warning lights come on; the second is that it brings great instability to the network. Some IP addresses have been blocked for a long time. I tried to unblock them all, and once they were unblocked, several IP addresses attacked simultaneously, which can even overload the website for several minutes.

Now, why can't the new attacks be blocked? After research, I found that 90% of the IP addresses adopt a new attack scheme: the smart attackers take turns, each for 2 to 5 minutes. My previous program parameter was set to a conservative 600 s per period, so I changed the parameters to a new setting of 120 s and 120 times, with a false-block rate of less than 0.5%. After log comparison, I can find out that 120 kill in 120 seconds has never been tried, once every 120 seconds, there is only one freight page. Due to network problems, a customer refreshed the page one more time. This is the reason why our transaction background is not intelligent enough.

Finally, I would like to thank you for your comments. However, my website space is just a reference, and it is not the best to adapt to local conditions. It can only be said to be humanized. Now I am re-posting the program with only the time parameter changed. The new parameter captures those hacker IP addresses 100% of the time. I tried it for two days and captured 62 new IP addresses, most of them still in Turkey.

Website Anti-IP attack code (Anti-IP attack code website) ver2.0:

The code is as follows:

<?php
/*
 * Website Anti-IP attack code (Anti-IP attack code website) 2010-11-20, Ver2.0
 * Mydalle.com Anti-refresh mechanic
 * Design
 */

// Query the forbidden IP address list (one banned address per line)
$ip = $_SERVER['REMOTE_ADDR'];
$fileht = ".htaccess2";
if (!file_exists($fileht)) file_put_contents($fileht, "");
$filehtarr = @file($fileht);
if (in_array($ip . "\r\n", $filehtarr)) die("Warning:" . "<br>" . "Your IP address are forbided by Mydalle.com Anti-refresh mechanic, IF you have any question Pls emill to shop@mydalle.com!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");

// Add a prohibited IP address
// forbidchk.dat holds three lines: suspect IP, time of first violation, hit count
$time = time();
$fileforbid = "log/forbidchk.dat";

if (file_exists($fileforbid)) {
    if ($time - filemtime($fileforbid) > 30) {
        // No hit from the suspect for 30 s: drop the record
        unlink($fileforbid);
    } else {
        $fileforbidarr = @file($fileforbid);
        if ($ip == substr($fileforbidarr[0], 0, strlen($ip))) {
            if ($time - (int) substr($fileforbidarr[1], 0, strlen((string) $time)) > 120) {
                // The 120 s period is over: start again
                unlink($fileforbid);
            } elseif ($fileforbidarr[2] > 120) {
                // More than 120 hits inside the period: ban the address
                file_put_contents($fileht, $ip . "\r\n", FILE_APPEND);
                unlink($fileforbid);
            } else {
                $fileforbidarr[2] = (int) $fileforbidarr[2] + 1;
                file_put_contents($fileforbid, $fileforbidarr);
            }
        }
    }
}

// Anti-refresh
// Each ipdate.dat line: md5(ip) (32 chars) + md5(uri) (32) + timestamp (10) + count
$str = "";
$file = "log/ipdate.dat";
if (!file_exists("log") && !is_dir("log")) mkdir("log", 0777);
if (!file_exists($file)) file_put_contents($file, "");
$allowTime = 60; // anti-refresh time window, in seconds
$allowNum = 5;   // number of refreshes allowed within the window
$uri = $_SERVER['REQUEST_URI'];
$checkip = md5($ip);
$checkuri = md5($uri);
$yesno = true;   // stays true when this IP has no live record yet
$ipdate = @file($file);
foreach ($ipdate as $k => $v) {
    $iptem = substr($v, 0, 32);
    $uritem = substr($v, 32, 32);
    $timetem = (int) substr($v, 64, 10);
    $numtem = (int) substr($v, 74);
    // Records older than $allowTime are dropped by not copying them to $str
    if ($time - $timetem < $allowTime) {
        if ($iptem != $checkip) {
            $str .= $v;
        } else {
            $yesno = false;
            if ($uritem != $checkuri) {
                // Different page: restart the counter for this IP
                $str .= $iptem . $checkuri . $time . "1\r\n";
            } elseif ($numtem < $allowNum) {
                $str .= $iptem . $uritem . $timetem . ($numtem + 1) . "\r\n";
            } else {
                // Over the limit: open a suspect record, log the hit, show the warning
                if (!file_exists($fileforbid)) {
                    $addforbidarr = array($ip . "\r\n", time() . "\r\n", 1);
                    file_put_contents($fileforbid, $addforbidarr);
                }
                file_put_contents("log/forbided_ip.log", $ip . "--" . date("Y-m-d H:i:s", time()) . "--" . $uri . "\r\n", FILE_APPEND);
                $timepass = $timetem + $allowTime - $time;
                die("Warning:" . "<br>" . "Pls don't refresh too frequently, and wait for " . $timepass . " seconds to continue, IF not your IP address will be forbided automatic by Mydalle.com Anti-refresh mechanic!<br>(Mydalle.com Anti-refresh mechanic is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
            }
        }
    }
}
if ($yesno) $str .= $checkip . $checkuri . $time . "1\r\n";
file_put_contents($file, $str);
?>
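
The effect of the parameter change described above, as an added example that is not part of the original article: an in-memory replay of the page's two-stage check against constructed traffic. The function name replay, the URIs, the documentation-range IP addresses and the 600-hit limit paired with the old 600 s period are assumptions; the page gives only the 600 s period.

```php
<?php
// Added example, not the article's code: in-memory model of its two-stage check.
function replay(array $requests, int $period, int $limit): array
{
    $allowTime = 60; $allowNum = 5;  // stage-1 values from the page's code
    $window = [];                    // per-IP record: [uri, start, count]
    $slot = null;                    // models the single log/forbidchk.dat file
    $banned = []; $warned = [];
    foreach ($requests as [$t, $ip, $uri]) {
        if (isset($banned[$ip])) continue;               // already in .htaccess2
        // Stage 2: count further hits from the IP currently under suspicion
        if ($slot !== null) {
            if ($t - $slot['mtime'] > 30) {
                $slot = null;                            // stale file is deleted
            } elseif ($slot['ip'] === $ip) {
                if ($t - $slot['start'] > $period) {
                    $slot = null;                        // period over, start again
                } elseif ($slot['count'] > $limit) {
                    $banned[$ip] = $t; $slot = null; continue;  // permanent ban
                } else {
                    $slot['count']++; $slot['mtime'] = $t;
                }
            }
        }
        // Stage 1: more than $allowNum hits on one URI within $allowTime seconds
        $w = $window[$ip] ?? null;
        if ($w === null || $t - $w[1] >= $allowTime || $w[0] !== $uri) {
            $window[$ip] = [$uri, $t, 1];
        } elseif ($w[2] < $allowNum) {
            $window[$ip][2]++;
        } else {
            $warned[$ip] = true;                         // gets the warning page
            if ($slot === null) $slot = ['ip' => $ip, 'start' => $t, 'count' => 1, 'mtime' => $t];
        }
    }
    return ['banned' => $banned, 'warned' => array_keys($warned)];
}
// Constructed traffic: one source at 4 requests/s for 150 s (a 2.5-minute turn)
// and a customer reloading the freight page once a second for 8 seconds.
$requests = [];
for ($s = 0; $s < 150; $s++) {
    for ($i = 0; $i < 4; $i++) $requests[] = [$s, '192.0.2.10', '/index.php'];
    if ($s >= 20 && $s < 28) $requests[] = [$s, '198.51.100.7', '/freight.php'];
}
// 600 s with an assumed 600-hit limit (the page gives only the period), then 120/120
foreach ([[600, 600], [120, 120]] as [$period, $limit]) {
    echo "$period s / $limit hits: ", json_encode(replay($requests, $period, $limit)), "\n";
}
```

Under these assumptions the 120 s / 120-hit setting bans the constructed source during its turn, while the assumed 600-hit limit is not reached before the source rotates away; the customer only sees the warning page in both runs.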
