Rapid malicious page refreshing, known as a CC attack, is one in which the attacker uses proxy servers to send legitimate-looking requests to the target, simulating many users accessing the site non-stop. The requests are aimed especially at pages that need heavy data operations and a lot of CPU time. The target web server's resources are exhausted until it goes down: server resources are wasted, the CPU sits at 100% for long periods, and there are always connections waiting to be handled until the network is congested and normal access is cut off. We call this a CC attack. Software can be used to defend against such attacks, but the effect is sometimes not obvious.
Below is a piece of PHP code that provides some protection against CC attacks.
Main function: refreshing the page continuously more than 5 times within 3 seconds will point to the local http://127.0.0.1
Simply place the code on any page that needs protection against CC attacks.
Source:
<?php
session_start(); // the counters below are kept in the session
$timestampcc = time();
$cc_nowtime = $timestampcc;
// session_is_registered() was removed in PHP 5.4; isset() is the replacement
if (isset($_SESSION['cc_lasttime'])) {
    $cc_lasttime = $_SESSION['cc_lasttime'];
    $cc_times = $_SESSION['cc_times'] + 1;
    $_SESSION['cc_times'] = $cc_times;
} else {
    // first request in this session: start a new window
    $cc_lasttime = $cc_nowtime;
    $cc_times = 1;
    $_SESSION['cc_times'] = $cc_times;
    $_SESSION['cc_lasttime'] = $cc_lasttime;
}
if (($cc_nowtime - $cc_lasttime) < 3) { // more than 5 refreshes within 3 seconds may be a CC attack
    if ($cc_times >= 5) {
        echo 'refresh too fast!';
        exit;
    }
} else {
    // window expired: reset the counter and start a new window
    $cc_times = 0;
    $_SESSION['cc_lasttime'] = $cc_nowtime;
    $_SESSION['cc_times'] = $cc_times;
}
?>
The following is a summary of effective ways to defend against CC attacks in PHP:
1. Session record
submit.php is the sending page. Set a session variable on this page and send it, as a hidden field of the form, to the submitdeal.php page. On the server side, compare the posted hidden variable with the session variable recorded on the server; if they are equal, write to the database and clear the session. When the user then refreshes the page, the two values are unequal and an error is shown or the user is redirected.
Advantage: the user does not have to enter a verification code
Disadvantage: the form is easy to copy
2. Verification code
The principle is the same as the first, except that the session data is not submitted as a hidden field but filled in by the user. Most sites use text verification codes and image verification codes; image verification codes offer high security.
3. IP binding
After the data is submitted, first look up the client IP in the IP table. If it is present and has not expired, report an error; otherwise write the data to the database, then take the client IP and write the IP to the database.
4. Cookie: after the client submits, the handler checks whether the client already has the cookie set. If it does, the submission is not repeated; if it does not, the data is written and then a cookie is set.
Example:
Users' meaningless frequent jumps and requests add a lot of load to the server. Cookies can in fact prevent this.
<?php
error_reporting(0);
// If the user refreshes too fast, either terminate the PHP script or send a 302 redirect.
// Use one of the two lines; as written, die() runs first and the redirect is never reached.
if (!empty($_COOKIE["ck"])) die("Refresh too fast!");
if (!empty($_COOKIE["ck"])) header("Location: http://www.baidu.com");
setcookie("ck", "1", time() + 3); // set cookie lifetime to 3s
echo "hello!";
?>
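Method 3 (IP binding) is described above without a listing. The following is an added example, not code from the original article: a per-IP fixed-window limiter that keeps its counter on the server, so it does not depend on the client sending back a session cookie. The function name cc_allow(), the cc_ file prefix and the temp-directory storage are assumptions; the 3-second window and the limit of 5 are taken from the first listing.

```php
<?php
// Added example: per-IP fixed-window limiter for method 3 ("IP binding").
// Assumptions: cc_allow(), the cc_ file prefix and temp-dir storage are hypothetical.
const CC_WINDOW = 3;   // seconds, as in the session listing
const CC_LIMIT  = 5;   // requests allowed per window

function cc_allow(string $ip, int $now, string $dir): bool
{
    // Hash the address so it is safe as a file name (IPv6 contains ':').
    $path = $dir . '/cc_' . hash('sha256', $ip);
    $fh = fopen($path, 'c+');            // create if missing, do not truncate
    if ($fh === false) {
        return true;                     // fail open if storage is unavailable
    }
    flock($fh, LOCK_EX);                 // serialize concurrent requests from one IP
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || !isset($state['start'], $state['count']) || $now - $state['start'] >= CC_WINDOW) {
        $state = ['start' => $now, 'count' => 0];   // start a new window
    }
    $state['count']++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $state['count'] <= CC_LIMIT;
}

// Use REMOTE_ADDR, not X-Forwarded-For: the header is client-controlled
// unless a trusted reverse proxy sets it.
if (PHP_SAPI !== 'cli') {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!cc_allow($ip, time(), sys_get_temp_dir())) {
        http_response_code(429);
        header('Retry-After: ' . CC_WINDOW);
        exit('refresh too fast!');
    }
} else {
    // Constructed self-check: 7 requests from one documentation address in one second.
    $dir = sys_get_temp_dir();
    @unlink($dir . '/cc_' . hash('sha256', '203.0.113.7'));
    for ($i = 1; $i <= 7; $i++) {
        echo $i, ' ', cc_allow('203.0.113.7', 1000, $dir) ? 'allowed' : 'blocked', "\n";
    }
}
```

On a multi-server deployment the counter would need shared storage instead of local files, and the limit applies per source address, so it throttles each proxy separately.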
Mode one:
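<?php
session_start();
$k = $_GET['k'] ?? '';
$t = $_GET['t'] ?? '';
$allowTime = 1800; // anti-refresh time in seconds
// get_client_ip() is not a PHP built-in; the application or framework must provide it
$ip = get_client_ip();
// one session key per combination of client IP and request parameters
$allowT = md5($ip . $k . $t);
if (!isset($_SESSION[$allowT])) {
    $refresh = true;
    $_SESSION[$allowT] = time();
} elseif (time() - $_SESSION[$allowT] > $allowTime) {
    $refresh = true;
    $_SESSION[$allowT] = time();
} else {
    $refresh = false;
}
?>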
Mode two:
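<?php
session_start();
if (!empty($_POST['name'])) {
    $data = $_POST['name'];
    $tag = $_POST['tag'] ?? '';
    // accept the post only if its hidden tag matches the value stored in the session
    if (isset($_SESSION['status']) && $_SESSION['status'] == $tag) {
        // escape user input before writing it into the page
        echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    } else {
        echo "does not allow refreshing!";
    }
}
// new one-time value for the next form submission
$v = mt_rand(1, 10000);
?>
<form method="post" name="magic" action="f5.php"><input type="hidden"
name="tag" value="<?= $v ?>"><input type="text" name="name"><input type="submit" value="Submit">
</form>
<?php
echo $v;
$_SESSION['status'] = $v;
?>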
These are the various ways to defend against CC attacks in PHP; we hope they help prevent rapid malicious refreshing of web pages.