Using PHP sessions to prevent CC attacks

Source: Internet
Author: User

 

A so-called CC attack is one in which the attacker uses programs or proxies to continuously simulate a large number of concurrent requests to your website. The site cannot keep up with the requests and goes down. When this happens, your statistics system (which may be Quantum or Baidu) cannot be used either. Anti-attack software is available, but its effect is sometimes not obvious.

 

How can you tell that it is a CC attack? If you are a virtual host user, then under a CC attack the host's CPU is at its peak because of the large number of concurrent requests, requests cannot be processed for a period of time, and the server crashes with "Service Unavailable". If you are a VPS user, you will find that your website cannot be accessed, FTP always stops at "Connecting FTP data socket", the website opens abnormally slowly or does not open completely, and your VPS management platform (the commonly used free management panel is kloxo) cannot be opened. No matter how often you restart the VPS, you still cannot perform these operations, or they work for only a few seconds after the restart. In this case, we can conclude that it is a CC attack. The cause is that your VPS resources are exhausted.

 

In this case, if you do not understand SSH or cannot log in over SSH, you can only ask the service provider to temporarily restore the VPS for you. This is not a long-term solution, however, because the attacker can change IP addresses and attack you again. You can try the following methods, which help to a certain extent. Of course, if someone is determined to take you down and you are not technically competent, then you know the consequences...

 

Below is a piece of PHP code I found on the Internet. After testing, it has a certain anti-CC effect.

 

 

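<?php
// Assumed definition: the published snippet uses $t_array without defining it.
$t_array = explode(' ', microtime());
$P_S_T = $t_array[0] + $t_array[1];
$timestamp = time();

session_start();
$ll_nowtime = $timestamp;
// session_is_registered() was removed in PHP 5.4; isset() is the equivalent check.
if (isset($_SESSION['ll_lasttime'])) {
    $ll_lasttime = $_SESSION['ll_lasttime'];
    $ll_times = $_SESSION['ll_times'] + 1;
    $_SESSION['ll_times'] = $ll_times;
} else {
    // First request in this session: start the window and the counter.
    $ll_lasttime = $ll_nowtime;
    $ll_times = 1;
    $_SESSION['ll_times'] = $ll_times;
    $_SESSION['ll_lasttime'] = $ll_lasttime;
}
// Thresholds as described in the text below: 5 seconds and 10 requests.
if (($ll_nowtime - $ll_lasttime) < 5) {
    if ($ll_times >= 10) {
        // Too many requests inside the window: redirect and stop.
        header(sprintf("Location: %s", 'http://www.bkjia.com'));
        exit;
    }
} else {
    // Window expired: reset the counter and start a new window.
    $ll_times = 0;
    $_SESSION['ll_lasttime'] = $ll_nowtime;
    $_SESSION['ll_times'] = $ll_times;
}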

 

What it does: if the page is refreshed more than 10 times within 5 seconds, the visitor is redirected to http://www.bkjia.com. The values 5 and 10 and the redirect address can be changed to suit your own needs, but these settings are generally enough.

 

The above code can be placed in a file that every PHP page includes, so that each page is protected against CC attacks. You can also adjust the parameters to your own situation. If zencart is used, you can put it directly in the index.php file under the root directory. For other programs, follow the same approach as for zencart.
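The session counter above only counts clients that send the session cookie back; a client that discards cookies gets a new session, and a new counter, on every request. As an added example (not from the original article), here is the same 5-second, 10-request limit keyed by REMOTE_ADDR and stored on the server; the function names, the storage directory and the 429 response are assumptions.

```php
<?php
// Added example, not the article's code: counter keyed by the connecting address.
// Function names, the storage directory and the 429 response are assumptions.

/** True when $key has made more than $limit requests in the current window. */
function cc_over_limit(string $key, int $now, string $dir, int $window = 5, int $limit = 10): bool
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return false;                        // storage unavailable: do not block
    }
    // Hashing the key keeps client-derived text out of the file name.
    $fh = fopen($dir . '/' . hash('sha256', $key), 'c+');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);                     // serialise concurrent requests
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || $now - $state['start'] >= $window) {
        $state = ['start' => $now, 'count' => 0];   // new window
    }
    $state['count']++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $state['count'] > $limit;
}

/** Constructed run: 12 requests in one second, then one request 6 seconds later. */
function cc_demo(): array
{
    $dir = sys_get_temp_dir() . '/cc_demo_' . bin2hex(random_bytes(4));
    $blocked = [];
    for ($i = 1; $i <= 12; $i++) {
        $blocked[$i] = cc_over_limit('192.0.2.10', 1000, $dir);
    }
    $blocked['later'] = cc_over_limit('192.0.2.10', 1006, $dir);
    return $blocked;
}

if (PHP_SAPI === 'cli') {
    var_export(cc_demo());                   // command line: run the constructed check
} elseif (cc_over_limit($_SERVER['REMOTE_ADDR'], time(), sys_get_temp_dir() . '/cc_rate')) {
    http_response_code(429);
    exit('Too Many Requests');
}
```

Counter files accumulate per address and need periodic cleanup. Behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the key must then come from a header set by that trusted proxy.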

 

A more advanced method is to record the attacker's IP address in a file and then block the attacker's access. The code is as follows:

 

 

<?php
// X-Forwarded-For is set by the client or proxy and can be forged; log it as a hint only.
if (isset($_SERVER)) {
    $realip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? "";
} else {
    $realip = getenv("HTTP_X_FORWARDED_FOR");
}
// Only requests that carry the header (requests that came through a proxy) are logged.
if ($realip <> "") {
    $remoteip = $_SERVER['REMOTE_ADDR'];
    log_ip($remoteip, $realip);
}

// Append one tab-separated line: time, forwarded (real) IP, connecting IP.
function log_ip($remote_ip, $real_ip)
{
    $temp_time = date("y-m-d G:i:s");
    $temp_result = $temp_time . "\t" . $real_ip . "\t" . $remote_ip . "\n";
    if (!$fhandle = fopen("cc_log.txt", "a+")) {
        print "error";
        exit;
    }
    fwrite($fhandle, $temp_result);
    fclose($fhandle);
}
?>

 

What this code does:

It records the real IP address of each request that arrives through a proxy in a log, for troubleshooting and analysis.

Below is the content of cc_log.txt (these entries were produced by an attack from CC attack software):

 

Time Real_ip Remote_ip <= this line was added by me

09-09-05 13:50:47 122.144.131.72 60.248.212.230

09-09-05 13:50:47 122.144.131.72 60.248.212.230

09-09-05 13:50:47 122.144.131.72 60.248.212.230

09-09-05 13:50:48 122.144.131.72 60.248.212.230

09-09-05 13:50:48 122.144.131.72 60.248.212.230

09-09-05 13:50:48 122.144.131.72 60.248.212.230

09-09-05 13:50:49 122.144.131.72 60.248.212.230

09-09-05 13:50:49 122.144.131.72 219.146.172.91

09-09-05 13:50:49 122.144.131.72 219.146.172.91

09-09-05 13:50:49 122.144.131.72 219.146.172.91

09-09-05 13:50:49 122.144.131.72 219.146.172.91

09-09-05 13:50:49 122.144.131.72 219.146.172.91

09-09-05 13:50:49 122.144.131.72 60.248.212.230

09-09-05 13:50:49 122.144.131.72 60.248.212.230

09-09-05 13:50:50 122.144.131.72 219.146.172.91

09-09-05 13:50:50 122.144.131.72 219.146.172.91

09-09-05 13:50:50 122.144.131.72 219.146.172.91

09-09-05 13:50:50 122.144.131.72 219.146.172.91

09-09-05 13:50:50 122.144.131.72 219.146.172.91

09-09-05 13:50:51 122.144.131.72 60.248.212.230

 

The log shows the real IP address 122.144.131.72 accessing this server through the proxy IP addresses (60.248.212.230, 219.146.172.91) within just four seconds.

This is clearly a problem. In this case, we should use the firewall (iptables) to block these real IP addresses so that their requests are denied at the entrance.
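The manual reading of cc_log.txt above can be automated. The following added example (not part of the original article) groups tab-separated log lines by Real_ip, finds the peak request count in any 5-second span and lists the proxy addresses used; the function name, thresholds and sample addresses are assumptions.

```php
<?php
// Added example, not the article's code: summarise cc_log.txt by Real_ip.
// Function names and the sample addresses (documentation ranges) are constructed.

/** Real_ip entries that reach $minHits requests inside any $window-second span. */
function cc_summarise(array $lines, int $window = 5, int $minHits = 10): array
{
    $byReal = [];
    foreach ($lines as $line) {
        $f = explode("\t", trim($line));
        if (count($f) !== 3) {
            continue;                                 // not a log record
        }
        $ts = DateTime::createFromFormat('y-m-d G:i:s', $f[0]);
        // X-Forwarded-For may be a comma-separated chain; take the first entry.
        $real = trim(explode(',', $f[1])[0]);
        // The header is client-supplied, so accept only well-formed addresses.
        if ($ts === false || !filter_var($real, FILTER_VALIDATE_IP)
            || !filter_var($f[2], FILTER_VALIDATE_IP)) {
            continue;
        }
        $byReal[$real]['times'][] = $ts->getTimestamp();
        $byReal[$real]['proxies'][$f[2]] = true;
    }
    $flagged = [];
    foreach ($byReal as $real => $entry) {
        sort($entry['times']);
        $peak = 0;
        $start = 0;
        foreach ($entry['times'] as $i => $t) {       // sliding window over sorted times
            while ($t - $entry['times'][$start] >= $window) {
                $start++;
            }
            $peak = max($peak, $i - $start + 1);
        }
        if ($peak >= $minHits) {
            $flagged[$real] = ['peak' => $peak, 'proxies' => array_keys($entry['proxies'])];
        }
    }
    return $flagged;
}

// Constructed sample in the log format written by log_ip() above.
$sample = ["Time\tReal_ip\tRemote_ip", "09-09-05 13:50:48\t192.0.2.33\t198.51.100.10"];
for ($i = 0; $i < 12; $i++) {
    $proxy = $i % 2 ? '198.51.100.20' : '198.51.100.10';
    $sample[] = sprintf("09-09-05 13:50:%02d\t203.0.113.5\t%s", 47 + intdiv($i, 4), $proxy);
}
print_r(cc_summarise($sample));
```

To run it on a real log, pass `file('cc_log.txt', FILE_IGNORE_NEW_LINES)` instead of the sample. A packet filter such as iptables matches the address that opened the connection, which is the Remote_ip column; the Real_ip column comes from a client-supplied header and should be treated as a hint.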

From Kam's Blog™
