Posted by frizzle on 12/20/06 09:01
Jerry Stuckle wrote:
> Erwin Moller wrote:
> > frizzle wrote:
> >
> >
> >>Erwin Moller schreef:
> >>
> >>
> >>>Erwin Moller wrote:
> >>>
> >>>
> >>>>frizzle wrote:
> >>>>
> >>>>
> >>>>>frizzle wrote:
> >>>>>
> >>>>>>Erwin Moller wrote:
> >>>>>>
> >>>>>>>frizzle wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>>Hi there,
> >>>>>>>>
> >>>>>>>>I need a function to prevent a page from being loaded too often
> >>>>>>>>too fast.
> >>>>>>>>So say, one is only allowed to refresh a single page 5 times in
> >>>>>>>>10 seconds, or 10 times in 5 seconds (or whatever ... ).
> >>>>>>>>If the load frequency exceeds that, the site calls exit(); And a
> >>>>>>>>message is displayed. Just like Expression Engine does ...
> >>>>>>>>
> >>>>>>>>This way i want to protect the DB from being queried ridiculously
> >>>>>>>>often, and maybe even protect it from DDOS attacks.
> >>>>>>>>
> >>>>>>>>I hope it's clear. I don't know where to start ..
> >>>>>>>>
> >>>>>>>>Thanks!
> >>>>>>>
> >>>>>>>Hi,
> >>>>>>>
> >>>>>>>You have to implement some kind of counting mechanism when the page
> >>>>>>>starts. You can store the timestamp (now) in a database once the
> >>>>>>>page runs, and check if it has been accessed more than X times last
> >>>>>>>Y seconds. Just build it. :-)
> >>>>>>>
> >>>>>>>Of course this check will slow down each request to the page a
> >>>>>>>little, but if the load of running the whole page is much higher,
> >>>>>>>this may be worth the time.
> >>>>>>>
> >>>>>>>Regards,
> >>>>>>>Erwin Moller
> >>>>>>
> >>>>>>Would this be a good thing to do with sessions ?
> >>>>>
> >>>>>Not to be stupid here, but i don't completely get one thing:
> >>>>>
> >>>>>Say one can load 5 times in 5 seconds;
> >>>>>
> >>>>>If someone loads the page at second 1, and then reloads three times
> >>>>>between second 3 and five, this would be 4 loads in 5 seconds. But if
> >>>>>then he reloads 3 times between seconds 5 and 7, it's 6 loads in (less
> >>>>>than) 5 seconds, though AFAIK your idea would have "approved" this.
> >>>>>
> >>>>>How could i fix this?
> >>>>>
> >>>>>Thanks!
> >>>>
> >>>>Hi,
> >>>>
> >>>>first question: Session.
> >>>>I was unsure if you wanted to protect against a single user or against
> >>>>all users.
> >>>>If you want to protect against a single user loading the page too much,
> >>>>you should use session, BUT if that visitor wants to circumvent your
> >>>>session logic, it is easy.
> >>>>Here is why: If you want to use a session with a visitor you send along
> >>>>a sessionid with each request and response. The sessionid is stored in
> >>>>the URL or cookie.
> >>>>Both can easily be manipulated by the visitor, so this will not really
> >>>>work.
> >>>>
> >>>>It would make more sense to use the remote IP-address to maximize the
> >>>>number of requests to your page.
> >>>>
> >>>>Second question: How to implement the quota X times per Y secs?
> >>>>
> >>>>Just a rough idea based on IP:
> >>>>create a table like this:
> >>>>CREATE TABLE tblrequest(
> >>>> IPnum text,
> >>>> lastrequest datetime
> >>>>)
> >>>>
> >>>>Now above your script do this:
> >>>>1) Get the remote IP
> >>>>Use the remote address; read more here:
> >>>>http://nl3.php.net/manual/en/function.getenv.php
> >>>>
> >>>>2) delete from tblrequest ALL requests older than (now - Y secs)
> >>>>
> >>>>3) check if this IP has already exceeded the quota:
> >>>>Something like:
> >>>>SELECT COUNT(IPnum) FROM tblrequest
> >>>> WHERE (IPnum = '<IPnum found in step1>');
> >>>>
> >>>>if the count exceeds X, exit, otherwise continue with the rest of the
> >>>>script.
> >>>
> >>>Oops forgot to mention the obvious:
> >>>of course insert it in the table. :-)
> >>>
> >>>INSERT INTO tblrequest (IPnum,lastrequest)
> >>> VALUES ('<IPnum found in step1>', NOW());
> >>>
> >>>Regards,
> >>>Erwin Moller
> >>
> >>Hmm, this kind of overlaps my other issue:
> >>Login in users. I know there are a lot of topics out there, but none of
> >>them seem to have a real answer:
> >>
> >>I was told using IP (also with pageloads) isn't safe as some ISP's
> >>change IP addresses.
> >
> >
> > True.
> > I heard AOL does that.
> > But you wouldn't be the first to ignore them. ;-)
> >
> > And in your case it doesn't matter. If you protect your pages based on
> > remote IP, the fact that these users change IP addresses will not block them.
> >
> > But I think you have little choice, since 'protecting' your pages via
> > sessions can easily be circumvented as I described in my other posting.
> >
> >>Are sessions really that unsafe? I thought they
> >>could only be manipulated if you have access to the server ...
> >
> >
> > Many tricks exist to breach sessions.
> > I wouldn't say 'sessions are unsafe', but a little knowledge of their workings
> > won't hurt to protect yourself.
> >
> > A few possible problems with sessions:
> > - session hijacking. Somebody taps in on the internet traffic, sees your
> > sessionid and uses it (while it is still active = not timed out) to gain
> > access to the server like the real user does.
> > (This can be blocked by storing the IP number in the session and when it
> > changes, refuse the request.)
> > Hijacking can also be blocked if you use safe transport via https/ssl.
> >
>
> Not reliably. Many companies have proxies, where everyone in the
> company would have the same IP address. And, as frizzle indicated, some
> companies use multiple proxies - where the same user could get a
> different IP address with every request.
>
> Saving the IP in the session is not a safe way of doing it. If your
> session is sensitive, use a secure connection (https).
>
> > - Same server / another user on that server has access to the directory
> > where the sessions are stored. (Talk with your ISP, or check yourself: can
> > you see the content of the session directory? Can you open a random
> > session file, not belonging to your site, in there?)
> >
>
> Very true.
>
> > - Session fixation
> > A link is provided on: http://nl3.php.net/manual/en/ref.session.php
> >
> > I think I would use the IP-block scheme in your case, not sessions, since a new
> > session can easily be started on each request.
> >
>
> I agree. It's not foolproof, but it's about the best you'll do.
>
> But I'll also add that many DOS attacks come from hackers with hundreds
> of thousands of hijacked machines available to them. Even blocking by
> IP won't necessarily be very effective.
>
>
>
> > Regards,
> > Erwin Moller
> >
> >
> >>
> >>Thanks for explaining.
> >
> >
>
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================
Thank you both for helping. I believe I learned something now about
fixation, but I still don't understand how to do it now.
Are there any tutorials with code examples based on what you think is
good out there?
Thanks for helping.
Frizzle.
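As an added example (not code from the thread or from Expression Engine), the delete / count / insert scheme Erwin outlines above, written in Python on SQLite so it runs stand-alone. The table name and columns are taken from his post; storing `lastrequest` as a Unix timestamp instead of a DATETIME, the injectable clock, the `client_ip` helper and its `behind_trusted_proxy` flag are this example's own assumptions. Because old rows are removed before every count, the window slides with each request, which is what answers frizzle's "4 loads, then 3 more" question: the limit holds for any span of Y seconds, not only for fixed blocks of time.

```python
# Added example, not code from the thread: Erwin's delete / count / insert
# scheme as a sliding-window limiter keyed by IP, on SQLite so it runs offline.
import sqlite3
import time
from typing import Callable, Optional


class FakeClock:
    """Settable clock so the window logic can be exercised deterministically."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class IpRateLimiter:
    """Allow at most `max_requests` requests per `window_seconds` per IP.

    Every check first discards rows older than the window and then counts
    what is left, so the limit holds for any span of `window_seconds`.
    """

    def __init__(self, max_requests: int, window_seconds: float,
                 path: str = ":memory:",
                 clock: Callable[[], float] = time.time) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        # isolation_level=None: the transaction is managed explicitly in allow().
        self.conn = sqlite3.connect(path, isolation_level=None)
        # Same table/columns as the thread; lastrequest holds a Unix timestamp
        # (REAL) rather than DATETIME so the arithmetic is portable (assumption).
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS tblrequest ("
            " IPnum TEXT NOT NULL, lastrequest REAL NOT NULL)")
        self.conn.execute(
            "CREATE INDEX IF NOT EXISTS idx_req_ip ON tblrequest (IPnum)")
        self.conn.execute(
            "CREATE INDEX IF NOT EXISTS idx_req_time ON tblrequest (lastrequest)")

    def allow(self, ip: str) -> bool:
        """Return True and record the hit, or False if `ip` is over quota."""
        now = self.clock()
        cutoff = now - self.window
        cur = self.conn.cursor()
        # BEGIN IMMEDIATE takes the write lock up front so two concurrent
        # workers cannot both count 4 and then both insert a 5th and a 6th row.
        cur.execute("BEGIN IMMEDIATE")
        try:
            # Step 2: drop everything outside the window (for every IP).
            cur.execute("DELETE FROM tblrequest WHERE lastrequest <= ?", (cutoff,))
            # Step 3: how many hits does this IP still have inside the window?
            (count,) = cur.execute(
                "SELECT COUNT(*) FROM tblrequest WHERE IPnum = ?", (ip,)).fetchone()
            if count >= self.max_requests:
                cur.execute("COMMIT")
                return False          # refused hits are not recorded
            # Step 4: record this hit (parameterised, never built from strings).
            cur.execute("INSERT INTO tblrequest (IPnum, lastrequest) VALUES (?, ?)",
                        (ip, now))
            cur.execute("COMMIT")
            return True
        except Exception:
            cur.execute("ROLLBACK")
            raise


def client_ip(remote_addr: str, x_forwarded_for: Optional[str] = None,
              behind_trusted_proxy: bool = False) -> str:
    """Choose the address to key on (helper and flag are this example's own).

    REMOTE_ADDR is the TCP peer and cannot be forged by the client without
    also owning the return path.  X-Forwarded-For is just a request header
    anyone can set, so it is honoured only when the app is known to sit
    behind a proxy we control, which appends the real client as the
    rightmost entry.
    """
    if behind_trusted_proxy and x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def replay(limiter: IpRateLimiter, clock: FakeClock, ip: str, times):
    """Drive the limiter at the given timestamps; return the allow/deny list."""
    out = []
    for t in times:
        clock.now = t
        out.append(limiter.allow(ip))
    return out


if __name__ == "__main__":
    clock = FakeClock()
    lim = IpRateLimiter(max_requests=5, window_seconds=5.0, clock=clock)
    # Constructed timing from the thread: four loads by second 5, three more
    # by second 7.  The seventh load is the first to fall outside the quota.
    print(replay(lim, clock, "203.0.113.7", [1, 3, 4, 5, 5.5, 6, 6.5, 11]))
```

Refused requests are deliberately not inserted, so a client that is already over quota cannot extend its own block simply by hammering the page; if you would rather punish that, insert before checking the count. Jerry's caveat still applies: many clients behind one corporate proxy share a key and can lock each other out, and a botnet spread over many addresses never trips a per-IP counter at all.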