PHP, .htaccess, DDoS & speedy request protection


Question

I have a question. I built this little script to check if a certain IP is flooding my website. When it does, I deny the IP in the .htaccess file. My question is, can somebody tell me if this script is completely useless or worth trying... The script is called in the config file, therefore it runs on every page load.

<?php
# get the visitor IP (REMOTE_ADDR is set by the web server, not by the client;
# behind a reverse proxy it is the proxy's address, so banning it blocks everyone)
$ip = $_SERVER["REMOTE_ADDR"];

# start the session
@session_start();

# check if the IP is banned (empty() so a fresh session raises no undefined-index notice)
if (!empty($_SESSION['~b'])) {

    # check if we can open .htaccess
    $fp = @fopen('./.htaccess', 'a');
    if ($fp) {
        # add the IP to .htaccess
        @fwrite($fp, "\r\ndeny from $ip");
        # close
        @fclose($fp);
        # destroy the session
        @session_destroy();
        @mail("my-email", "IP Banned", "Ip: $ip");
    }
    # let the user know why we deny him or her access
    die('Too many requests.');
}

# get the filename and location
$f = './log/' . @ip2long($ip);

# check if the file exists
if (@is_file($f)) {
    # get the last filetime
    $a = @filemtime($f);
    # touch the file, give a new filetime
    @touch($f, time());
    # the IP is not banned
    $_SESSION['~b'] = false;
    # add the time diff (initialise the counters on first use)
    $_SESSION['~r'] = ($_SESSION['~r'] ?? 0) + (time() - $a);
    # add the latest hit
    $_SESSION['~h'] = ($_SESSION['~h'] ?? 0) + 1;
} else {
    # create the file if it doesn't exist
    @file_put_contents($f, ''); # size: 0 bytes
    # if touch() doesn't work
    # chmod($f, 0755);
}

# calculate the diff after 10 hits, and ban when the avg is smaller than 0.25 seconds
if (($_SESSION['~h'] ?? 0) > 10 && ($_SESSION['~r'] / $_SESSION['~h']) < 0.25) {
    $_SESSION['~b'] = true;
}
?>

Just followed the advice to avoid SESSIONS, so I made it file based, without having to depend on cookies and sessions:

<?php
# get the visitor IP (REMOTE_ADDR is set by the web server; behind a reverse
# proxy it is the proxy's address, so a ban there would block every visitor)
$i = $_SERVER["REMOTE_ADDR"];
# get the filename and location
$f = './log/' . ip2long($i) . '.dat';
# check if the file exists and we can write
if (is_file($f)) {
    # get the last filetime
    $a = filemtime($f);
    # get the file content (note: this read and the write below are not one
    # atomic operation, so two concurrent requests can lose a hit)
    $b = file_get_contents($f);
    # create array from hits & seconds
    $d = explode(':', $b);
    # calculate the new result
    $h = (int)$d[0] + 1;
    $s = (int)($d[1] ?? 0) + (time() - $a);
    # add the new data to the text file
    file_put_contents($f, "$h:$s", LOCK_EX);
    unset($d);
} else {
    # create the file if it doesn't exist: hits:seconds
    file_put_contents($f, "1:1", LOCK_EX); # size: 3 bytes
    # to make sure we can write
    # chmod($f, 0755);
    # set the hits and seconds to zero
    $h = 0;
    $s = 0;
}
# create a result var
$r = $h > 10 ? (float)$s / $h : (float)1;
# calculate the diff after 10 hits, and ban when the avg is smaller than 0.20 seconds (5 hits per second)
if ($r < 0.20) {
    # check if we can open .htaccess
    $fp = @fopen('./.htaccess', 'a');
    if ($fp) {
        # add the IP to .htaccess
        @fwrite($fp, "\r\ndeny from $i");
        # close
        @fclose($fp);
        # mail the admin
        @mail("email", "IP Banned", "Ip: $i with $r sbh (Seconds Between Hits)");
    }
    # remove the file (must happen before die(), which ends the script)
    unlink($f);
    # let the user know why we deny him or her access
    die('Too many requests.');
}
# if the user leaves, reset
if ($r > 30) {
    unlink($f);
}
echo 'Result: ' . $r . ' sbh (Seconds Between Hits)';
?>


Recommended answer

If you want to stop the casual user from sending too many requests in a certain amount of time, then yes, the script could work. Bring up a captcha screen and you're in business.

BUT

The real answer is:

The primary mistake with this code is depending on a session to determine the frequency of the user's activity. A "good" attacker can flood your server with requests with cookies disabled, as well as spoof his/her IP.

One way to stop attacks is to go to the server level and install iptables. In fact, iptables ships with most Linux distros. It needs little configuration and works well out of the box.

Another way, if you have root access to your server, is to move session handling to Memcached. It has a function called flood control that is pretty BOSS.

Another route to prevent DDoS is third-party services such as blockdos http://www.blockdos.net/

Kinda pricey, but it could work for you.

But PHP by itself cannot be configured to handle DDoS attacks. You need to put some kind of appliance or firewall in front of all requests to be vetted before going to your PHP scripts.
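The iptables route the answer points to, as an added example that is not part of the original question or answer: instead of PHP appending "deny from" lines to .htaccess after the request has already reached the application, the kernel counts new connections per source address with the hashlimit match and puts offenders into an ipset whose entries expire by themselves. It assumes a Linux host with iptables (xt_hashlimit and xt_set), ipset, a web server on TCP 80/443 and root when applying; the set name, rate, burst and ban duration are illustrative values chosen here, not figures from the page.

```shell
#!/bin/sh
# Added example (not from the original post): per-source rate limiting at the
# kernel level with iptables hashlimit plus a self-expiring ipset of offenders,
# in place of PHP writing "deny from" lines into .htaccess.
# Assumptions: Linux, iptables with xt_hashlimit and xt_set, ipset installed,
# web server on TCP 80/443, root privileges when APPLY=1 is set.
# The values below are illustrative, not taken from the page.

BAN_SET="http_flood_ban"   # ipset holding temporarily banned sources (assumed name)
BAN_SECONDS=600            # how long an offender stays banned
RATE="5/second"            # sustained rate of new connections allowed per source
BURST=20                   # extra new connections a source may open in a short burst

# Print each command unless APPLY=1, so the rule set can be reviewed before
# it touches a live firewall.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Build (or apply) the rule set. Order matters: the SET target is
# non-terminating, so the first over-limit packet is recorded in the set and
# then dropped by the rule that follows, as is every later packet from that
# source until its entry times out.
flood_rules() {
    # 1. A hash:ip set whose entries time out, so bans lift without cleanup jobs.
    run ipset create "$BAN_SET" hash:ip timeout "$BAN_SECONDS" -exist
    # 2. Count new TCP connections per source address; once a source is above
    #    RATE (after its BURST allowance) add it to the ban set.
    run iptables -A INPUT -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip \
        --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
        -j SET --add-set "$BAN_SET" src
    # 3. Drop everything from a source that is in the set.
    run iptables -A INPUT -p tcp -m multiport --dports 80,443 \
        -m set --match-set "$BAN_SET" src -j DROP
}

# Run directly: print the rules for review; "APPLY=1 sh rules.sh" installs them.
flood_rules
```

Two caveats a practitioner should keep in mind. These rules count TCP connection attempts, not HTTP requests, so a client that pipelines many requests over one keep-alive connection slides under them; request-level limits belong in the web server (Apache's mod_evasive or nginx's limit_req). And, as the answer says, a host firewall only helps while the link still has capacity: a volumetric flood that saturates the uplink has to be absorbed upstream, by a provider or an appliance in front of the server.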
