It hasn't actually been attempted. However, if a couple of users were
to hold the refresh, the page generation times would go up ridiculously
and clients would be waiting over 20 sec for pages. As mentioned, it's a
very heavy php-mysql script with lots of queries.

Ryan
--
Ryan Barclay
RBFTP Networks Ltd.
DDI: +44 (0)870 490 1870
WWW: http://www.rbftpnetworks.com
BBS: http://forums.rbftpnetworks.com

Ed Lazor wrote:
>
> On Oct 13, 2006, at 2:16 PM, Ryan Barclay wrote:
>
>> A simple question I imagine, but I am wondering how I would combat
>> DoS attacks by users holding the REFRESH key on their browsers?
>>
>> I have reproduced this error on a PHP-MYSQL website and when I hold
>> the REFRESH key on for a while, page gen times shoot up dramatically
>> and hundreds of processes are created.
>>
>> Is there a way I can stop this/limit the connections/processes in
>> apache conf/php.ini?
>>
>> Apache.conf ThreadsPerChild?
>>
>> What can I do to combat this method of DoS?
>
> How do you consider this a DoS attack? Are you seeing servers
> crippled because a user or a couple of users keep hitting the refresh
> key? Honestly, it seems extreme. Your server should be able to
> handle much higher loads than that, especially when PHP starts caching
> pages, etc. I would start double checking the server config, etc.
>
> Also, if you're really worried about someone "attacking" a site like
> this, you could just take advantage of PHP's auto_prepend to
> automatically log the IP and a time stamp of each page request... and
> if the last page request is within N seconds of the current request,
> you just redirect the user to a page that says something like "server
> busy, try again in a moment".
>
> -Ed
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
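
The auto_prepend check Ed Lazor describes above, written out as an added PHP example; it is not code from the thread or from either poster. It answers with HTTP 503 in place rather than redirecting to a separate page, and `MIN_INTERVAL`, the state directory and the function name `too_soon` are assumptions chosen for illustration.

```php
<?php
// throttle.php - added example; load it via php.ini:  auto_prepend_file = /path/to/throttle.php
// MIN_INTERVAL, the state directory and the 503 response are assumptions, not from the thread.

const MIN_INTERVAL = 2.0;  // the "N seconds" allowed between requests from one IP

/**
 * Record this request for $ip and report whether it arrived less than
 * $minInterval seconds after the previous request from the same address.
 * Throttled requests are recorded too, so a held refresh key stays blocked
 * until the client pauses for the full interval.
 */
function too_soon(string $ip, float $now, float $minInterval, string $dir): bool
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        return false;                       // fail open: never block on a storage error
    }
    // Hash the address so the file name is fixed-length and path-safe (IPv6 included).
    $fh = fopen($dir . '/' . hash('sha256', $ip), 'c+');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);                    // serialise concurrent requests from this IP
    $last = (float) stream_get_contents($fh);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, sprintf('%.4F', $now));     // store the time of this request
    flock($fh, LOCK_UN);
    fclose($fh);

    return $last > 0 && ($now - $last) < $minInterval;
}

if (PHP_SAPI !== 'cli') {
    // Use REMOTE_ADDR only; X-Forwarded-For is supplied by the client.
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $dir = sys_get_temp_dir() . '/refresh-throttle';
    if ($ip !== '' && too_soon($ip, microtime(true), MIN_INTERVAL, $dir)) {
        http_response_code(503);
        header('Retry-After: ' . (int) ceil(MIN_INTERVAL));
        header('Content-Type: text/plain; charset=utf-8');
        exit("Server busy, try again in a moment.\n");  // stops before any MySQL query runs
    }
}
```

Clients that share one address (NAT, an outbound proxy) are throttled together, and the state directory needs periodic pruning of old files.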