Re: PHP Denial of service

On 10/16/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
> On Fri, October 13, 2006 4:16 pm, Ryan Barclay wrote:
> > A simple question I imagine, but I am wondering how I would combat DoS
> > attacks by users holding the REFRESH key on their browsers?
> >
> > I have reproduced this error on a PHP-MYSQL website and when I hold
> > the REFRESH key on for a while, page gen times shoot up dramatically and
> > hundreds of processes are created.
> >
> > Is there a way I can stop this/limit the connections/processes in
> > apache conf/php.ini?
> >
> > What can I do to combat this method of DoS?
>
> Well, one thing for sure...
>
> This question would be better addressed to Apache list.
>
> To stay on topic, however, you could log each action the user takes,
> and if they are "too fast" you can put a "sleep" call into your PHP
> scripts.

Ouch.. maybe a usleep(), but that is a bad way to deal with things.
[getting off topic] That just makes it so you get all those requests
and apache grows closer to max_connections as ^R is hit.

[Back on topic or close] If ^R forces the system to freeze up, there
is something wrong somewhere. For starters... I doubt you can hit ^R,
or your client will allow ^R, 200 times a second.. and I know of
systems that can handle 200 requests per second that use a db
connection via php without the server load going over 1.0.

At this point I think it is the magic eight ball that can only solve
this solution.. there are too many unknowns to really know what the
issue is.



> This will only stop the user from doing what you did, not from a more
> generalized DoS attack using something (slightly) more sophisticated
> than the "refresh" button.

Yeah, like requesting from multiple machines all at the same time
multiple times. Or would that be considered a DDoS? If memory serves
me right, DoS is usually network flooding related vs trying to flood
processes handling.


> So trying to solve this at the PHP level is most likely a Wrong Approach.

For true DoS, yeah, very wrong place. I sort of have a feeling that
code/db/apache optimizations could occur before even considering DoS
things.

Curt.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
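
Added example, not part of the original thread or written by its participants: a per-client fixed-window counter that refuses over-limit requests at once rather than delaying them with sleep(), which covers only the held-refresh case discussed above and not a general DoS. The function name `throttle_check`, the limits, the temp-file storage and the sample address are assumptions made for illustration.

```php
<?php
// Fixed-window request counter per client, stored in a small file in the
// system temp dir (assumption: one web host). No sleep(): refusal is immediate.
const WINDOW_SECONDS = 10;   // assumed window length
const MAX_REQUESTS   = 20;   // assumed per-client budget per window

// Records one request; returns 0 if allowed, else seconds until the window resets.
function throttle_check(string $clientId, int $now, string $dir): int
{
    $path = $dir . '/throttle_' . hash('sha256', $clientId);
    $fh = fopen($path, 'c+');           // create if missing, do not truncate
    if ($fh === false) {
        return 0;                       // design choice here: fail open on storage errors
    }
    flock($fh, LOCK_EX);                // serialize concurrent requests from one client
    $parts = explode(' ', trim((string) stream_get_contents($fh)));
    $start = (int) ($parts[0] ?? 0);
    $count = (int) ($parts[1] ?? 0);
    if ($now - $start >= WINDOW_SECONDS) {
        $start = $now;                  // window expired: start a new one
        $count = 0;
    }
    $count++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, "$start $count");
    flock($fh, LOCK_UN);
    fclose($fh);
    return $count > MAX_REQUESTS ? max(1, $start + WINDOW_SECONDS - $now) : 0;
}

// Constructed demo: 25 refreshes from one address within the same second.
$dir = sys_get_temp_dir();
$client = '203.0.113.7';                // documentation-range address, constructed
@unlink($dir . '/throttle_' . hash('sha256', $client));
$refused = 0;
for ($i = 0; $i < 25; $i++) {
    if (throttle_check($client, 1000, $dir) > 0) {
        $refused++;
    }
}
echo "refused $refused of 25\n";
```

In a page handler the call would be `throttle_check($_SERVER['REMOTE_ADDR'], time(), $dir)`, with a non-zero result answered by HTTP 429 and a `Retry-After` header before any database connection is opened.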

