Re: How to prevent DoS on PHP script?

[Jim Lucas <lists@xxxxxxxxx>]

Nitsan Bin-Nun wrote:
> Okay, I got the idea,
> I think you can use PHP to write .htaccess file for IP blocking or something
> like that (shared hosts allow this and I'm pretty sure that Apache .htaccess
> are able to manage IP blocking).

As long as Apache allows .htaccess files

But...   even then what IP's would you write to this?

If a person changed their IP each time they access the script, then it still 
would not work.

I would have to say that I just don't think that PHP is going to be the medium 
in which this problem has to be handled.

> HTH,
> Nitsan
>
> On 16/06/2008, Jim Lucas <lists@xxxxxxxxx> wrote:
> > Nitsan Bin-Nun wrote:
> >
> > > I think you can handle this with 2 pages, the first is checking whether
> > > the
> > > user is permitted to upload or not and if so passing him to the upload
> > > form
> > > with a simple (bool) $_SESSION variable which indicates his permissions.
> > > If you will try to access the second page and the $_SESS variable won't
> > > exist it will throw you back to page 1 to validate your permissions.
> > >
> > > Am I missing something? (its pretty simple..)
> > Yes, PHP hasn't started yet.
> >
> > When someone tries to upload a file to a server, Apache is accepting the
> > file first.  Once the file is completely uploaded, Apache hands off the
> > processing to Apache.  Problem is, by this time the DoS has already
> > happened.  Apache has waisted its time receiving the file.
> >
> > HTH
> > > On 16/06/2008, Per Jessen <per@xxxxxxxxxxxx> wrote:
> > >
> > > > Jim Lucas wrote:
> > > >
> > > > Per Jessen wrote:
> > > > > > Michelle Konzack wrote:
> > > > > >
> > > > > > My biggest problem is, that the "/fileupload.php" was always
> > > > > > > references
> > > > > > > from outside my webspace.  OK, I was thinking  this  can  be  solved
> > > > > > > by
> > > > > > > using HTTP_REFERER which has then worked for some  days  but  NOW
> > > > > > > those pigs are back and sending spoofed HTTP_REFERER.
> > > > > > >
> > > > > > > Since I have only a VHost @ISP I can not  go  deeper  into  the
> > > > > > > Apache2 config what I have done when I was running my own server.
> > > > > > >
> > > > > > > Can anyone suggest me something, how to block requests from outside?
> > > > > > Check client IP-addresses?
> > > > > >
> > > > > >
> > > > > > /Per Jessen, Zürich
> > > > > >
> > > > > >
> > > > > > The problem that the OP is going to run into is the "Chicken before
> > > > > the Egg" problem.  PHP will not start processing until the file upload
> > > > > has already been completely uploaded.
> > > > I was about to say "Then let apache check it", but I hadn't read the
> > > > last paragraph of the OPs question.
> > > >
> > > >
> > > > /Per Jessen, Zürich
> > > >
> > > >
> > > > --
> > > > PHP General Mailing List (http://www.php.net/)
> > > > To unsubscribe, visit: http://www.php.net/unsub.php
> > --
> > Jim Lucas
> >
> >   "Some men are born to greatness, some achieve greatness,
> >       and some have greatness thrust upon them."
> >
> > Twelfth Night, Act II, Scene V
> >    by William Shakespeare


--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php