PHP anti-attack code, upgraded version

WBOY (original), 2016-07-21 15:32:54

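However, things have suddenly become worse over the past few days: 90% of the attacks can no longer be intercepted. See the one-day statistics below: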

125008 attacks in total; the fastest was 172 in 15 seconds; only 9266 were caught.

These statistics are bad enough. Our website was attacked 120,000 times a day, and if we let that go unchecked the impact on the site's speed will be obvious. The attack has a characteristic pattern: each time it starts, 3-5 different IPs attack at the same time at a rate of 3-5 times per second each, totaling 9-25 times per second. The IPs change every 1-6 hours, and the new IPs never repeat earlier ones. As a result, first, the website's memory usage suddenly spikes and sets off the warning light; second, the network becomes very unstable. Some blocked IPs have remained on the block list all along. I tried unblocking them all; as soon as I did, several IPs attacked at the same time, which seriously overloaded the website for several minutes.

Now to the topic of this post: why couldn't the new attacks be blocked? After some research, I found that 90% of the IPs had adopted a new attack plan: they attack in turns, with a 2-minute pause and a 5-minute pause. My previous program parameters were set to a conservative 600 seconds per period, so I changed them to a new setting of 120 times in 120 seconds, which keeps the false-positive rate within 0.5%. Comparing the logs, I found that no false positive has ever reached 120 times in 120 seconds, and only one went over by 1 time: a customer who refreshed the freight page one more time because of network problems. That is mostly because our transaction backend is not intelligent enough.

Finally, thank you all for your messages; I will think them over. My program is only a reference, though. It is adapted to local conditions rather than being the best possible, and can at most be called humane. I am posting the program again with only the time and frequency parameters changed. The new parameters already capture 100% of those hacker IPs. I tested it for two days and captured 62 new IPs, mostly from Turkey.

Anti-IP attack code website ver2.0:

<?php
/*
 * Anti-IP attack code (website) 2010-11-20, Ver2.0
 * Mydalle.com Anti-refresh mechanism
 * design by www.mydalle.com
 */

// Query banned IP: refuse the request if the client is already on the ban list
$ip = $_SERVER['REMOTE_ADDR'];
$fileht = ".htaccess2";
if (!file_exists($fileht)) file_put_contents($fileht, "");
$filehtarr = @file($fileht);
if (in_array($ip."\r\n", $filehtarr)) die("Warning:"."<br>"."Your IP address are forbided by Mydalle.com Anti-refresh mechanism, IF you have any question Pls emill to shop@mydalle.com!<br>(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");

// Add banned IP
// log/forbidchk.dat holds three lines for the IP under watch:
// the IP, the time of its first violation, and its violation count
$time = time();
$fileforbid = "log/forbidchk.dat";

if (file_exists($fileforbid)) {
    // No violation recorded for more than 30 seconds: stop watching
    if ($time - filemtime($fileforbid) > 30) unlink($fileforbid);
    else {
        $fileforbidarr = @file($fileforbid);
        // Compare the whole line; a prefix match would confuse 1.2.3.4 with 1.2.3.45
        if ($ip == rtrim($fileforbidarr[0])) {
            // Watch period of 120 seconds is over: reset
            if ($time - (int)$fileforbidarr[1] > 120) unlink($fileforbid);
            // More than 120 hits within 120 seconds: ban the IP
            elseif ((int)$fileforbidarr[2] > 120) { file_put_contents($fileht, $ip."\r\n", FILE_APPEND | LOCK_EX); unlink($fileforbid); }
            else { $fileforbidarr[2] = (int)$fileforbidarr[2] + 1; file_put_contents($fileforbid, $fileforbidarr, LOCK_EX); }
        }
    }
}

// Anti-refresh
// Each record in log/ipdate.dat is: md5(ip) (32 chars) + md5(uri) (32 chars) + time (10 chars) + count
$str = "";
$file = "log/ipdate.dat";
// 0755 instead of the original 0777: the log directory does not need to be world-writable
if (!file_exists("log") && !is_dir("log")) mkdir("log", 0755);
if (!file_exists($file)) file_put_contents($file, "");
$allowTime = 60; // Anti-refresh time (seconds)
$allowNum = 5;   // Number of refreshes allowed within that time
$uri = $_SERVER['REQUEST_URI'];
$checkip = md5($ip);
$checkuri = md5($uri);
$yesno = true;   // true while no record for this IP has been found
$ipdate = @file($file);
foreach ($ipdate as $k => $v) {
    $iptem = substr($v, 0, 32);
    $uritem = substr($v, 32, 32);
    $timetem = (int)substr($v, 64, 10);
    $numtem = (int)substr($v, 74); // the cast drops the trailing "\r\n"
    // Records older than $allowTime are dropped by not copying them into $str
    if ($time - $timetem < $allowTime) {
        if ($iptem != $checkip) $str .= $v;
        else {
            $yesno = false;
            // Different page: start a new count for this IP
            if ($uritem != $checkuri) $str .= $iptem.$checkuri.$time."1\r\n";
            // Same page, still under the limit: increment the count
            elseif ($numtem < $allowNum) $str .= $iptem.$uritem.$timetem.($numtem + 1)."\r\n";
            else {
                // Over the limit: start watching this IP, log the hit and refuse the request
                if (!file_exists($fileforbid)) { $addforbidarr = array($ip."\r\n", time()."\r\n", 1); file_put_contents($fileforbid, $addforbidarr, LOCK_EX); }
                file_put_contents("log/forbided_ip.log", $ip."--".date("Y-m-d H:i:s", time())."--".$uri."\r\n", FILE_APPEND | LOCK_EX);
                $timepass = $timetem + $allowTime - $time;
                die("Warning:"."<br>"."Pls don't refresh too frequently, and wait for ".$timepass." seconds to continue, IF not your IP address will be forbided automatically by Mydalle.com Anti-refresh mechanism!<br>(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
            }
        }
    }
}
if ($yesno) $str .= $checkip.$checkuri.$time."1\r\n";
file_put_contents($file, $str, LOCK_EX);
?>
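The script above reads its counter file and rewrites it in separate steps, so at the 9-25 requests per second described earlier, parallel requests can overwrite each other's counts. The following is an added example, not the original author's code: a sliding-window counter using the article's 120-hits-in-120-seconds setting, with the whole read-modify-write under one exclusive lock. The function name `rate_hit`, the JSON state file and the sample addresses are assumptions, and it needs PHP 7.4 or later.

```php
<?php
// Added example, not the original author's code. Sliding-window limiter that holds an
// exclusive lock across the whole read-modify-write, so parallel requests cannot lose hits.
// Defaults follow the article's setting: 120 hits in 120 seconds.
function rate_hit(string $stateFile, string $ip, int $now, int $limit = 120, int $window = 120): bool
{
    $fh = fopen($stateFile, 'c+');           // create if missing, never truncate on open
    if ($fh === false) return true;          // fail open: a storage error must not block visitors
    flock($fh, LOCK_EX);                     // other requests wait here until we unlock
    $state = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
    $key = md5($ip);
    // Keep only this IP's timestamps that are still inside the window, then add this hit.
    $hits = array_values(array_filter($state[$key] ?? [], fn($t) => $now - $t < $window));
    $hits[] = $now;
    // Cap the list at limit+1 entries so a flood cannot grow the state file without bound.
    $state[$key] = array_slice($hits, -($limit + 1));
    // Forget IPs whose newest hit has aged out of the window.
    foreach ($state as $k => $ts) {
        if ($now - end($ts) >= $window) unset($state[$k]);
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return count($state[$key]) <= $limit;    // false means the IP is over the limit
}

// Constructed traffic (sample addresses, not from the article's logs): one client at
// 3 requests per second, the per-IP attack rate described above, and one shopper
// loading a page every 20 seconds, both over the same 60 seconds.
$file = tempnam(sys_get_temp_dir(), 'rl');
$blockedAt = null;
$shopperBlocked = false;
for ($t = 0; $t < 60; $t++) {
    for ($i = 0; $i < 3; $i++) {
        if (!rate_hit($file, '203.0.113.7', 1000 + $t) && $blockedAt === null) $blockedAt = $t;
    }
    if ($t % 20 === 0 && !rate_hit($file, '198.51.100.9', 1000 + $t)) $shopperBlocked = true;
}
unlink($file);
echo "flooding client first refused at second ", var_export($blockedAt, true),
     "; shopper refused: ", var_export($shopperBlocked, true), "\n";
```

Because the window slides with each request instead of resetting on a fixed period, a client that pauses between bursts is still counted on every hit that falls inside the last 120 seconds.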
