On Sunday 16 November 2003 10:45 pm, David Otton wrote: > On Sat, 15 Nov 2003 23:52:31 -0500, you wrote: > >Recently, a 'user' attempted to access a restricted area of my site > >repetitively (spanning five hours) entering the same url repetitively > >[probably by script]. A massive log file was generated. I would like to > > ban such behavior by limiting the number of successive 'get's a user can > > do (say 4 attempts) before an appropriate action is taken.. > > > >As a temporary measure (until I can figure a better way) the url in > > question was disabled. > > > >What I'd like to do, on a per-file basis using $_SESSION, is a combination > > of ipaddress perhaps with a counter that records the number of times that > > file was accessed, and limit the number of successive 'get's that can be > > done before the file is no longer accessible. > > Sessions won't work unless the script at the other end is co-operating by > holding state for you, which is unlikely. > > Blocking is never an ideal solution - automated processing can catch > innocent users, a DDoS can knock most sites over, IP bans can be got around > by abusing open proxies, and assholes seem to have infinite free time. It's > rarely worth getting into an arms race with them because ultimately, if > someone wants your machine off the net badly enough, there's nothing you > can do about it. > > Having said that, the earlier in the chain you block malicious traffic the > better. ISP > router > firewall > web server > script. I think maybe a > script that adds a firewall rule when triggered would be effective in your > case (a quick Google will probably find something like this). Just bear in > mind that it's not foolproof. > > You could also try blocking if a referer: is lacking... but again it's not > really reliable.
Thanks David, After reading about the options that I have at my disposal, I'm thinking that one bad 'user' in a year's operation ain't too shoddy. Perhaps the best line of attack to this problem, is to do nothing at all. Aside from filling up my webaccess.log, he didn't stop the flow of traffic, nor did he get anywhere. I seemed to do more damage than he! -- I just hosed that file good . . . sigh . . . It's been a great weekend - began with a 44 hour power outage, both phone lines dead, then I hosed my acccess file, and finished it off by taking out my developmental db -- not bad, huh? (Perhaps I need some sleep??) Tomorrow, I'll have a nice chat with my restrictive IP and figure out what I am allowed to do . . . Personally I like the firewall trigger -- put 'em out of business early! Thanks again for giving me the 'straight-goods'! Regards, andre -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
