Regarding the PHP part of the question:
Although I don't rely on PHP for this, it could be implemented, but it needs to consider all of these
possibilities or more:
Attacker may change IP for each request
Attacker may pass parameter(s) in the URI that the target site doesn't care about
Attacker may restart the session before expiry ...
Simple pseudo:
<?php
// Assuming session is already started
$uri  = md5($_SERVER['REQUEST_URI']); // fingerprint of the requested URI
$exp  = 3; // 3 seconds
$hash = $uri . '|' . time();

// Compare only when a previous request was recorded; otherwise the very
// first request would be checked against itself and always rejected
if (isset($_SESSION['ddos'])) {
    list($_uri, $_exp) = explode('|', $_SESSION['ddos']);
    if ($_uri === $uri && time() - (int) $_exp < $exp) {
        header('HTTP/1.1 503 Service Unavailable');
        // die('Easy!');
        die;
    }
}

// Save last request
$_SESSION['ddos'] = $hash;
?>
BY qeremy
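The second possibility listed in the answer (parameters the target site ignores) can be handled by reducing the URI to a canonical key before hashing it. The following is an added example, not part of the original answer; the KNOWN_PARAMS allow-list and the function names throttle_key and is_throttled are assumptions made for illustration.

```php
<?php
// Added example, not from the original answer. KNOWN_PARAMS and both
// function names are hypothetical.

// Query parameters the application actually reads (assumed; set per site).
const KNOWN_PARAMS = ['id', 'page'];

/**
 * Reduce a request URI to a stable key: the path plus only the allow-listed
 * query parameters, sorted by name, so that appending junk parameters or
 * reordering them does not produce a "new" URI.
 */
function throttle_key(string $requestUri, array $known = KNOWN_PARAMS): string
{
    $path  = parse_url($requestUri, PHP_URL_PATH) ?: '/';
    $query = parse_url($requestUri, PHP_URL_QUERY) ?: '';
    parse_str($query, $params);
    $kept = array_intersect_key($params, array_flip($known));
    ksort($kept);
    return md5($path . '?' . http_build_query($kept));
}

/**
 * Return true when the previous request had the same key and arrived less
 * than $window seconds ago. $store is the session array ($_SESSION in real
 * use). As in the answer, a rejected request does not refresh the timestamp.
 */
function is_throttled(array &$store, string $key, int $now, int $window = 3): bool
{
    if (isset($store['ddos'])) {
        list($lastKey, $lastTime) = $store['ddos'];
        if ($lastKey === $key && $now - $lastTime < $window) {
            return true;
        }
    }
    $store['ddos'] = [$key, $now];
    return false;
}

// Constructed sample requests; $state stands in for $_SESSION.
$state = [];
$t = 1000;
var_dump(is_throttled($state, throttle_key('/item.php?id=7'), $t));
var_dump(is_throttled($state, throttle_key('/item.php?x=junk&id=7'), $t + 1));
var_dump(is_throttled($state, throttle_key('/item.php?id=7'), $t + 5));
```

Because the state still lives in the session, the session-restart and changing-IP possibilities from the list are not addressed by this key normalization.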