PHP anti-attack code upgraded version_PHP tutorial

不过最近几天突然糟糕了起来，有90%的攻击已经没法拦截，请看下图一天的统计：

IP攻击及开始时间	攻击次数	地点	备注
125.165.1.42--2010-11-19 02:02:19--/	10	印度尼西亚
125.165.26.186--2010-11-19 16:56:45--/	1846	印度尼西亚
151.51.238.254--2010-11-19 09:32:40--/	4581	意大利
151.76.40.182--2010-11-19 11:58:37--/	4763	意大利 罗马
186.28.125.37--2010-11-19 11:19:22--/	170	哥伦比亚
186.28.131.122--2010-11-19 11:28:43--/	22	哥伦比亚
186.28.25.130--2010-11-19 11:30:20--/	1530	哥伦比亚
188.3.1.108--2010-11-19 02:48:28--/	1699	土耳其
188.3.1.18--2010-11-19 06:46:01--/	1358	土耳其
188.3.34.226--2010-11-19 17:07:02--/	1672	土耳其
190.24.50.228--2010-11-19 12:26:38--/	2038	哥伦比亚
190.24.83.82--2010-11-19 14:20:10--/	9169	哥伦比亚
190.25.30.213--2010-11-19 14:00:44--/	680	哥伦比亚
190.26.29.130--2010-11-19 13:33:11--/	510	哥伦比亚
190.27.115.101--2010-11-19 13:53:48--/	340	哥伦比亚
190.27.22.222--2010-11-19 12:16:02--/	340	哥伦比亚
201.244.113.165--2010-11-19 11:25:55--/	170	哥伦比亚
201.244.113.47--2010-11-19 11:24:56--/	147	哥伦比亚
201.244.115.156--2010-11-19 10:13:56--/	2031	哥伦比亚
201.244.119.228--2010-11-19 13:50:05--/	170	哥伦比亚
201.245.218.155--2010-11-19 13:30:30--/	21	哥伦比亚
212.156.185.122--2010-11-19 08:40:36--/	16158	土耳其
78.160.106.60--2010-11-19 03:31:12--/	340	土耳其
78.162.67.77--2010-11-19 04:26:24--/	3595	土耳其	程序已抓
78.175.64.173--2010-11-19 02:00:08--/	2877	土耳其
78.176.178.76--2010-11-19 06:12:05--/	2370	土耳其
78.177.2.86--2010-11-19 13:24:29--/	196	土耳其
78.181.76.51--2010-11-19 16:04:29--/	600	土耳其
78.184.145.63--2010-11-19 14:30:12--/	2542	土耳其
78.185.168.24--2010-11-19 09:02:52--/	3877	土耳其
78.190.79.225--2010-11-19 13:25:22--/	3300	土耳其
78.190.84.230--2010-11-19 06:51:33--/	2719	土耳其
78.191.149.47--2010-11-19 08:34:34--/	8783	土耳其
78.191.233.108--2010-11-19 05:10:48--/	340	土耳其
78.191.94.126--2010-11-19 04:34:26--/	3091	土耳其
85.104.231.74--2010-11-19 08:03:53--/	3500	土耳其
85.104.49.60--2010-11-19 04:47:12--/	1037	土耳其
85.106.123.116--2010-11-19 13:35:45--/	68	土耳其
88.224.255.96--2010-11-19 07:18:59--/	3903	土耳其
88.228.138.65--2010-11-19 02:12:31--/	396	土耳其
88.228.66.5--2010-11-19 10:44:26--/	2797	土耳其
88.229.12.40--2010-11-19 06:57:46--/	6792	土耳其
88.234.193.11--2010-11-19 08:25:42--/	5895	土耳其
88.236.78.79--2010-11-19 15:01:54--/	170	土耳其
88.238.26.12--2010-11-19 05:21:46--/	473	土耳其
88.238.26.154--2010-11-19 05:31:58--/	1683	土耳其
88.242.124.128--2010-11-19 06:53:56--/	8401	土耳其
88.242.65.61--2010-11-19 08:38:41--/	1204	土耳其	程序已抓
94.122.20.157--2010-11-19 09:53:39--/	1917	土耳其 美国	程序已抓
94.54.37.54--2010-11-19 02:44:07--/	1096	土耳其 美国	程序已抓
95.14.1.97--2010-11-19 08:30:10--/	167	土耳其 美国
95.15.248.177--2010-11-19 11:14:54--/	1454	土耳其 美国	程序已抓
共125008次，快的15秒172次，只抓9266次。

This table is bad enough. Our website was attacked 120,000 times a day. If we let it go unchecked, the impact on the speed of the website will be obvious. The characteristics of this attack are that every When an attack is launched, 3-5 different IPs will attack at the same time at a rate of 3-5 times per second, totaling 9-25 times per second, and the IP will be changed every 1-6 hours, and IP and previous records are not duplicated. In this way, firstly, the website memory will suddenly be too large and the light will turn on; secondly, it will bring great instability to the network. Some IPs have been blocked and have always existed. I tried to unblock them all. Once unblocked, several IPs attacked at the same time, which even seriously overloaded the website for several minutes.

Now, let’s start the topic of this issue, why can’t we block new attacks? After research, I found that 90% of the IPs adopted a new attack plan: they can intelligently attack in turns with a 2-minute pause and a 5-minute pause. Since my last program parameters were set to a conservative plan of 600 seconds/period, I changed the parameters to a new solution of 120 times in 120 seconds, and the false kill rate was within 0.5%. After comparing the logs, I can analyze that 120 false kills in 120 seconds has never been tried, and more than 1 time in 120 seconds is only one. One customer refreshed the freight page one more time due to network problems. This is mostly because our transaction backend is not intelligent enough.

Finally, thank you all for your messages. I will think about your messages. However, my program is just a reference. It is not the best as it is adapted to local conditions. It can only be said to be humane. Now I sent the program again and only changed the time and frequency parameters. The new parameters can already capture 100% of those hacker IPs. I tested it for two days and captured 62 new IPs, mostly from Turkey.

Anti-IP attack code website ver2.0:

Copy code The code is as follows:

/*
*Anti-IP attack code website)2010-11-20,Ver2.0
*Mydalle.com Anti-refresh mechanism
*design by www.mydalle .com
*/
//Query banned IP
$ip =$_SERVER['REMOTE_ADDR'];
$fileht=".htaccess2";
if(!file_exists($fileht))file_put_contents($fileht,"");
$filehtarr=@file($fileht);
if(in_array($ip."rn",$filehtarr))die ("Warning:"."
"."Your IP address are forbided by Mydalle.com Anti-refresh mechanism, IF you have any question Pls emill to shop@mydalle.com!
(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");


//Add banned IP
$time=time();
$fileforbid="log/forbidchk.dat";

if(file_exists($fileforbid))
{ if($ time-filemtime($fileforbid)>30)unlink($fileforbid);
else{
$fileforbidarr=@file($fileforbid);
if($ip==substr($fileforbidarr[0 ],0,strlen($ip)))
{
if($time-substr($fileforbidarr[1],0,strlen($time))>120)unlink($fileforbid);
elseif($fileforbidarr[2]>120){file_put_contents($fileht,$ip."rn",FILE_APPEND);unlink($fileforbid);}
else{$fileforbidarr[2]++;file_put_contents ($fileforbid,$fileforbidarr);}
}
}
}

//Anti-refresh
$str="";
$file="log/ipdate .dat";
if(!file_exists("log")&&!is_dir("log"))mkdir("log",0777);
if(!file_exists($file))file_put_contents($file ,"");
$allowTime = 60;//Anti-refresh time
$allowNum=5;//Number of anti-refresh times
$uri=$_SERVER['REQUEST_URI'];
$checkip =md5($ip);
$checkuri=md5($uri);
$yesno=true;
$ipdate=@file($file);
foreach($ipdate as $k =>$v)
{ $iptem=substr($v,0,32);
$uritem=substr($v,32,32);
$timetem=substr($v, 64,10);
$numtem=substr($v,74);
if($time-$timetem<$allowTime){
if($iptem!=$checkip)$str.= $v;
else{
$yesno=false;
if($uritem!=$checkuri)$str.=$iptem.$checkuri.$time."1rn";
elseif( $numtem<$allowNum)$str.=$iptem.$uritem.$timetem.($numtem+1)."rn";
else
{
if(!file_exists($fileforbid)) {$addforbidarr=array($ip."rn",time()."rn",1);file_put_contents($fileforbid,$addforbidarr);}
file_put_contents("log/forbided_ip.log",$ip. "--".date("Y-m-d H:i:s",time())."--".$uri."rn",FILE_APPEND);
$timepass=$timetem+$allowTime-$time;
die("Warning:"."
"."Pls don't refresh too frequently, and wait for ".$timepass." seconds to continue, IF not your IP address will be forbided automatically by Mydalle .com Anti-refresh mechanism!
(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
}
}
}
}
if($yesno) $str.=$checkip.$checkuri.$time."1rn";
file_put_contents($file,$str);
?>

http://www.bkjia.com/PHPjc/322743.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/322743.htmlTechArticleHowever, it has suddenly become worse in the past few days. 90% of the attacks cannot be intercepted. Please see the picture below for one day. Statistics: IP attacks and start time Number of attacks Location remarks 125.165.1.42--2010-11...