IP attack upgrade, program improvements to deal with new attacks_PHP tutorial

However, things have suddenly gotten worse in the past few days. 90% of the attacks cannot be intercepted. Please see the statistics for one day in the picture below:
IP attacks and start time, number of attacks, location notes
125.165.1.42--2010-11 -19 02:02:19--/ 10 Indonesia
125.165.26.186--2010-11-19 16:56:45--/ 1846 Indonesia
151.51.238.254--2010-11-19 09: 32:40--/ 4581 Italy
151.76.40.182--2010-11-19 11:58:37--/ 4763 Rome, Italy
186.28.125.37--2010-11-19 11:19:22 --/ 170 Colombia
186.28.131.122--2010-11-19 11:28:43--/ 22 Colombia
186.28.25.130--2010-11-19 11:30:20--/ 1530 Colombia
188.3.1.108--2010-11-19 02:48:28--/ 1699 Turkey
188.3.1.18--2010-11-19 06:46:01--/ 1358 Turkey
188.3.34.226--2010-11-19 17:07:02--/ 1672 Turkey
190.24.50.228--2010-11-19 12:26:38--/ 2038 Colombia
190.24.83.82- -2010-11-19 14:20:10--/ 9169 Colombia
190.25.30.213--2010-11-19 14:00:44--/ 680 Colombia
190.26.29.130--2010-11 -19 13:33:11--/ 510 Colombia
190.27.115.101--2010-11-19 13:53:48--/ 340 Colombia
190.27.22.222--2010-11-19 12: 16:02--/ 340 Colombia
201.244.113.165--2010-11-19 11:25:55--/ 170 Colombia
201.244.113.47--2010-11-19 11:24:56- -/ 147 Colombia
201.244.115.156--2010-11-19 10:13:56--/ 2031 Colombia
201.244.119.228--2010-11-19 13:50:05--/ 170 Colombia
201.245.218.155--2010-11-19 13:30:30--/ 21 Colombia
212.156.185.122--2010-11-19 08:40:36--/ 16158 Turkey
78.160 .106.60--2010-11-19 03:31:12--/ 340 Turkey
78.162.67.77--2010-11-19 04:26:24--/ 3595 Turkish program has been caught
78.175. 64.173--2010-11-19 02:00:08--/ 2877 Turkey
78.176.178.76--2010-11-19 06:12:05--/ 2370 Turkey
78.177.2.86--2010 -11-19 13:24:29--/ 196 Turkey
78.181.76.51--2010-11-19 16:04:29--/ 600 Turkey
78.184.145.63--2010-11-19 14:30:12--/ 2542 Turkey
78.185.168.24--2010-11-19 09:02:52--/ 3877 Turkey
78.190.79.225--2010-11-19 13:25: 22--/ 3300 Turkey
78.190.84.230--2010-11-19 06:51:33--/ 2719 Turkey
78.191.149.47--2010-11-19 08:34:34--/ 8783 Turkey
78.191.233.108--2010-11-19 05:10:48--/ 340 Turkey
78.191.94.126--2010-11-19 04:34:26--/ 3091 Turkey
85.104.231.74--2010-11-19 08:03:53--/ 3500 Turkey
85.104.49.60--2010-11-19 04:47:12--/ 1037 Turkey
85.106.123.116 --2010-11-19 13:35:45--/ 68 Turkey
88.224.255.96--2010-11-19 07:18:59--/ 3903 Turkey
88.228.138.65--2010- 11-19 02:12:31--/ 396 Turkey
88.228.66.5--2010-11-19 10:44:26--/ 2797 Turkey
88.229.12.40--2010-11-19 06 :57:46--/ 6792 Turkey
88.234.193.11--2010-11-19 08:25:42--/ 5895 Turkey
88.236.78.79--2010-11-19 15:01:54 --/ 170 Turkey
88.238.26.12--2010-11-19 05:21:46--/ 473 Turkey
88.238.26.154--2010-11-19 05:31:58--/ 1683 Turkey
88.242.124.128--2010-11-19 06:53:56--/ 8401 Turkey
88.242.65.61--2010-11-19 08:38:41--/ 1204 Turkish program has been caught
94.122.20.157--2010-11-19 09:53:39--/ 1917 Turkey US program has been caught
94.54.37.54--2010-11-19 02:44:07--/ 1096 Turkey The American program has been caught
95.14.1.97--2010-11-19 08:30:10--/ 167 Turkey and the United States
95.15.248.177--2010-11-19 11:14:54--/ 1454 The Turkish American program has been caught
a total of 125,008 times, 172 times in 15 seconds, and only 9,266 times.
This table is bad enough. Our website was attacked 120,000 times a day. If we let it go unchecked, the impact on the speed of the website will be obvious. The characteristics of this attack are that every When an attack is launched, 3-5 different IPs will attack at the same time at a rate of 3-5 times per second, totaling 9-25 times per second, and the IP will be changed every 1-6 hours, and IP and previous records are not duplicated. In this way, firstly, the website memory will suddenly be too large and the light will turn on; secondly, it will bring great instability to the network. Some IPs have been blocked and have always existed. I tried to unblock them all. Once unblocked, several IPs attacked at the same time, which even seriously overloaded the website for several minutes.
Now, let’s start the topic of this issue, why can’t we block new attacks? After research, I found that 90% of the IPs adopted a new attack plan: they can intelligently attack in turns with a 2-minute pause and a 5-minute pause. Since my last program parameters were set to a conservative plan of 600 seconds/period, I changed the parameters to a new solution of 120 times in 120 seconds, and the false kill rate was within 0.5%. After comparing the logs, I can analyze that 120 false kills in 120 seconds has never been tried, and more than 1 time in 120 seconds is only one. One customer refreshed the freight page one more time due to network problems. This is mostly because our transaction backend is not intelligent enough.
Finally, thank you all for your messages. I will think about your messages. However, my program is just a reference. It is not the best as it is adapted to local conditions. It can only be said to be humane.Now I sent the program again and only changed the time and frequency parameters. The new parameters can already capture 100% of those hacker IPs. I experimented for two days and captured 62 new IPs, mostly from Turkey.
Anti-IP attack code website ver2.0:

Copy code The code is as follows:

/*
*Anti-IP attack code website)2010-11-20,Ver2.0
*Mydalle.com Anti-refresh mechanism
*design by www.mydalle .com
*/
//Query banned IP
$ip =$_SERVER['REMOTE_ADDR'];
$fileht=".htaccess2";
if(!file_exists($fileht))file_put_contents($fileht,"");
$filehtarr=@file($fileht);
if(in_array($ip."rn",$filehtarr))die ("Warning:"."
"."Your IP address are forbided by Mydalle.com Anti-refresh mechanism, IF you have any question Pls emill to shop@mydalle.com!
(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");

//Join Ban IP
$time=time();
$fileforbid="log/forbidchk.dat";
if(file_exists($fileforbid))
{ if($time-filemtime($fileforbid )>30)unlink($fileforbid);
else{
$fileforbidarr=@file($fileforbid);
if($ip==substr($fileforbidarr[0],0,strlen( $ip)))
{
if($time-substr($fileforbidarr[1],0,strlen($time))>120)unlink($fileforbid);
elseif($fileforbidarr [2]>120){file_put_contents($fileht,$ip."rn",FILE_APPEND);unlink($fileforbid);}
else{$fileforbidarr[2]++;file_put_contents($fileforbid,$fileforbidarr );}
}
}
}
//Anti-refresh
$str="";
$file="log/ipdate.dat";
if( !file_exists("log")&&!is_dir("log"))mkdir("log",0777);
if(!file_exists($file))file_put_contents($file,"");
$ allowTime = 60;//Anti-refresh time
$allowNum=5;//Anti-refresh times
$uri=$_SERVER['REQUEST_URI'];
$checkip=md5($ip);
$checkuri=md5($uri);
$yesno=true;
$ipdate=@file($file);
foreach($ipdate as $k=>$v)
{ $iptem=substr($v,0,32);
$uritem=substr($v,32,32);
$timetem=substr($v,64,10);
$ numtem=substr($v,74);
if($time-$timetem<$allowTime){
if($iptem!=$checkip)$str.=$v;
else{
$yesno=false;
if($uritem!=$checkuri)$str.=$iptem.$checkuri.$time."1rn";
elseif($numtem<$allowNum)$str. =$iptem.$uritem.$timetem.($numtem+1)."rn";
else
{
if(!file_exists($fileforbid)){$addforbidarr=array($ip. "rn",time()."rn",1);file_put_contents($fileforbid,$addforbidarr);}
file_put_contents("log/forbided_ip.log",$ip."--".date("Y-m-d H:i:s",time())."--".$uri."rn",FILE_APPEND);
$timepass=$timetem+$allowTime-$time;
die("Warning:" ."
"."Pls don't refresh too frequently, and wait for ".$timepass." seconds to continue, IF not your IP address will be forbided automatically by Mydalle.com Anti-refresh mechanism!< br>(Mydalle.com Anti-refresh mechanism is to enable users to have a good shipping services, but there maybe some inevitable network problems in your IP address, so that you can mail to us to solve.)");
}
}
}
}
if($yesno) $str.=$checkip.$checkuri.$time."1rn";
file_put_contents($file,$str);
?>

http://www.bkjia.com/PHPjc/322640.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/322640.htmlTechArticleHowever, it has suddenly become worse in the past few days. 90% of the attacks cannot be intercepted. Please see the picture below for one day. Statistics: IP attacks and start time Number of attacks Location remarks 125.165.1.42--2010-11...