Re: [PHP] How to prevent DoS on PHP script?
- Date: Mon, 16 Jun 2008 22:11:54 +0200
- From: "Nitsan Bin-Nun" <nitsanbn@xxxxxxxxx>
- Subject: Re: [PHP] How to prevent DoS on PHP script?
Umm yes I don't think so too, but that's one of the only possible options..
so give it a shot because you have nothing to lose (:
I also think he should speak to the server administrator / the guy he pays
the money to and ask what to do, I'm pretty sure that he had already
encountered something like this before.
On 16/06/2008, Jim Lucas <lists@xxxxxxxxx> wrote:
>
> Nitsan Bin-Nun wrote:
>
>> Okay, I got the idea,
>> I think you can use PHP to write .htaccess file for IP blocking or something
>> like that (shared hosts allow this and I'm pretty sure that Apache .htaccess
>> are able to manage IP blocking).
>>
>>
> As long as Apache allows .htaccess files
>
> But... even then what IPs would you write to this?
>
> If a person changed their IP each time they access the script, then it
> still would not work.
>
> I would have to say that I just don't think that PHP is going to be the
> medium in which this problem has to be handled.
>
> HTH,
>> Nitsan
>>
>> On 16/06/2008, Jim Lucas <lists@xxxxxxxxx> wrote:
>>
>>> Nitsan Bin-Nun wrote:
>>>
>>>> I think you can handle this with 2 pages, the first is checking whether the
>>>> user is permitted to upload or not and if so passing him to the upload form
>>>> with a simple (bool) $_SESSION variable which indicates his permissions.
>>>> If you will try to access the second page and the $_SESS variable won't
>>>> exist it will throw you back to page 1 to validate your permissions.
>>>>
>>>> Am I missing something? (it's pretty simple..)
>>>>
>>>
>>> Yes, PHP hasn't started yet.
>>>
>>> When someone tries to upload a file to a server, Apache is accepting the
>>> file first. Once the file is completely uploaded, Apache hands off the
>>> processing to Apache. Problem is, by this time the DoS has already
>>> happened. Apache has wasted its time receiving the file.
>>>
>>> HTH
>>>
>>>> On 16/06/2008, Per Jessen <per@xxxxxxxxxxxx> wrote:
>>>>
>>>> Jim Lucas wrote:
>>>>>
>>>>> Per Jessen wrote:
>>>>>
>>>>>> Michelle Konzack wrote:
>>>>>>>
>>>>>>> My biggest problem is, that the "/fileupload.php" was always
>>>>>>>
>>>>>>>> references
>>>>>>>> from outside my webspace. OK, I was thinking this can be solved
>>>>>>>> by
>>>>>>>> using HTTP_REFERER which has then worked for some days but NOW
>>>>>>>> those pigs are back and sending spoofed HTTP_REFERER.
>>>>>>>>
>>>>>>>> Since I have only a VHost @ISP I can not go deeper into the
>>>>>>>> Apache2 config what I have done when I was running my own server.
>>>>>>>>
>>>>>>>> Can anyone suggest me something, how to block requests from outside?
>>>>>>>>
>>>>>>>> Check client IP-addresses?
>>>>>>>
>>>>>>>
>>>>>>> /Per Jessen, Zürich
>>>>>>>
>>>>>>>
>>>>>>> The problem that the OP is going to run into is the "Chicken before
>>>>>>>
>>>>>> the Egg" problem. PHP will not start processing until the file upload
>>>>>> has already been completely uploaded.
>>>>>>
>>>>>> I was about to say "Then let apache check it", but I hadn't read the
>>>>> last paragraph of the OP's question.
>>>>>
>>>>>
>>>>> /Per Jessen, Zürich
>>>>>
>>>>>
>>>>> --
>>> Jim Lucas
>>>
>>> "Some men are born to greatness, some achieve greatness,
>>> and some have greatness thrust upon them."
>>>
>>> Twelfth Night, Act II, Scene V
>>> by William Shakespeare
>>>
>>>
>>>
>>
>
> --
> Jim Lucas
>
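
The .htaccess blocklist suggested in this thread, sketched as an added example that is not code from any of the posters: it validates the address, takes a file lock and appends a Deny line only once. It assumes Apache 2.2-style Order/Allow/Deny directives are permitted in .htaccess on the host; block_ip() and the sample addresses are made up for illustration, and as noted in the thread it only helps against clients that keep the same IP.

```php
<?php
// Added example. Assumes Apache 2.2-style directives (Order/Allow/Deny)
// are honoured in .htaccess; block_ip() is a hypothetical helper.
function block_ip(string $htaccess, string $ip): bool
{
    // Accept only a literal IPv4/IPv6 address so that nothing else
    // (newlines, extra directives) can be written into the config.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $fh = fopen($htaccess, 'c+');  // create if missing, never truncate
    if ($fh === false) {
        return false;
    }
    // Exclusive lock: parallel requests must not interleave their writes.
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    $current = (string) stream_get_contents($fh);
    $lines   = preg_split('/\R/', $current, -1, PREG_SPLIT_NO_EMPTY);
    $rule    = "Deny from $ip";
    // Whole-line comparison, so 10.0.0.1 is not mistaken for 10.0.0.10.
    if (!in_array($rule, $lines, true)) {
        $out = ($current !== '' && substr($current, -1) !== "\n") ? "\n" : '';
        if (!in_array('Order Allow,Deny', $lines, true)) {
            // Allow everyone by default, then subtract the Deny entries.
            $out .= "Order Allow,Deny\nAllow from all\n";
        }
        fseek($fh, 0, SEEK_END);
        fwrite($fh, $out . $rule . "\n");
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Constructed sample run against a temporary file (documentation addresses).
$file = tempnam(sys_get_temp_dir(), 'hta');
block_ip($file, '203.0.113.7');
block_ip($file, '203.0.113.7');                  // duplicate: no second line
block_ip($file, "198.51.100.9\nAllow from all"); // not a literal IP: refused
echo file_get_contents($file);
unlink($file);
```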