Reload Flood Control

This is a fairly simple hack. I implemented it a couple days ago. And realized
that it had also been requested by scotty back in June.

https://vborg.vbsupport.ru/showthrea...threadid=40297

This hack limits the number of http requests to 1 request per IP address
per second. It works for both registered users as well as guests. If a users
hits the refresh button more than once per second he will be taken to the
error screen. The hack actually terminates the loading process of the page
in the early stages and prevents the server load from going up. I have
tried the refresh flood with and without this hack. And without the hack
I got the server load to go from 0.7 to about 25 with about 30 people logged
on. With the hack in place, the same refresh flood caused the load to go as high
as 1.2.

This hack requires you to create a new template. And it modifies 2 source
files: global.php and showthread.php.

In admin CP add the following template: error_floodreload
Add the following text to the template:

Code:

Sorry! The administrator has specified that users can only make one http request every 1 second.

In global.php
Look for the following code:

PHP Code:

if (!$servertoobusy) {
  require('./admin/sessions.php');
} else {
  $session = array();
  $bbuserinfo = array();
} 


Add this code directly above it:

PHP Code:

// Flood control for abusive relaods...
$user_ip=$DB_site->query_first("select host, location, lastactivity from session where host = '".addslashes($REMOTE_ADDR)."' order by lastactivity desc limit 1;");
if($REMOTE_ADDR == $user_ip[host]) {
  global $bbtitle,$logincode,$url,$scriptpath,$bbuserinfo,$session;
  $time_now = time();
  if($time_now == $user_ip[lastactivity]) {
    $DB_site->query("update session set lastactivity='$time_now' where host='".addslashes($REMOTE_ADDR)."' and lastactivity='$user_ip[lastactivity]';");
    $style=$DB_site->query_first("select * from style where userselect = 1;");
    $templatesetid = $style[templatesetid];
    $styleid = $style[styleid];
    $replacementsetid = $style[replacementsetid];
    eval("standarderror(\"".gettemplate("error_floodreload")."\");");
    exit;
  }
} 


In showthread.php
Look for the following code:

PHP Code:

// goto last post
if ($goto=="lastpost") { 


Replace it with

PHP Code:

// goto last post
if ($goto=="lastpost") {

// Flood control for abusive relaods...
  sleep(1); 


In showthread.php
Look for:

PHP Code:

// goto newest post
if ($goto=="newpost") { 


Replace it with:

PHP Code:

// goto newest post
if ($goto=="newpost") {

// Flood control for abusive relaods...
  sleep(1); 


The reason for the 1 second sleeps is to prevent the error screen from popping up when
the user clicks on the goto newest or goto last post arrows in the forum display.
Those 2 calls end up making a second recursive call to showthread.php which ends up
being within the same 1 second interval of the click itself. This way you are fooling
the flood control so that it wont catch the back to back requests.

[rapsearch]

added it but when i try it out... i don't see the text message??.. the screen pops up.. but not with the line from the template??

I did add it....

[Rapdis]

i added it all... i dont see it either.... please advise, by the way, im using 12 gb and only 450 members, i got a big problem sumwhere and need help.

[Zzed]

Ok, I updated the instructions and the attachment.

I needed to obtain the proper templateset, replacementset, and style id's in order for the error screen to load properly for those of you who have been having trouble with it.

I replaced

PHP Code:

    $templatesetid = 1; 


with

PHP Code:


    $style=$DB_site->query_first("select * from style where userselect = 1;");
    $templatesetid = $style[templatesetid];
    $styleid = $style[styleid];
    $replacementsetid = $style[replacementsetid]; 


I apologize for your inconvenience.

[rapsearch]

did what you suggested but still got the same screen??

see attachment.....

[GeorgeofCS]

Is there any way to make this hack affect just non registered members?

[Remi]

Does this hack work if you block cookies, and if not, how can I force users to enable cookies or they can't brows my board .

Thanks in advance

[X-Fan]

Hmmm, I've got a similar problem to Ghost. I installed this hack, following the steps to the letter, loaded a thread, then pressed F5 repeatedly (in fact, I sat there with my finger on the button for about 10 seconds) and the page still loaded for me - no error message at all.

[Boofo]

Quote:

09-06-02 at 04:20 AM Logician said this in Post #2
it's a very good idea and a must have hack especially for people having bandwidth problems. IMO it also fixes the gap someone could exploit by sending too many page requests for a long time and thus making your server busy all the times. It wouldnt be a problem for manual sending but a malicious hacker could always code a script to make it automatically and increase your server load dramatically. So great fix..

One minor issue though: it would prevent users open a few pages at the same time when they come to the site. For example when they make a search, they cant anymore open a few threads at the same time by clicking "Open in new browser windows" link. (which I do a lot!). Of course this is not related to you it's the nature of the hack but maybe setting the second to 0.5 instead of 1 may be a little help for these users...

What would we need to change in this code for the 0.5 setting?

[Zzed]

Since the time of last activity in the session table has a granularity of 1 second, there is not much to do to increase the precision of the time.

[Boofo]

How was Sinan (Logician) talking about doing it?