I phrased myself badly.
My problems are most likely the case of a denial of service attack, but it is hard to know for certain. My host is cheap and crappy, but i have not yet become annoyed enough at these attacks that i've deemed it time to change to a better one, since they usually happen late at night. It could also simply be a case of a crappy, overloaded host, but the regularity in which these dos 's happen make that unlikely. In any way, i'm doing this more as a way to confirm what is happening than as an effective way of stopping it, although that may be possible as well.
This is the script that i want to include. The "faked header" thing could be changed i guess if i can't get it to execute before headers are already sent. I did not write this script myself.
PHP Code:
<?php
// ENGLISH-LANGUAGE VERSION:
/*
Notes...
* $itime is the minimum number of seconds between visits _on average_ over
$itime*$imaxvisit seconds. So in the example, a visitor isn't blocked
if it visits the script multiple times in the first 5 seconds, as long
as it doesn't visit more than 60 times within 300 seconds (5 minutes).
* If the limit is reached, $ipenalty is the number of seconds a visitor
has to wait before being allowed back.
An MD5 hash is made of each visitor's IP address, and the last 3 hex digits of that hash are used to generate one of a possible 4096 filenames. If it is a new visitor, or a visitor who hasn't been seen for a while, the timestamp of the file is set to the then-current time; otherwise, it must be a recent visitor, and the time stamp is increased by $itime.
If the visitor starts loading the timer script more rapidly than $itime seconds per visit,the time stamp on the IP-hashed filename will be increasing faster than the actual time is increasing. If the time stamp gets too far ahead of the current time, the visitor is branded a bad visitor and the penalty is applied by increasing the time stamp on its file even further.
4096 separate hash files is enough that it's very unlikely you'll get two visitors at exactly the same time with the same hash, but not so many that you need to keep tidying up the files.
(Even if you do get more than one visitor with the same hash file at the same time, it's no great disaster: they'll just approach the throttle limit a little faster, which in most cases won't matter, as the limits in the example--5/60/60--are quite generous.)
This script can be simply included in each appropriate php script with this:
// Spam-Block:
include('timer.inc');
*/
// INITIALIZATIONS:
// Constants:
// Fixed:
$crlf=chr(13).chr(10);
$itime=5; // minimum number of seconds between one-visitor visits
$imaxvisit=30; // maximum visits in $itime x $imaxvisits seconds
$ipenalty=180; // seconds before visitor is allowed back
$iplogdir="logs/";
$iplogfile="ErrantIPs.Log";
// Language-dependent:
$spammer1='The Server is momentarily under heavy load.<br /><br />';
$spammer2='Please wait ';
$spammer3=' seconds and try again.';
// OPERATION:
// Make Check:
// Get file time:
$ipfile=substr(md5($_SERVER["REMOTE_ADDR"]),-3); // -3 means 4096 possible files
$oldtime=0;
if (file_exists($iplogdir.$ipfile))
{
$oldtime=filemtime($iplogdir.$ipfile);
}
// Update times:
$time=time();
if ($oldtime<$time)
{
$oldtime=$time;
}
$newtime=$oldtime+$itime;
// Stop overuser:
if ($newtime>=$time+$itime*$imaxvisit)
{
// block visitor:
touch($iplogdir.$ipfile,$time+$itime*($imaxvisit-1)+$ipenalty);
header("HTTP/1.0 503 Service Temporarily Unavailable");
header("Connection: close");
header("Content-Type: text/html");
echo '<html><head><title>Overload Warning</title></head><body><br /><br /><br /><p align="center"><strong>'.$spammer1.'</strong>'.$br;
echo $spammer2.$ipenalty.$spammer3.'</p></body></html>'.$crlf;
// log occurrence:
@$fp=fopen($iplogdir.$iplogfile,"a") or die("Could not save to file.");
if ($fp!==FALSE)
{
$useragent='<unknown user agent>';
if (isset($_SERVER["HTTP_USER_AGENT"])) $useragent=$_SERVER["HTTP_USER_AGENT"];
@fputs($fp,$_SERVER["REMOTE_ADDR"].' on '.date("D, d M Y, H:i:s").' as '.$useragent.' at '.$_SERVER["PHP_SELF"].$crlf);
}
@fclose($fp);
exit();
}
// Modify file time:
touch($iplogdir.$ipfile,$newtime);
?>
05-17-2006, 05:54 AM
Threaded Mode