Re: [PHP] PHP Denial of service

2006-10-16 Thread Richard Lynch
On Fri, October 13, 2006 4:16 pm, Ryan Barclay wrote:
> A simple question I imagine, but I am wondering how I would combat DoS
> attacks by users holding the REFRESH key on their browsers?
>
> I have reproduced this error on a PHP-MYSQL website and when I hold the
> REFRESH key on for a while, page gen times shoot up dramatically and
> hundreds of processes are created.
>
> Is there a way I can stop this/limit the connections/processes in apache
> conf/php.ini?
>
> What can I do to combat this method of DoS?

Well, one thing for sure...

This question would be better addressed to the Apache list.

To stay on topic, however, you could log each action the user takes,
and if they are too fast you can put a sleep call into your PHP
scripts.

This will only stop the user from doing what you did, not from a more
generalized DoS attack using something (slightly) more sophisticated
than the refresh button.

So trying to solve this at the PHP level is most likely a Wrong Approach.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] PHP Denial of service

2006-10-16 Thread Curt Zirzow

On 10/14/06, Ryan Barclay [EMAIL PROTECTED] wrote:

> It hasn't actually been attempted.  However, if a couple of a users were
> to hold the refresh, the page generation times would go up ridiculously
> and clients would be waiting over 20sec for pages.  As mentioned, it's a
> very heavy php-mysql script with lots of queries.


A few questions:
#1: are those queries optimized (using indexes where needed)?
#2: is the code optimized.. no stupid loops.
#3: in order for php to know a user aborted it has to try to output
something (at least with apache on unix)

to deal with #3, i used to do a little trick:
<?php
// some standard things like html head
?><?php

// do intensive stuff
?>

I don't know if that ?><?php trick still works but it used to force php
to talk to apache and if apache said: oh you know what.. there isn't a
connection so a user aborted request will exist, or if it is set to
ignore user aborts, connection_aborted() will report true.


Curt.




Re: [PHP] PHP Denial of service

2006-10-16 Thread Curt Zirzow

On 10/16/06, Richard Lynch [EMAIL PROTECTED] wrote:

> On Fri, October 13, 2006 4:16 pm, Ryan Barclay wrote:
> > A simple question I imagine, but I am wondering how I would combat DoS
> > attacks by users holding the REFRESH key on their browsers?
> >
> > I have reproduced this error on a PHP-MYSQL website and when I hold the
> > REFRESH key on for a while, page gen times shoot up dramatically and
> > hundreds of processes are created.
> >
> > Is there a way I can stop this/limit the connections/processes in apache
> > conf/php.ini?
> >
> > What can I do to combat this method of DoS?
>
> Well, one thing for sure...
>
> This question would be better addressed to Apache list.
>
> To stay on topic, however, you could log each action the user takes,
> and if they are too fast you can put a sleep call into your PHP
> scripts.


ouch.. maybe a usleep() but that is a bad way to deal with things.
[getting off topic] that just makes it so you get all those requests
and apache grows closer to max_connections as ^R is hit.

[Back on topic or close]  if ^R forces the system to freeze up there
is something wrong somewhere.  For Starters... I doubt you can hit ^R,
or your client will allow ^R 200 times a second.. and I know of
systems that can handle 200 requests per second that use a db
connection via php without the server load going over 1.0.

At this point I think it is the magic eight ball that can only solve
this solution.. there are too many unknowns to really know what the
issue is.




> This will only stop the user from doing what you did, not from a more
> generalized DoS attack using something (slightly) more sophisticated
> than the refresh button.


Yeah like requesting  from multiple machines all at the same time
multiple times. or would that be considered a DDoS?  if memory serves
me right, DoS is usually network flooding related vs trying to flood
processes handling.



> So trying to solve this at the PHP level is most likely a Wrong Approach.


For true DoS, yeah very wrong place. I sort of have a feeling that
code/db/apache optimizations could occur before even considering DoS
things.

Curt.




Re: [PHP] PHP Denial of service

2006-10-14 Thread Ryan Barclay

I have just run a phpinfo and ignore_user_abort is indeed defaulting to off.

It's a pretty heavy php-MySQL script.  I noticed on scripts without the 
MySQL interaction, the server can keep up much better with the forced 
refreshes. 


Are there any other limiting settings I can change?

All the best,

Ryan

--
Ryan Barclay

RBFTP Networks Ltd.

DDI: +44 (0)870 490 1870
WWW: http://www.rbftpnetworks.com
BBS: http://forums.rbftpnetworks.com



Robert Cummings wrote:
> On Sat, 2006-10-14 at 01:25 +0100, Ryan Barclay wrote:
> > Robert,
> >
> > Thanks for the reply.  I can't seem to find ignore_user_abort in my
> > php.ini.  I would like to do it at server level, rather than individual
> > scripts.  Do you know roughly where is it?  I think there were some
> > versions with this missing in the ini, which was later fixed.
> >
> > I'm guessing that if ignore_user_abort is set to on, this could be the
> > culprit?
> >
> > Would simply adding the following to the ini work?:
> >
> > ignore_user_abort = off
>
> If it's not in your php.ini and not in your source code then it's
> already off, unless it's being activated by an http.conf or .htaccess
> setting. The default for ignore_user_abort is 0.
>
> What exactly does your script do? It may be possible that whatever task
> it is performing prevents PHP from immediately recognizing the user
> abort and subsequently terminating.
>
> Cheers,
> Rob.





Re: [PHP] PHP Denial of service

2006-10-14 Thread Ryan Barclay

Jon,

Thanks for the reply.  Yes, ignore_abort is defaulting to off, as stated 
in my other post.  We have a Firebox III 1000 firewall on our external, 
however this does not have any features like this.  I will look into 
iptables.


Thanks,

Ryan




Jon Anderson wrote:
> Ryan Barclay wrote:
> > Thanks for the reply.  I can't seem to find ignore_user_abort in my
> > php.ini.  I would like to do it at server level, rather than
> > individual scripts.  Do you know roughly where is it?  I think there
> > were some versions with this missing in the ini, which was later fixed.
> >
> > I'm guessing that if ignore_user_abort is set to on, this could be
> > the culprit?
> >
> > Would simply adding the following to the ini work?
>
> Ignore user abort defaults to off, and doesn't necessarily help you if
> the clients don't terminate their connections properly, or they're
> actually trying to DoS you. I think your best bet is to either use
> some lightweight detection in PHP (and maybe send an HTTP error header
> if you're getting hit), or better yet, use a firewall if one is
> available to prevent the connections from even getting to your
> webserver and wasting its resources. (If your server is running on
> Linux, iptables should be able to do what you need, and there are more
> complicated solutions too.)
>
> jon





Re: [PHP] PHP Denial of service

2006-10-14 Thread Ryan Barclay
It hasn't actually been attempted.  However, if a couple of a users were 
to hold the refresh, the page generation times would go up ridiculously 
and clients would be waiting over 20sec for pages.  As mentioned, it's a 
very heavy php-mysql script with lots of queries.


Ryan




Ed Lazor wrote:
> On Oct 13, 2006, at 2:16 PM, Ryan Barclay wrote:
> > A simple question I imagine, but I am wondering how I would combat
> > DoS attacks by users holding the REFRESH key on their browsers?
> >
> > I have reproduced this error on a PHP-MYSQL website and when I hold
> > the REFRESH key on for a while, page gen times shoot up dramatically
> > and hundreds of processes are created.
> >
> > Is there a way I can stop this/limit the connections/processes in
> > apache conf/php.ini?
>
> Apache.conf ThreadsPerChild?
>
> > What can I do to combat this method of DoS?
>
> How do you consider this a DoS attack?  Are you seeing servers
> crippled because a user or a couple of users keep hitting the refresh
> key?  Honestly, it seems extreme.  Your server should be able to
> handle much higher loads than that, especially when PHP starts caching
> pages, etc..  I would start double checking the server config, etc..
>
> Also, if you're really worried about someone attacking a site like
> this, you could just take advantage of PHP's auto_prepend to
> automatically log the IP and a time stamp of each page request... and
> if the last page request is within N seconds of the current request,
> you just redirect the user to a page that says something like server
> busy, try again in a moment.
>
> -Ed







Re: [PHP] PHP Denial of service

2006-10-14 Thread Roman Neuhauser
# [EMAIL PROTECTED] / 2006-10-13 22:16:18 +0100:
> A simple question I imagine, but I am wondering how I would combat DoS
> attacks by users holding the REFRESH key on their browsers?
>
> I have reproduced this error on a PHP-MYSQL website and when I hold the
> REFRESH key on for a while, page gen times shoot up dramatically and
> hundreds of processes are created.
>
> Is there a way I can stop this/limit the connections/processes in apache
> conf/php.ini?
>
> What can I do to combat this method of DoS?

I haven't tried it, but perhaps this would work:

apache-1.3: http://dominia.org/djao/limitipconn.html
apache-2.0: http://dominia.org/djao/limitipconn2.html

-- 
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man.  You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991




Re: [PHP] PHP Denial of service

2006-10-14 Thread Ed Lazor


On Oct 14, 2006, at 4:05 AM, Ryan Barclay wrote:

> It hasn't actually been attempted.  However, if a couple of a users
> were to hold the refresh, the page generation times would go up
> ridiculously and clients would be waiting over 20sec for pages.  As
> mentioned, it's a very heavy php-mysql script with lots of queries.


I see what you're talking about.  Does everyone need live data for  
each page request?  It seems like a great opportunity for data / page  
caching.  I'm trying to remember the name of the caching tool I used,  
but I ran into something similar on one of my websites a few years  
ago.  Each page was dynamic and the server load was high.  I  
installed caching and pages would only update occasionally... meaning  
that users received pages from the cache, instead of each page  
getting processed with each request.  You could also try a reverse  
proxy with apache to do something similar.  The limit IP stuff from  
Roman also looks interesting.


-Ed
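The page caching Ed describes above, as an added example that is not code from Ed's message or from any particular caching tool: a minimal full-page file cache that a heavy PHP/MySQL page includes at its top (or loads through auto_prepend_file). On a cache hit the rendered HTML is served without touching the database at all, so a held-down Refresh key costs one file read per request instead of the whole query set. The cache directory, the 60-second TTL, the "no cookies means anonymous" rule and the X-Page-Cache header are assumptions made for the example.

```php
<?php
// Added example (not from the thread): minimal full-page cache.
// Include this file before the expensive page code runs.
//
// Assumptions: the web server can write to the cache directory, and the
// page is identical for every anonymous visitor (no per-user content).

const PC_TTL_SECONDS = 60;    // serve the same rendered page for up to a minute
const PC_DIR         = null;  // null = sys_get_temp_dir() . '/pagecache'

function pc_dir(): string
{
    $dir = PC_DIR ?? sys_get_temp_dir() . '/pagecache';
    if (!is_dir($dir) && !@mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create cache dir $dir");
    }
    return $dir;
}

// Only anonymous GET requests are cacheable; a request carrying any cookie
// is treated as a logged-in user and always gets a live page.
function pc_cacheable(): bool
{
    return PHP_SAPI !== 'cli'
        && ($_SERVER['REQUEST_METHOD'] ?? '') === 'GET'
        && empty($_COOKIE);
}

// One cache entry per host + path + query string.
function pc_key(): string
{
    $uri = ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['REQUEST_URI'] ?? '/');
    return pc_dir() . '/' . hash('sha256', $uri) . '.html';
}

/** Return the cached body if the file exists and is younger than $ttl, else null. */
function pc_fetch(string $path, int $now, int $ttl): ?string
{
    if (!is_file($path) || ($now - filemtime($path)) > $ttl) {
        return null;
    }
    $body = file_get_contents($path);
    return $body === false ? null : $body;
}

/** Write the page to a temp file and rename it so readers never see a partial file. */
function pc_store(string $path, string $body): void
{
    $tmp = $path . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, $body) !== false) {
        rename($tmp, $path);
    }
}

if (pc_cacheable()) {
    $path = pc_key();
    $hit  = pc_fetch($path, time(), PC_TTL_SECONDS);
    if ($hit !== null) {
        header('X-Page-Cache: hit');
        echo $hit;
        exit;                        // no database work at all on a hit
    }
    header('X-Page-Cache: miss');
    // Capture everything the real page prints; save it when the script ends,
    // but only if the page completed successfully.
    ob_start(function (string $buffer) use ($path): string {
        if (http_response_code() === 200) {
            pc_store($path, $buffer);
        }
        return $buffer;              // still deliver it to this client
    });
}
// ... the expensive page follows here ...
```

While the first request after the TTL expires is still rendering, other requests for the same page also miss and render in parallel, so a burst right at expiry still costs several full renders; a lock or a "serve stale while one request refreshes" rule is the usual next step. The empty($_COOKIE) test also means a site that sets a session cookie for every visitor will never cache anything, so adapt that test to however the site distinguishes anonymous users.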




[PHP] PHP Denial of service

2006-10-13 Thread Ryan Barclay
A simple question I imagine, but I am wondering how I would combat DoS 
attacks by users holding the REFRESH key on their browsers?


I have reproduced this error on a PHP-MYSQL website and when I hold the 
REFRESH key on for a while, page gen times shoot up dramatically and 
hundreds of processes are created.


Is there a way I can stop this/limit the connections/processes in apache 
conf/php.ini?


What can I do to combat this method of DoS?




Re: [PHP] PHP Denial of service

2006-10-13 Thread Robert Cummings
On Fri, 2006-10-13 at 22:16 +0100, Ryan Barclay wrote:
> A simple question I imagine, but I am wondering how I would combat DoS
> attacks by users holding the REFRESH key on their browsers?
>
> I have reproduced this error on a PHP-MYSQL website and when I hold the
> REFRESH key on for a while, page gen times shoot up dramatically and
> hundreds of processes are created.
>
> Is there a way I can stop this/limit the connections/processes in apache
> conf/php.ini?
>
> What can I do to combat this method of DoS?

Check if the following is enabled in php.ini

ignore_user_abort

Or in the code via:

ignore_user_abort()

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'




Re: [PHP] PHP Denial of service

2006-10-13 Thread Ryan Barclay

Robert,

Thanks for the reply.  I can't seem to find ignore_user_abort in my 
php.ini.  I would like to do it at server level, rather than individual 
scripts.  Do you know roughly where is it?  I think there were some 
versions with this missing in the ini, which was later fixed.


I'm guessing that if ignore_user_abort is set to on, this could be the 
culprit?


Would simply adding the following to the ini work?:

ignore_user_abort = off

Best,

Ryan

Robert Cummings wrote:
> On Fri, 2006-10-13 at 22:16 +0100, Ryan Barclay wrote:
> > A simple question I imagine, but I am wondering how I would combat DoS
> > attacks by users holding the REFRESH key on their browsers?
> >
> > I have reproduced this error on a PHP-MYSQL website and when I hold the
> > REFRESH key on for a while, page gen times shoot up dramatically and
> > hundreds of processes are created.
> >
> > Is there a way I can stop this/limit the connections/processes in apache
> > conf/php.ini?
> >
> > What can I do to combat this method of DoS?
>
> Check if the following is enabled in php.ini
>
> ignore_user_abort
>
> Or in the code via:
>
> ignore_user_abort()
>
> Cheers,
> Rob.





Re: [PHP] PHP Denial of service

2006-10-13 Thread Ryan Barclay

Robert,

Thanks for the reply.  I can't seem to find ignore_user_abort in my 
php.ini.  I would like to do it at server level, rather than individual 
scripts.  Do you know roughly where is it?  I think there were some 
versions with this missing in the ini, which was later fixed.


I'm guessing that if ignore_user_abort is set to on, this could be the 
culprit?


Would simply adding the following to the ini work?:

ignore_user_abort = off

Best,

Ryan




Robert Cummings wrote:
> On Fri, 2006-10-13 at 22:16 +0100, Ryan Barclay wrote:
> > A simple question I imagine, but I am wondering how I would combat DoS
> > attacks by users holding the REFRESH key on their browsers?
> >
> > I have reproduced this error on a PHP-MYSQL website and when I hold the
> > REFRESH key on for a while, page gen times shoot up dramatically and
> > hundreds of processes are created.
> >
> > Is there a way I can stop this/limit the connections/processes in apache
> > conf/php.ini?
> >
> > What can I do to combat this method of DoS?
>
> Check if the following is enabled in php.ini
>
> ignore_user_abort
>
> Or in the code via:
>
> ignore_user_abort()
>
> Cheers,
> Rob.
  





Re: [PHP] PHP Denial of service

2006-10-13 Thread Robert Cummings
On Sat, 2006-10-14 at 01:25 +0100, Ryan Barclay wrote:
> Robert,
>
> Thanks for the reply.  I can't seem to find ignore_user_abort in my
> php.ini.  I would like to do it at server level, rather than individual
> scripts.  Do you know roughly where is it?  I think there were some
> versions with this missing in the ini, which was later fixed.
>
> I'm guessing that if ignore_user_abort is set to on, this could be the
> culprit?
>
> Would simply adding the following to the ini work?:
>
> ignore_user_abort = off

If it's not in your php.ini and not in your source code then it's
already off, unless it's being activated by an http.conf or .htaccess
setting. The default for ignore_user_abort is 0.

What exactly does your script do? It may be possible that whatever task
it is performing prevents PHP from immediately recognizing the user
abort and subsequently terminating.

Cheers,
Rob.
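Robert's point above (a long-running task can keep PHP from noticing the abort) and Curt's ?><?php trick earlier in the thread are two sides of the same mechanism: PHP only learns that the browser has gone away when it tries to write to the connection, so a script that spends all its time inside MySQL queries never finds out. The following is an added example, not code from either message, showing the modern form of the trick: print a little, flush it, and ask PHP whether the client is still there before each expensive step. The step names, the sleeps standing in for queries and the 30-second limit are assumptions for the example; it assumes PHP 7.4 or later under a web SAPI.

```php
<?php
// Added example (not from the thread): stop working on a response that
// nobody will receive, so a hammered Refresh key does not leave dozens of
// half-finished requests each holding a MySQL connection.

// Keep running after an abort so we can clean up ourselves (roll back a
// transaction, log) rather than being killed mid-query. With the default
// (false) PHP simply terminates the script at the first flush that finds
// the client gone, which is also fine if there is nothing to clean up.
ignore_user_abort(true);
set_time_limit(30);   // hard ceiling in case the checks below are never reached

header('Content-Type: text/html; charset=utf-8');
echo "<!DOCTYPE html><html><head><title>Report</title></head><body>\n";

/**
 * Flush everything buffered so far and report whether the client is gone.
 * Only meaningful between steps: it cannot interrupt a query that is
 * already executing inside the database server.
 */
function client_gone(): bool
{
    while (ob_get_level() > 0) {
        ob_end_flush();   // drain PHP's own output buffers
    }
    flush();              // push the bytes to the web server / socket
    // connection_status() is a bitmask: CONNECTION_ABORTED means the client
    // hung up, CONNECTION_TIMEOUT means max_execution_time was exceeded.
    return (connection_status() & CONNECTION_ABORTED) !== 0;
}

// Hypothetical stand-ins for the "lots of queries" in the original script;
// in the real page each would be a block of database work.
$steps = [
    'load_user'     => function () { usleep(200000); },
    'build_report'  => function () { usleep(500000); },
    'render_charts' => function () { usleep(300000); },
];

foreach ($steps as $name => $work) {
    if (client_gone()) {
        error_log("client aborted before step '$name'; stopping early");
        // ... roll back / release any database resources here ...
        exit;
    }
    $work();
    // Emit something after every step so the next flush has bytes to send;
    // without a write there is nothing for PHP to detect the abort on.
    echo "<!-- finished $name -->\n";
}

echo "</body></html>\n";
```

Detection can lag by one flush: the first write after the browser closes may still succeed because it lands in the kernel's socket buffer, and only the next one fails. That is why the check is repeated before every step rather than done once. Note that this only shortens the life of abandoned requests; it does nothing about the rate at which new ones arrive, which is the part Jon and Roman address with a firewall or a per-IP connection limit.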




Re: [PHP] PHP Denial of service

2006-10-13 Thread Jon Anderson

Ryan Barclay wrote:
> Thanks for the reply.  I can't seem to find ignore_user_abort in my
> php.ini.  I would like to do it at server level, rather than
> individual scripts.  Do you know roughly where is it?  I think there
> were some versions with this missing in the ini, which was later fixed.
>
> I'm guessing that if ignore_user_abort is set to on, this could be the
> culprit?
>
> Would simply adding the following to the ini work?

Ignore user abort defaults to off, and doesn't necessarily help you if 
the clients don't terminate their connections properly, or they're 
actually trying to DoS you. I think your best bet is to either use some 
lightweight detection in PHP (and maybe send an HTTP error header if 
you're getting hit), or better yet, use a firewall if one is available 
to prevent the connections from even getting to your webserver and 
wasting its resources. (If your server is running on Linux, iptables 
should be able to do what you need, and there are more complicated 
solutions too.)


jon




Re: [PHP] PHP Denial of service

2006-10-13 Thread Ed Lazor


On Oct 13, 2006, at 2:16 PM, Ryan Barclay wrote:
> A simple question I imagine, but I am wondering how I would combat
> DoS attacks by users holding the REFRESH key on their browsers?
>
> I have reproduced this error on a PHP-MYSQL website and when I hold
> the REFRESH key on for a while, page gen times shoot up
> dramatically and hundreds of processes are created.
>
> Is there a way I can stop this/limit the connections/processes in
> apache conf/php.ini?

Apache.conf ThreadsPerChild?

> What can I do to combat this method of DoS?


How do you consider this a DoS attack?  Are you seeing servers  
crippled because a user or a couple of users keep hitting the refresh  
key?  Honestly, it seems extreme.  Your server should be able to  
handle much higher loads than that, especially when PHP starts  
caching pages, etc..  I would start double checking the server  
config, etc..


Also, if you're really worried about someone attacking a site like  
this, you could just take advantage of PHP's auto_prepend to  
automatically log the IP and a time stamp of each page request... and  
if the last page request is within N seconds of the current request,  
you just redirect the user to a page that says something like server  
busy, try again in a moment.


-Ed
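Ed's auto_prepend idea above (log the IP and timestamp of each request, refuse when the last one was within N seconds) and Jon's earlier suggestion of lightweight detection in PHP that sends an HTTP error header are the same defence; the following is an added example of it, not code from either message. It keeps a small state file per client address and answers a 503 with Retry-After once an address exceeds the limit. The window of 10 seconds, the limit of 5 requests, the file layout and the fail-open behaviour are assumptions made for the example; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not from the thread): per-IP rate limit loaded on every
// request through php.ini's auto_prepend_file. State is one small JSON
// file per address under the temp dir; a shared cache such as APCu or
// memcached would do the same job with the storage swapped out.
//
// Assumptions: requests reach this server directly, so REMOTE_ADDR is the
// real client (behind a reverse proxy you would have to use the proxy's
// trusted forwarded-for header instead), and PHP can write to the temp dir.

const RL_WINDOW_SECONDS = 10;   // length of the sliding window
const RL_MAX_REQUESTS   = 5;    // page loads allowed per window per address
const RL_STATE_DIR      = null; // null = sys_get_temp_dir()

function rl_state_path(string $ip): string
{
    $dir = RL_STATE_DIR ?? sys_get_temp_dir();
    // Hash the address so the file name is safe whatever the input looks like.
    return $dir . '/phprl_' . hash('sha256', $ip) . '.json';
}

/**
 * Record one hit for $ip at time $now and return true when it is over the
 * limit. Takes the clock as a parameter so it can be exercised with fixed
 * timestamps.
 */
function rl_over_limit(string $ip, int $now): bool
{
    $fh = fopen(rl_state_path($ip), 'c+');
    if ($fh === false) {
        return false;                   // cannot track: fail open, keep the site up
    }
    flock($fh, LOCK_EX);                // serialise concurrent requests from one IP
    $raw  = stream_get_contents($fh);
    $hits = $raw === '' ? [] : (json_decode($raw, true) ?: []);

    // Keep only timestamps still inside the window, then add this request.
    $cutoff = $now - RL_WINDOW_SECONDS;
    $hits   = array_values(array_filter($hits, fn ($t) => $t > $cutoff));
    $hits[] = $now;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($hits));
    flock($fh, LOCK_UN);
    fclose($fh);

    return count($hits) > RL_MAX_REQUESTS;
}

// Only act under a web server; including this file from the CLI does nothing.
if (PHP_SAPI !== 'cli' && isset($_SERVER['REMOTE_ADDR'])) {
    if (rl_over_limit($_SERVER['REMOTE_ADDR'], time())) {
        // 503 plus Retry-After tells browsers and well-behaved clients to
        // back off; the tiny body means the rejected request costs almost
        // nothing compared with rendering the real page.
        http_response_code(503);
        header('Retry-After: ' . RL_WINDOW_SECONDS);
        header('Content-Type: text/plain');
        echo "Server busy, try again in a moment.\n";
        exit;
    }
}
```

Enable it with `auto_prepend_file = /path/to/ratelimit.php` in php.ini (the path is a placeholder). Two caveats follow directly from the thread: the limit is per address, so many users behind one NAT gateway share a single budget and can lock each other out; and every rejected request still occupies an Apache child long enough to run this prepend, which is why Jon and Curt both prefer dropping the traffic at the firewall or in Apache before PHP ever starts. The state files are never deleted here; a cron job removing entries older than the window keeps the temp dir tidy.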




[PHP] php, denial of service attack

2003-09-08 Thread nabil
I have a postnuke website and I had a denial of service attack.
The point is the attack is on only the home php page ... with cpu 100% and
few apache processes..

Any comment ?




Re: [PHP] php, denial of service attack

2003-09-08 Thread John W. Holmes
nabil wrote:
> I have a postnuke website and I had a denial of service attack.
> The point is the attack is on only the home php page ... with cpu 100% and
> few apache processes..
> Any comment ?

It was not me.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals  www.phparch.com
