[nycphp-talk] Urgent: Help in Defending Attack
Michael B Allen
ioplex at gmail.com
Thu Feb 28 11:58:42 EST 2008
On 2/28/08, Randal Rust <randalrust at gmail.com> wrote:
> we are getting hundreds of hits per minute from what appear to be fake
> IP addresses. i am currently writing a script that will send these
> requests to an error page prior to making the database connection.
>
> i am doing an explode() on the $_SERVER['REMOTE_HOST'] to get the
> first part of the IP. Does that make sense?
>
> this is only temporary fix. i'll need to come up with something more permanent.
Hi Randal,
I've never personally had an issue like this but I have a few ideas for you.
First, looking at the IPs isn't going to do you any good if they truly
are random. It just means they're spoofed.
To the very end of the script being hit, try adding the following for a
few minutes:
sleep(5);
If you're lucky, the HTTP client isn't smart enough not to wait for
the response. Look at the logs and see if the requests are still
coming in as frequently. If they are not, it is one or maybe a few
clients and definitely an attack of some kind. If it does not slow
things down, either the HTTP client isn't waiting for the response or
it's a distributed attack or it's not actually an attack at all and
you're just popular today.
You might also try:
flush();
sleep(1);
This shouldn't bother regular users but if it's a single client this
might help (or might not).
Then, with some breathing room in place you need to look at:
* The GET request string
* QUERY_STRING parameters
* The USER_AGENT string
* headers
Get a packet capture like:
# tcpdump -s 0 -w out.pcap port 80
and look at the whole request in WireShark. Try to identify the
pattern. Then compose a small function called 'is_annoying' that tests
for that pattern and replace your stop gap code with it:
if (is_annoying()) {
sleep(10);
die();
}
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
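An added example of what the is_annoying() function Mike sketches could look like; this is not code from the original thread. The header pattern (a missing Accept header plus a fixed User-Agent) and the state file path are assumptions standing in for whatever the packet capture actually shows, and the rate check on a path + User-Agent fingerprint is an addition beyond the text.

```php
<?php
// Added example, not from the original post. Hypothetical pattern learned
// from the pcap: every bad request lacks an Accept header and carries the
// same User-Agent. Replace with what the real capture shows.
const BAD_USER_AGENT = 'Mozilla/4.0 (compatible; ExampleBot)'; // constructed value

function matches_pattern(array $server): bool
{
    return !isset($server['HTTP_ACCEPT'])
        && ($server['HTTP_USER_AGENT'] ?? '') === BAD_USER_AGENT;
}

// Count requests per fingerprint (path + User-Agent) in a fixed window.
// State is a small JSON file guarded by flock() so it works across processes.
function over_rate_limit(array $server, string $stateFile, int $limit, int $window, ?int $now = null): bool
{
    $now = $now ?? time();
    $key = hash('sha256', ($server['REQUEST_URI'] ?? '') . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
    $fh = fopen($stateFile, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false; // fail open: never block real users because our state file is broken
    }
    $state = json_decode(stream_get_contents($fh), true) ?: [];
    $bucket = $state[$key] ?? ['start' => $now, 'count' => 0];
    if ($now - $bucket['start'] >= $window) {
        $bucket = ['start' => $now, 'count' => 0]; // window expired, start a fresh count
    }
    $bucket['count']++;
    $state[$key] = $bucket;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $bucket['count'] > $limit;
}

function is_annoying(array $server, string $stateFile = '/tmp/is_annoying.json'): bool
{
    // Known bad pattern, or any single fingerprint exceeding 60 hits per minute.
    return matches_pattern($server) || over_rate_limit($server, $stateFile, 60, 60);
}

// Usage at the very top of the script being hit, before the database connection:
if (PHP_SAPI !== 'cli' && is_annoying($_SERVER)) {
    sleep(10);
    die();
}
```

The state file grows with the number of distinct fingerprints seen, so prune or rotate it once the flood is over.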