misterme, posted April 30, 2008

This was a script I modified to work with mc. The IPs stop multi registering, but not the same IPs from multi logins, as the connections would be hard to limit considering noobs don't set up their browsers correctly. So after many trials and tribulations, I decided to take a SQL flood preventer designed for PHP Nuke and convert it to use with MC Codes.

**Notice: I'm not saying I wrote this, I'm saying I edited it to work.**

This counts the number of rows in a SQL table, then rejects too many. If you look at the coding carefully you will see why and how it stops cheaters of all natures. ENJOY

[code hidden by the forum]

Create antidoss.php and the following:

[code hidden by the forum]

How the beginning of my header.php looks:

[code hidden by the forum]

You may edit the following line in the header to adjust the sensitivity to your liking:

[code hidden by the forum]

Including it in header.php will make it pull to every page associated with the site.
Guest Anonymous, posted April 30, 2008

Re: Stop Auto Refreshers and multi IP logins

SQL flood preventer -- lol -- Which uses... SQL ooo.

Anybody else see the obvious problem here?

Why don't you use the built-in facility in SQL where you set the maximum number of queries, connections or updates per hour plus the number of user connections?

Attempting to write anti-dos/ddos in PHP is dangerous. It is possible, but you are safer relying on the machine itself.
misterme (author), posted April 30, 2008

Um, because of the obvious scenario of the site sitting or not sitting on a dedicated server LMFAO

Did you read the entire post?

My site is on a dedicated server, we host about 160 people. I am not editing SQL restrictions as a whole on the server, to just limiting to one account, as I could make a simple script that stops page refreshing too fast.

This inserts a row per IP on the table based upon time, hence too many connections, page refreshes, would be limited by the script itself.

This is a proven method with Nuke sites, and is not subject to any injection lol, you're acting like I haven't done my homework on the matter, in which I have.

Your reply was senseless in the state of what you were saying. This script was launched this morning, has reduced bandwidth usage on that site, and has obviously stopped faster page refreshes.

Appreciate all comments from a non descriptive standpoint lol
Guest Anonymous, posted April 30, 2008

> Um because of the Obvious scenario of the site sitting or not sitting on a dedicated server LMFAO

You don't need to be on a dedicated server - you just need some grant privileges - see the MySQL documentation.

> My site is on a dedicated server we host about 160 people, I am not editing SQL restrictions as a whole on the server, to just limiting to one account as I could make a simple script that stops page refreshing too fast

Again, by reading the MySQL documentation you would see that multiple connections with different restrictions can be implemented.

> This inserts a row per IP on the table based upon time, hence too many connections, page refreshes, would be limited by the script itself.

Your IP detection system is badly flawed - sitting behind a rotating proxy (like a good % of AOL users) will negate this, plus, REMOTE_ADDR is seldom accurate at the best of times even with static IP addresses.

> This is a proven method with Nuke sites, and is not subject to any injection lol you're acting like I haven't done my homework on the matter in which I have

No, you may well have done your homework, I'm pointing out the flaws in the concept and the source as supplied.

So let's look at your code a little closer then.

[code hidden by the forum]

So every page hit, regardless of whether the code has finished executing, makes two database calls (which, by the way, could be replaced with a rather more elegant single query).

Nope, sorry. I for one would never use this system or recommend that anybody consider it.

Whilst it may stop *some* refreshing, it will in turn put a greater strain on the database engine - which becomes susceptible to basic DoS attacks.
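The per-account limits this reply refers to, as an added example that is not part of any post in the thread. The account names, database name, passwords and every number are hypothetical; the statements are run by an administrative MySQL account.

```sql
-- Added example: MySQL per-account resource limits.
-- 'game_web', 'game_cron', 'game_db', the passwords and all limits are
-- hypothetical placeholders; size the limits from real traffic.

-- Account used by page requests. A refresh flood exhausts this account's
-- budget instead of tying up the whole server.
CREATE USER 'game_web'@'localhost' IDENTIFIED BY 'CHANGE_ME'
  WITH MAX_QUERIES_PER_HOUR     200000   -- statements of any kind
       MAX_UPDATES_PER_HOUR      50000   -- statements that modify data
       MAX_CONNECTIONS_PER_HOUR  20000   -- new connections opened
       MAX_USER_CONNECTIONS         25;  -- simultaneous connections
GRANT SELECT, INSERT, UPDATE, DELETE ON game_db.* TO 'game_web'@'localhost';

-- Separate account for scheduled jobs with its own, different restriction,
-- so web traffic cannot use up the budget the jobs need.
CREATE USER 'game_cron'@'localhost' IDENTIFIED BY 'CHANGE_ME_TOO'
  WITH MAX_USER_CONNECTIONS 2;
GRANT SELECT, UPDATE ON game_db.* TO 'game_cron'@'localhost';

-- Limits can be changed later without recreating the account.
ALTER USER 'game_web'@'localhost' WITH MAX_USER_CONNECTIONS 40;

-- MySQL 5.0/5.1 servers, current when this thread was written, set the
-- same limits through GRANT instead of CREATE USER / ALTER USER:
--   GRANT USAGE ON *.* TO 'game_web'@'localhost'
--     WITH MAX_QUERIES_PER_HOUR 200000 MAX_USER_CONNECTIONS 25;

-- Inspect the configured limits; a value of 0 means "no limit".
SELECT user, host, max_questions, max_updates,
       max_connections, max_user_connections
  FROM mysql.user
 WHERE user IN ('game_web', 'game_cron');

-- Reset the hourly counters for all accounts, for example after an
-- incident has been dealt with.
FLUSH USER_RESOURCES;
```

Once an account reaches a limit, its statements fail with MySQL error 1226 until the counter resets, so the application needs to catch that error and show visitors a clear message rather than a broken page.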
misterme (author), posted April 30, 2008

> Your IP detection system is badly flawed - Sitting being a rotating proxy (like a good % of AOL users) will negate this, plus, REMOTE_ADDR is seldom accurate at the best of times even with static IP addresses.

HHHMMMMMMMM

Cause statistically just about 12.51% of active connections are dial up, and even a lower number of these users are AOL.

It's no wonder that novice programmers on a PHP level don't post on your forums, as everything is ridiculed by inhabitants lol. Instead of trying to help said poster improve their basis, you attack the coding within.

It's obvious if you look at the coding its intended purpose. Nuke antidoss was written to stop HTTP proxies from attacking a SQL database on a server from refreshing pages at a fast amount. We go back to my first post, that it was a simple script altered to work with this to serve its purpose, which was not to prevent dos attacks, but block multiple IP strings, and page refreshers such as the one built into Firefox.

Altering databases and permissions (as I have read tons of posts on this forum) is not within your normal "novice" capabilities, as they would not know the first thing about setting said permissions to reflect this type of change that this script provides.

Once again, based upon the script of how SQL flooders work:

> So every page hit, regardless is whether the code has finished executing, makes two database calls (which, by the way could be replaced with a rather more elegant single query).

2 database calls without releasing a time frame of execution (also notated within the script) was the point.

You are referencing something completely different than its intended purpose with this line:

> Nope, sorry. I for one would never use this system or recommend that anybody consider it.
>
> Whilst it may stop *some* refreshing, it will in turn put a greater strain on the database engine - which becomes susceptible to basic DoS attacks.

It's obvious you would not use the script, it wasn't intended for people with that type of background in SQL.

I have since altered the script, when used to block "basic DoS attacks", to ban via htaccess to relieve strain upon a database.

Did I forget to mention don't run this script if the server you are sitting on is a Commodore 64? LOL

The major majority of the hosts (that are worth hosting with) that are running servers on shared hosting environments are that of at least dual core setups.

This script has been passed by me to others suffering attacks on "wide open" servers (won't mention hosting names), keeping the account from being SQL flooded as easily. They might still be able to hit the SQL, but it would greatly hinder their chances of using "page refreshing" flooders to do so (are you tired of hearing "its intended purpose"?).

We are a hosting company that bought the game from a user that didn't know anything about any PHP/SQL functions and simply gave up, let the site go downhill, etc. We are learning more and more about how people cheat and how to stop such actions. Not to mention we have more than our fair share of server exploits/dos attacks, morons with nothing better to do, etc.

This being said, when I mention I have done my homework, this is not in the fashion of saying I googled "How do I stop dos attacks" lol. We have limited such privs in SQL as you have mentioned, which caused other issues in the game, such as errors that had noobs thinking the server was down or not responding correctly. This is a "visual" warning to them of why the server is acting the way it is based on their actions.

I don't know what the intentions of forum moderators to this site are, but intentions of "simple fixes" to a problem that affects everyone that has a game of this nature, in relation to "another" user suggesting that you eat a bowl of Cheerios every morning for weeks on end, reading MySQL database documentation, instead of taking what you know, applying it, and testing, is a sad cry from the truth of: I don't know everything, I'm not posting on forums claiming to. I'm sure this other user can be taught tips and tricks, but one thing you don't see me doing is basing a sole decision on a script on a basis of "I wouldn't use it cause I know this" rather than "why don't you change this", or ignoring what the script's sole purpose is designed to do.

Signed,
The "Noob" lol
Guest Anonymous, posted April 30, 2008

Firstly, I do not intend to ridicule the inhabitants, rather to open their eyes to some of the facilities, skills and capabilities required by any half-decent site owner.

Secondly, SQL anti-flood protection does not work by making calls to the database itself.

A lot of people may assume they know a lot about security and prevention of attacks, however my experience as a security consultant shows this not to be true. It takes a lot of time and effort to develop the techniques required to protect any machine properly.

And yes, having the ability to issue GRANT statements is often beyond the normal site owner, I agree, however to secure a system well, those facilities should be available. I have never purchased, nor ever will purchase, any hosting without control at that level.

I run a variety of machines - mostly pretty powerful boxes, however I do have the odd Commodore 64 - okay, I lie, but a Pentium 75 has got to be close ;). I have the same security in place on all boxes.

With regard to CE's position on posting fixes, fine, I will provide suitable code where deemed necessary, however in this case the solution is far from simple. Sessions *could* be used, however that may imply an expensive file-system hit. Cookies again *could* be used, however there are some interesting little issues with this. Shared memory is another option, although to date, I've not seen anyone outside of my peers attempt this.

Your initial statement is the one that I take a (lightweight) issue with:

> I decided to take a SQL flood preventer designed for PHP Nuke and convert it to use with MC Codes

This script does not prevent SQL flood attacks, and in fact may increase database load.

I don't want to write other people's programs from, however I will suggest avenues of research. This is, I believe, more in keeping with CE's current aims.

Your skills may well be above that of the average CE user, and for that I am grateful, however as someone with extensive knowledge of security at all levels, I believe it is my duty to point out possible problems with code as presented.

Perhaps people will be interested in this, I hope so. It's about time the basic systems were protected better than they are out of the box.

Let the users decide...
misterme (author), posted April 30, 2008

All based upon one line to be a "lightweight":

> I decided to take a SQL flood preventer designed for PHP Nuke and convert it to use with MC Codes

So let me rephrase it to be "forum correct":

I decided to take a "supposed" SQL flood preventer designed for PHP Nuke and convert it to use with MC Codes.

I understand your points and agree entirely, except for that nature of coming to this decision as a "lightweight" because of using partial amounts of scripting to hinder attacks such as this, which in its proposal could be associated that you have never had an attack of the same nature performed on any site in which you are directly in "administration of security on", who knows.

Most renowned hosts will only limit 50 concurrent MySQL connections per 10,000th of a second per account associated with that server in the first place, but I do agree, "Let the users decide".

Can't please everyone.
Zero-Affect, posted April 30, 2008

i love php nuke, i got my idea for blocks from that brilliant php engine, but evo is the best lol
Magictallguy, posted May 2, 2008

I'm siding with Nyna! Simply because I know what she can do *not how she does it*. xD

Nyna is a brilliant programmer/developer and knows her stuff!
Spudinski, posted May 2, 2008

*Spudinski takes a few hours to read all that text*

I'm with half of what Nyna said, and going half with what misterme said.

Using the built-in features that MySQL supplies to prevent a SQL flood is useful, but once the restriction kicks in, it takes a long time for other visitors of your website to be able to view your pages. But we could rule out unavailable with most good website systems, they *should* have a feature to detect whether SQL is offline, and handle visitors accordingly. Even then, when an error handler is set up etc., all your data is still stored in the database, so unless you have a static website with HTML documents all over, you will be faced with a major lack of content, and your website will have to suffer.

To use PHP at this point is a rather good replacement, that wouldn't cause so much sufferance to your website or visitors. The only bad part of using PHP to handle the requests and process them is that it's slow, because most people will use SQL to prevent a SQL flood.

I'm sure you get my point here. I would suggest getting a mod/lib for Apache, or writing one yourself, that will use plain text files to store the IP addresses (also making use of ranges), and just letting Apache deny and ban the request if it is detected that there is a dos/ddos attack taking place.

No need for SQL, but Apache will still have to suffer from the amount of requests, but it will block them, so the "sending response" process of a dos is bypassed (I think).
Guest Anonymous, posted May 2, 2008

> I'm sure you get my point here, I would suggest getting a mod/lib for apache, or write one yourself, that will use plain text files to store the IP addresses(also making use of ranges), and just letting apache deny and ban the request if it is detected that there is a dos/ddos attack taking place.

So, instead of thrashing a database with requests, you propose to thrash the file-system, which is seldom set up to handle true high-volume multi-user, queued single-thread I/O... No thanks, spud.

However you have raised an interesting point here... There are multiple solutions to this problem, I just wonder if anyone can see the ideal scenario which protects the database, the file system, the web server and *still* permits the user access to the site.

(Of course this particular system is not for the faint hearted or those on cheap/free hosting plans)
Magictallguy, posted May 18, 2008

I know I'm a complete noob when it comes to this. But! Maybe combining these systems? Obviously a fair amount of rewriting will be needed. Spread it out over the files and database, linking them up where needed. That way the server has the same amount to do but doesn't find it as hard? (I know what I mean, do you? :P)

While doing that, you could call from Apache (I wouldn't know as I don't know how Apache works) to check these and then relay it back to wherever needed (most likely the database). Once these checks are done, either allow the user access, or don't.

Seems simple when said, don't know how to go about coding that so don't you dare ask me! :D
Spudinski, posted May 18, 2008

The best method I have come across so far:

Replacing echo and print functions with something that keeps all the data in an array/variable, and displaying it later. Also having a function that makes additions to navigation links, and inserting it into sessions as well as the output later on.

Example:

[code hidden by the forum]

A bit lengthy for simple usage, but on games it should be very useful. Stops refreshing of pages, for one.
topmorpg, posted May 18, 2008

I have in the past created a table on a user's account to log the time of the last action they performed. If it was within 1-2 seconds that they are performing another action, it asks them to slow down. This is mainly because they end up using auto refreshers to perform actions and/or go click happy on buttons, causing the MySQL to lock up and wait for the queue to clear before it can unlock.

Now this is not the most advanced type of solution for this. And I do not recommend it on a small box or without having high level access to server and system changes. This was performed on a box that has 8 cores and about 12 GB memory. It's a monster, yes. But the site on average has about 200+ people online at a time, with about 30+ queries from each user being passed over the MySQL via the script.

There are good points from both of you in this thread. It's just a matter of: will your box handle it?

Putting hardware to solve a speed problem is not always a good thing. Performance first starts application side. Make sure your code is set up with performance and accuracy in mind. Then it becomes a MySQL structure question (is it built properly for executing the data as best and fast as possible?), then the back end server tweaks we spoke of. There are many things to take into consideration here.

The box I mentioned earlier: that client would rather toss hardware at speeding his site up, rather than having me tweak the script to perform better. This is a short term money saver for him. But in the long run he will end up running out of options. The same site tweaked would run on a box 1/3 the size without having to even think about upgrading for a few years.

TJ
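A last-action throttle of the kind this post describes, done as one atomic statement per request instead of a separate read and write; this is an added example, not code from any poster in the thread. The table `throttle_demo_users`, its columns, the sample user id 42 and the 2-second window are all assumptions made for the demonstration.

```sql
-- Added example: per-account "slow down" check in a single statement.
-- Table, columns and the sample row are constructed for this demo; on a
-- real site the column would live on the game's existing users table.
CREATE TABLE throttle_demo_users (
    userid      INT      NOT NULL PRIMARY KEY,
    last_action DATETIME NULL          -- NULL = user has not acted yet
);
INSERT INTO throttle_demo_users (userid, last_action) VALUES (42, NULL);

-- Run once per action request. The WHERE clause is the check and the SET
-- is the bookkeeping, so there is no window between "read the timestamp"
-- and "write the timestamp" for a second rapid request to slip through.
UPDATE throttle_demo_users
   SET last_action = NOW()
 WHERE userid = 42                     -- bind the logged-in user's id here
   AND (last_action IS NULL
        OR last_action <= NOW() - INTERVAL 2 SECOND);

-- ROW_COUNT() reports how many rows the UPDATE changed:
-- one row changed means the action may proceed, none means the request
-- arrived inside the 2-second window and the page should ask the user
-- to slow down without running the action's other queries.
SELECT ROW_COUNT() AS action_allowed;

-- Repeating the same UPDATE immediately changes no row, because
-- last_action is now less than 2 seconds old.
UPDATE throttle_demo_users
   SET last_action = NOW()
 WHERE userid = 42
   AND (last_action IS NULL
        OR last_action <= NOW() - INTERVAL 2 SECOND);
SELECT ROW_COUNT() AS action_allowed;

DROP TABLE throttle_demo_users;
```

From PHP the same decision is read from the driver's affected-row count for the UPDATE, so the throttle costs one indexed write per request and is keyed on the logged-in account rather than on REMOTE_ADDR.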