RandomLove
Sat 31st Aug '02, 5:49am
Hi,
Many people -including me- are facing a real problem with hackers/criminals flooding their board with repetitive requests. There are certain programs out there that will keep requesting the page 5-10 (even more if he has enough b/w) times per second for so many hours. If only two or three people with a fast DSL connection can get together and target a forum they can easily bring it to its knees regardless of how powerful the server is.
Take my server as an example (specs here http://www.vbulletin.com/forum/showthread.php?s=&threadid=53016), a guy single-handedly was able to take it down for 10 hours because he had a powerful cable connection.
Now, someone asked for protection from such attacks (check the discussion here http://www.vbulletin.com/forum/showthread.php?s=&threadid=22619). I think we reached a good level of discussion to warrant a new feature in vB3 :).
Actually, JamesUS mentioned that protection against flooding is implemented. I just want to make sure things are going to be implemented in 'a useful' manner.
Ok, here we go:
1- Admin must have the option to choose which level of IP-tracking to be done. There are "three types" of IPs available to the PHP-coder passed by Apache:
$REMOTE_ADDR
$HTTP_CLIENT_IP
$HTTP_X_FORWARDED_FOR
In VB2.2.x, only $REMOTE_ADDR is tracked. This is not good since many people will hide behind a proxy (or even two chained together!). Therefore, checking the other two variables is very important to get the real IP of the attacker. I think the most important variable here is $HTTP_X_FORWARDED_FOR.
2- Now that we are able to get the real IP of the attacker, a mechanism should kick in once a certain IP requests more than a page within a certain time limit (1 second for example). Admin should have the freedom to set the "Max Requests Allowed" for a certain IP and "Minimum Time Window" for these requests. (ex 5 req per 10 seconds, or 1 request per 2 seconds)
3- An Admin should also be able to set Unblock options. He/she should be able to set the block to "Lasts for ever", or "Lasts for a certain number of minutes".
That's all folks ;).
Take care,
R.L.
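Added example (not code from the post or from vBulletin): a Python sketch of items 1 to 3, a per-IP sliding window with "Max Requests Allowed", "Minimum Time Window" and a block that either expires or lasts forever. It goes beyond the post in one respect: the forwarded-IP headers are honoured only when REMOTE_ADDR is a proxy you operate, because any client can put whatever it likes in X-Forwarded-For or Client-IP. The names FloodGuard, client_ip and trusted_proxies are assumptions; all addresses are constructed.

```python
from collections import defaultdict, deque
from typing import Optional


def client_ip(remote_addr: str, headers: dict, trusted_proxies: set) -> str:
    """Choose the address to rate-limit on (item 1 of the post).

    X-Forwarded-For / Client-IP are written by whoever sent the request, so they
    are only used when REMOTE_ADDR is a proxy we trust. The XFF chain is walked
    from the right (nearest hop first) and the first untrusted hop wins.
    """
    if remote_addr not in trusted_proxies:
        return remote_addr
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not chain and headers.get("Client-IP"):
        chain = [headers["Client-IP"].strip()]
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return remote_addr  # every listed hop is ours; fall back to the socket peer


class FloodGuard:
    """Sliding-window request limiter with a per-IP block (items 2 and 3)."""

    def __init__(self, max_requests: int, window: float, block_for: Optional[float]):
        self.max_requests = max_requests   # "Max Requests Allowed"
        self.window = window               # "Minimum Time Window", seconds
        self.block_for = block_for         # seconds, or None = "Lasts for ever"
        self.hits = defaultdict(deque)     # ip -> request timestamps inside the window
        self.blocked = {}                  # ip -> time the block expires (inf = never)

    def allow(self, ip: str, now: float) -> bool:
        """Return True if this request may be served, False if the IP is blocked."""
        until = self.blocked.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.blocked[ip]           # block expired: start with a clean window
            self.hits.pop(ip, None)
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                    # forget requests older than the window
        q.append(now)
        if len(q) > self.max_requests:
            self.blocked[ip] = float("inf") if self.block_for is None else now + self.block_for
            del self.hits[ip]              # no need to keep timestamps for a blocked IP
            return False
        return True
```

Memory per IP is bounded by max_requests + 1 timestamps, so the limiter itself cannot be used to exhaust the server; in production the state would live in a shared store rather than one process.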