tags:

views:

58

answers:

3
+3  Q: 

Tracking and testing for abusive clients in PHP

Now there is a subject that could be taken many ways. Hopefully I will be able to de-obfuscate it as I describe my problem and start getting suggestions.

I am developing a site that will be replacing an existing one. Historically one of the problems we have had is spider bots coming in and sucking down all out content. Now we don't mind that the content is being downloaded. In fact we are glad for it, however some of the bulk downloaders and download accelerators have proved problematic with the current site.

What I am looking for is something to sit at the beginning of my php that runs pretty much first. It takes a fingerprint of the page request (ip, referrer, request uri, cookies, session id, whatever) and passes it to ...something. That something then compares the fingerprint to fingerprints in the last second or three. It then returns a message based on some pre-configured threshold what to do with the request.

Some thresholds are:

  • The user has requested > x pages in the last 0.n seconds.
  • The user has requested the same page in < 0.n seconds.
  • The user has submitted the identical data to a form in the last n seconds.

So you see I am looking at some pretty tight windows. Is detecting such things even feasible? Would I be able to do it with some sort of file or db data source? Whatever I use to store the fingerprints between page loads is going to experience a lot of churn since most data will be held for a second or two. Should I just have something that parses the apache logs to check against the threshold? Should I be looking for some sort of external daemon that holds the data for a second or two in memory that I can call from the script? Is there something in apache that can handle this, and do I just need to punt to the server guy to handle this?

Assuming that this is something I can do in PHP or some called external daemon how do I respond to behavior out of the thresholds? My gut says HTTP responses, something like 408 or 503, but my gut is often wrong. What can I do to tell the client to back off a bit? Some sort of "Woah there" page?

+3  A: 

If you don't have to have a software solution, why not program your router/firewall to handle this for you? Filtering out DOS attacks (or their equivalent) is part of what it's there for.

Russell Steen  2009-10-30 21:03:10
+2  A: 

Try mod_evasive

Azeem.Butt  2009-10-30 21:08:50
+2  A: 

Try PEAR::HTTP_Floodcontrol and mod_security and fail2ban.

powtac  2009-10-30 21:16:37
Also, http://www.bad-behavior.ioerror.us/
Frank Farmer  2009-10-30 21:54:18

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases