views:

69

answers:

3

What I would like to do is implement a system that would track how many times a visitor has requested a page from my website and then based on some sort of threshold, block the visitor if I deem them abusive (i.e.: attempting a DoS).

My question lies in the implementation of such a system...

What would be a good way to track the activity of a given visitor? I assume that I'll have to store off their IP since it's the only information I have for them. Also, should I just store off how many times they have requested pages from my site and then set some arbitrary threshold?

Thanks.

+1  A: 

Storing the IP is a fragile approach -- many universities and other large suppliers use NAT (network address translation) so all requests (maybe from many thousands of actual users) might look like they're coming from the same IP. I strongly suggest you use a cookie instead, maybe with a fall-back to IP only if the cookie just isn't coming back.

Once you have identified a repeat visitor, thresholds on max visits per day or the like seem fine. Or, if you identify a cookie-less visitor from the same IP as many other cookie-less visitors, similarly you may want to "throttle" (rate-limit) them.

Alex Martelli
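The cookie-first, IP-fallback identification and the per-window threshold described in this answer, worked out as an added example (this is not code from the original answer or the asker's site). The cookie name, the signing key, the limits and the window are all assumptions chosen for illustration. The cookie is signed with an HMAC so that only visitor ids the server actually issued are counted as a distinct visitor; a request with no cookie, or with a forged one, falls into a shared per-IP bucket that gets a higher limit, because behind a NAT that bucket is shared by many real users.

```python
"""Count requests per visitor, keyed on a signed cookie with IP fallback."""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumed names: the cookie name and the signing key are hypothetical choices.
COOKIE_NAME = "vid"
SIGNING_KEY = secrets.token_bytes(32)  # regenerated per process here; persist it in a real deployment


def issue_cookie(key: bytes = SIGNING_KEY) -> str:
    """Mint a random visitor id and append a truncated HMAC so only ids we issued are honoured."""
    token = secrets.token_urlsafe(16)
    sig = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{token}.{sig}"


def verify_cookie(value: Optional[str], key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the visitor id if the cookie carries a valid signature, otherwise None."""
    if not value or "." not in value:
        return None
    token, _, sig = value.rpartition(".")
    expected = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:32]
    # Constant-time comparison on bytes so a non-ASCII forgery cannot raise.
    if hmac.compare_digest(sig.encode(), expected.encode()):
        return token
    return None


@dataclass
class Decision:
    allowed: bool
    key: tuple                 # ("cookie", visitor_id) or ("ip", address)
    count: int                 # requests from this key inside the window, including this one
    set_cookie: Optional[str]  # a fresh cookie to send when the client presented no valid one


class VisitorTracker:
    """Sliding-window request counter with separate limits for cookied visitors and bare IPs."""

    def __init__(self, per_visitor_limit: int = 60, per_ip_limit: int = 600,
                 window_seconds: float = 60.0):
        self.per_visitor_limit = per_visitor_limit
        self.per_ip_limit = per_ip_limit      # higher: one NAT address may hide many users
        self.window = window_seconds
        self.hits = defaultdict(deque)        # key -> timestamps of recent requests

    def _count(self, key: tuple, now: float) -> int:
        """Record a hit for key at time now and return how many hits remain in the window."""
        q = self.hits[key]
        q.append(now)
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def check(self, cookies: dict, remote_ip: str, now: float) -> Decision:
        """Decide whether this request is within its limit; now is a Unix/monotonic timestamp."""
        vid = verify_cookie(cookies.get(COOKIE_NAME))
        if vid is not None:
            key, limit, new_cookie = ("cookie", vid), self.per_visitor_limit, None
        else:
            # No valid cookie: count against the IP and offer the client a signed cookie.
            key, limit, new_cookie = ("ip", remote_ip), self.per_ip_limit, issue_cookie()
        count = self._count(key, now)
        return Decision(count <= limit, key, count, new_cookie)


if __name__ == "__main__":
    tracker = VisitorTracker(per_visitor_limit=3, per_ip_limit=5, window_seconds=10.0)
    cookie = issue_cookie()
    for i in range(4):
        d = tracker.check({COOKIE_NAME: cookie}, "203.0.113.7", 100.0 + i)  # constructed input
        print(d.key, d.count, "allowed" if d.allowed else "BLOCKED")
```

In a request handler, `check()` runs before the page is rendered; a blocked decision becomes a 429 response and `set_cookie`, when present, goes out with the response. The cookie is only evidence that a cooperating client returns, which is why the per-IP bucket stays as the backstop: a client that never sends the cookie back is simply rate-limited as an IP. The in-memory `hits` dict is fine for one process; with several workers the counters need to live in something shared.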
A: 

You could store their IP and User Agent string as their identifier; however, it will fail in somewhat common circumstances like large intranets. You could use a cookie as an identifier, and log their last access to a page... then you could implement logic like

// $lastAccessedTime holds the Unix timestamp of this visitor's previous request
if (time() - $lastAccessedTime < 2) {
    // possibly an abusive user ... requesting pages too rapidly!
}

If they don't have cookies enabled - well that's up to you.

alex
A: 

Use IP address, user agent string and cookie; prolong the time needed to get the page displayed when the page is often accessed by that particular combination of IP, user agent and cookie. You can do:

sleep($n);  // $n is the delay in seconds

where $n increases exponentially when the page is requested many times in a row...

dusoft
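The two previous answers both lean on timing: alex's check on the time since the last access, and dusoft's delay that grows exponentially with consecutive rapid requests. As an added example (not code from either answer), the class below keeps a per-visitor last-seen timestamp and a streak counter, treats a request as "rapid" when it arrives sooner than a threshold after the previous one, and returns a delay that doubles with each rapid request past a small grace allowance, capped at a maximum. The visitor key can be whatever identifies the visitor (a cookie id, an IP, or the combination dusoft suggests). The threshold, base delay, cap and grace values are assumptions for illustration.

```python
"""Escalating (tarpit) delay for visitors who keep requesting pages too rapidly."""
import time
from dataclasses import dataclass
from typing import Dict, Hashable, Optional


@dataclass
class ThrottleState:
    last_seen: Optional[float] = None  # timestamp of the previous request, None on first sight
    rapid_streak: int = 0              # consecutive requests that arrived "too soon"


class Tarpit:
    """Hypothetical helper: computes how long to stall a visitor based on their recent pace."""

    def __init__(self, rapid_threshold: float = 2.0, base_delay: float = 0.5,
                 max_delay: float = 30.0, grace: int = 3):
        self.rapid_threshold = rapid_threshold  # seconds; a gap shorter than this is "rapid"
        self.base_delay = base_delay            # first non-zero delay, in seconds
        self.max_delay = max_delay              # cap so the delay cannot grow without bound
        self.grace = grace                      # rapid requests tolerated before any delay
        self.state: Dict[Hashable, ThrottleState] = {}

    def delay_for(self, visitor_key: Hashable, now: float) -> float:
        """Record a request at time now and return the delay (seconds) to impose on it."""
        st = self.state.setdefault(visitor_key, ThrottleState())
        if st.last_seen is not None and now - st.last_seen < self.rapid_threshold:
            st.rapid_streak += 1
        else:
            st.rapid_streak = 0  # a normal pause resets the escalation
        st.last_seen = now
        excess = st.rapid_streak - self.grace
        if excess < 0:
            return 0.0
        # base_delay, 2*base_delay, 4*base_delay, ... up to max_delay
        return min(self.base_delay * (2 ** excess), self.max_delay)

    def throttle(self, visitor_key: Hashable) -> float:
        """Convenience wrapper that actually sleeps for the computed delay and returns it."""
        delay = self.delay_for(visitor_key, time.monotonic())
        if delay > 0:
            time.sleep(delay)
        return delay


if __name__ == "__main__":
    tarpit = Tarpit(rapid_threshold=2.0, base_delay=0.5, max_delay=30.0, grace=3)
    # Constructed input: one visitor requesting a page every second for 11 seconds.
    for t in range(11):
        print(t, tarpit.delay_for(("ip", "203.0.113.9"), float(t)))
```

One caveat on the sleep-based approach itself: a worker that is sleeping is still a worker the attacker has tied up, so a synchronous web server that stalls abusive clients can run out of workers faster than it would by refusing them. Past a modest delay it is usually better to stop serving the request and answer 429 with a Retry-After header instead of sleeping, which is why the delay computation above is separated from the sleep and capped.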