I have been experimenting with:
ob_implicit_flush(true);
ob_start();
$timelimit=10;
while ($timelimit>=0){
    $timelimit=$timelimit-1;
    echo "1";
    sleep(1);
    flush();
    ob_flush();
}
ob_end_flush();
php.ini:
output_buffering = Off
I expect to see "1" added every second until the script completes execution. Instead I see everything only after the script has ended.
What am I doing wrong here?
It was working the whole time. I was calling the PHP via ajax, not realizing that the ajax was the culprit.
if ((this.readyState == 4 || this.readyState == 3) && this.status == 200) {
<?php
if (!isset($_SESSION)) {
    session_start();
}
// anti flood protection
if($_SESSION['last_session_request'] > time() - 2){
    // users will be redirected to this page if they make requests faster than 2 seconds
    header("location: http://www.example.com/403.html");
    exit;
}
$_SESSION['last_session_request'] = time();
?>
I've already tested this script; as you raise the number of seconds, it will keep redirecting to http://www.example.com/403.html without any reason.
Can anyone tell me why?
Let's think about this logically for a second...
The attacker's request is already being sent to the web-server and through to the PHP script.
The bottle-neck which causes failure in DDoS attacks is the web-server.
The idea behind a DDoS attack is just that - to cause a denial of service, in which the website/server is unable to process any new requests. So in essence, this approach is irrational.
You need to go up the ladder of request handling.
If you have a server at your disposal, it's easier. You could simply implement a rate limiting rule on the kernel firewall/iptables.
But assuming you do not have access to that, Apache is still at your disposal - although not as efficient.
Implementing a rule within .htaccess is a better solution, but still not perfect.
But depending on the DDoS attack, there's no real solution at the developer's disposal to block it.
I'm using a good anti-flood script that does not need cookies (perfect for web services). It's not perfect against advanced DDoS attacks, but it's enough for preventing beginners' attacks and automatic multiple requests.
To use it, you first need to create a "flood" folder with a "ctrl" file inside and a "lock" subfolder. These also need to be set with the correct permissions.
Already tested by me.
define("SCRIPT_ROOT", dirname(__FILE__));
// number of allowed page requests for the user
define("CONTROL_MAX_REQUESTS", 3);
// time interval to start counting page requests (seconds)
define("CONTROL_REQ_TIMEOUT", 2);
// seconds to punish the user who has exceeded in doing requests
define("CONTROL_BAN_TIME", 5);
// writable directory to keep script data
define("SCRIPT_TMP_DIR", SCRIPT_ROOT."/flood");
// you don't need to edit below this line
define("USER_IP", $_SERVER["REMOTE_ADDR"]);
define("CONTROL_DB", SCRIPT_TMP_DIR."/ctrl");
define("CONTROL_LOCK_DIR", SCRIPT_TMP_DIR."/lock");
define("CONTROL_LOCK_FILE", CONTROL_LOCK_DIR."/".md5(USER_IP));
#mkdir(CONTROL_LOCK_DIR);
#mkdir(SCRIPT_TMP_DIR);
if (file_exists(CONTROL_LOCK_FILE)) {
    if (time()-filemtime(CONTROL_LOCK_FILE) > CONTROL_BAN_TIME) {
        // this user has completed his punishment
        unlink(CONTROL_LOCK_FILE);
    } else {
        // too many requests
        echo "<h1>DENIED</h1>";
        echo "Please try later.";
        touch(CONTROL_LOCK_FILE);
        die;
    }
}
function antiflood_countaccess() {
    // counting requests and last access time
    $control = Array();
    // a freshly created "ctrl" file is empty, so only read it when it has content
    if (file_exists(CONTROL_DB) && filesize(CONTROL_DB) > 0) {
        $fh = fopen(CONTROL_DB, "r");
        $data = unserialize(fread($fh, filesize(CONTROL_DB)));
        fclose($fh);
        // ignore a corrupted control table
        if (is_array($data)) {
            $control = $data;
        }
    }
    if (isset($control[USER_IP])) {
        if (time()-$control[USER_IP]["t"] < CONTROL_REQ_TIMEOUT) {
            $control[USER_IP]["c"]++;
        } else {
            $control[USER_IP]["c"] = 1;
        }
    } else {
        $control[USER_IP]["c"] = 1;
    }
    $control[USER_IP]["t"] = time();
    if ($control[USER_IP]["c"] >= CONTROL_MAX_REQUESTS) {
        // this user did too many requests within a very short period of time
        $fh = fopen(CONTROL_LOCK_FILE, "w");
        fwrite($fh, USER_IP);
        fclose($fh);
    }
    // writing updated control table
    $fh = fopen(CONTROL_DB, "w");
    fwrite($fh, serialize($control));
    fclose($fh);
}
Taken from here: https://github.com/damog/planetalinux/blob/master/www/principal/suscripcion/lib/antiflood.hack.php
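The script above reads and rewrites one shared control file without locking, so concurrent requests can overwrite each other's counts. The following is an added example, not part of the original answer or the linked project: a per-IP limiter that keeps one JSON state file per client under an exclusive lock. `flood_check()`, the `flood_demo` directory and the fail-open policy are assumptions.

```php
<?php
// Added example (not the linked project's code). flood_check() and $dir are assumed names.
function flood_check(string $dir, string $ip, int $max = 3, int $window = 2,
                     int $ban = 5, ?int $now = null): int
{
    $now = $now ?? time();
    // One state file per client; hashing keeps the raw address out of the file name.
    $fh = fopen($dir . '/' . hash('sha256', $ip) . '.json', 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return 0; // storage unavailable: fail open (assumed policy)
    }
    // The exclusive lock makes read-modify-write atomic across concurrent requests.
    $state = json_decode((string) stream_get_contents($fh), true);
    $state = (is_array($state) ? $state : []) + ['start' => $now, 'count' => 0, 'until' => 0];

    if ($now < $state['until']) {
        $retry = $state['until'] - $now;          // still banned
    } else {
        if ($now - $state['start'] >= $window) {  // window expired: start a new one
            $state['start'] = $now;
            $state['count'] = 0;
        }
        $state['count']++;
        $retry = 0;
        if ($state['count'] > $max) {             // over the limit: ban from now
            $state['until'] = $now + $ban;
            $retry = $ban;
        }
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $retry; // 0 = allowed, otherwise seconds until the client may retry
}

// Constructed demo: five requests in the same second from one documentation address.
$dir = sys_get_temp_dir() . '/flood_demo';
is_dir($dir) || mkdir($dir, 0700);
array_map('unlink', glob($dir . '/*.json'));      // start the demo from a clean state
for ($i = 1; $i <= 5; $i++) {
    $retry = flood_check($dir, '203.0.113.7', 3, 2, 5, 1000);
    echo "request $i: ", $retry === 0 ? "allowed" : "429, Retry-After: $retry", "\n";
}
// In a page: if ($retry > 0) { http_response_code(429); header("Retry-After: $retry"); exit; }
```

Keep the state directory outside the web root, and key on `$_SERVER['REMOTE_ADDR']` rather than a client-supplied header.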
just change > to <:
<?php
if (!isset($_SESSION)) {
    session_start();
}
// anti flood protection
if($_SESSION['last_session_request'] < time() - 2){
    // users will be redirected to this page if they make requests faster than 2 seconds
    header("location: http://www.example.com/403.html");
    exit;
}
$_SESSION['last_session_request'] = time();
?>
What spudinksi said still holds true, however here is what you're looking for:
<?php
if (!isset($_SESSION)) {
    session_start();
}
// the first request of a session has no timestamp yet
if(isset($_SESSION['last_session_request']) && $_SESSION['last_session_request'] > (time() - 5)){
    if(empty($_SESSION['last_request_count'])){
        $_SESSION['last_request_count'] = 1;
    }elseif($_SESSION['last_request_count'] < 5){
        $_SESSION['last_request_count'] = $_SESSION['last_request_count'] + 1;
    }elseif($_SESSION['last_request_count'] >= 5){
        header("location: http://www.example.com/403.html");
        exit;
    }
}else{
    $_SESSION['last_request_count'] = 1;
}
$_SESSION['last_session_request'] = time();
?>
To stop a DDoS, add a null route for that IP, like this:
route add -host ???.???.???.??? reject
There is a script called IOSec, which is quite old, but it might help.
This will count page reloads and also save the time after 3 seconds.
If it gives problems or is too easy for newbies to bypass, then leave a comment.
if(empty($_SESSION['AFsys_time']) || $_SESSION['AFsys_time'] == '0') {
    $tGoal = time() + 3; // Plus Seconds
    $_SESSION['AFsys_time'] = $tGoal;
}
if(empty($_SESSION['AFsys_pReloads']) || $_SESSION['AFsys_pReloads'] == 0 ) {
    $_SESSION['AFsys_pReloads'] = 1;
} else {
    $_SESSION['AFsys_pReloads']++;
}
if($_SESSION['AFsys_time'] < time()){
    $_SESSION['AFsys_time'] = 0; // Session Reset
    $_SESSION['AFsys_pReloads'] = 0; // Session Reset
}
if($_SESSION['AFsys_pReloads'] > 5 && $_SESSION['AFsys_time'] > time()){
    $_SESSION['AFsys_time'] = 0; // Session Reset
    $_SESSION['AFsys_pReloads'] = 0; // Session Reset
    header("location: http://www.example.com/403.html");
    exit;
}
This code does not work against curl looping like this; the session will be created again on every curl exec:
for ($i=0;$i<999999999999999;$i++){
/**/
$c=curl_init();
curl_setopt($c,CURLOPT_URL,"URL YOU WANT ATTACK");
curl_setopt($c,CURLOPT_DNS_USE_GLOBAL_CACHE,TRUE);//dns
curl_setopt($c,CURLOPT_HEADER,0);//get the header
curl_setopt($c,CURLOPT_CONNECTTIMEOUT ,10);//get the header
curl_setopt($c,CURLOPT_NOBODY,0);//and *only* get the header
curl_setopt($c,CURLOPT_RETURNTRANSFER,1);//get the response as a string from curl_exec(), rather than echoing it
curl_setopt($c,CURLOPT_FRESH_CONNECT,1);//don't use a cached version of the url
curl_setopt($c, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0');
curl_setopt($c, CURLOPT_HTTPHEADER, array('Content-type: application/x-www-form-urlencoded;charset=UTF-8' ));
echo "\n $i";
}
The session may not work, because we don't have a session cookie.
I recommend something like this:
$load = sys_getloadavg();
if ($load[0] > 20) {
    header('HTTP/1.1 503 Too busy, try again later');
    die('Server too busy. Please try again later.');
}
Or you can
shell_exec('/sbin/iptables -I INPUT -j DROP -s ' . $ip);
for the DDoSing $ip
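The `shell_exec()` line above concatenates `$ip` into a shell command line, so the value must be a literal address before it gets anywhere near a command. An added example, not part of the original post, that validates the address and builds an argument vector instead of a shell string; `block_argv()`, `run_argv()`, the `/sbin/ip6tables` path and the sample inputs are assumptions, and the PHP process would need the privilege to change firewall rules.

```php
<?php
// Added example, not from the original post; block_argv() and run_argv() are assumed names.
function block_argv(string $ip): ?array
{
    // Accept only a literal IPv4 or IPv6 address; anything else is rejected outright.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $bin = '/sbin/iptables';
    } elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $bin = '/sbin/ip6tables';   // assumed path, mirroring /sbin/iptables from the post
    } else {
        return null;
    }
    // Every argument is a separate array element, so nothing is parsed by a shell.
    return [$bin, '-I', 'INPUT', '-s', $ip, '-j', 'DROP'];
}

function run_argv(array $argv): int
{
    // PHP 7.4+: an array command is executed directly, without /bin/sh.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    foreach ($pipes as $pipe) {
        fclose($pipe);
    }
    return proc_close($proc);       // exit status of the command
}

// Constructed inputs: two documentation addresses and two strings that are not addresses.
// Take the real value from $_SERVER['REMOTE_ADDR'], never from a client-supplied header.
foreach (['203.0.113.7', '2001:db8::1', '203.0.113.7; id', '$(id)'] as $candidate) {
    $argv = block_argv($candidate);
    echo str_pad($candidate, 20), $argv === null ? 'rejected' : implode(' ', $argv), "\n";
    // A caller that trusts the result would then run: run_argv($argv);
}
```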
Something seems wrong with my php script, but I have no idea what it is. The only possible thing that seems to be wrong is something to do with the cache, but I am not sure. Here's my script, I'll tell you what's happened below the code:
<?php
set_time_limit(0);
header('Content-Type:text/event-stream');
$prevmod=$lastmod=filemtime('chattext.txt');
function waitformod(){
    global $lastmod;
    global $prevmod;
    while($prevmod==$lastmod){
        usleep(100000);
        clearstatcache();
        $lastmod=filemtime('chattext.txt');
    }
    echo 'data:'.file_get_contents('chattext.txt').PHP_EOL.PHP_EOL;
    flush();
    $prevmod=$lastmod;
}
while(true){
    waitformod();
}
?>
This is supposed to be used with the JavaScript EventSource and send the contents of chattext.txt whenever it is modified. The file does not output anything, however. I think it is because of the infinite loop. Is there any way to fix this?
Does something like this work better?
<?php
set_time_limit(0);
header('Content-Type:text/event-stream');
$prevmod = $lastmod = filemtime('chattext.txt');
function waitformod(){
    global $lastmod;
    global $prevmod;
    while($prevmod == $lastmod) {
        usleep(100000);
        clearstatcache();
        $lastmod = filemtime('chattext.txt');
    }
    echo 'data:'.file_get_contents('chattext.txt').PHP_EOL.PHP_EOL;
    flush();
    $prevmod = $lastmod;
}
while(1) {
    waitformod();
}
Your current code looks like it reads the file, outputs it, waits for it to change, and then terminates.
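Both scripts above send the whole file after a single `data:` prefix, so chat text with more than one line is cut short by the browser, and a blank line followed by text such as `event: ...` is parsed as a separate event. An added example, not part of the original posts, that frames each payload line as its own `data:` field and leaves PHP's output buffers before sending; `sse_frame()`, `sse_send()` and the sample chat text are assumptions.

```php
<?php
// Added example, not from the original posts. sse_frame() and sse_send() are assumed names.
function sse_frame(string $payload, ?string $event = null): string
{
    $out = '';
    if ($event !== null) {
        // The event name is a single-line field: strip CR/LF so it cannot start another field.
        $out .= 'event: ' . str_replace(["\r", "\n"], '', $event) . "\n";
    }
    // Split on any line ending and prefix every line, including empty ones, with "data: ".
    foreach (preg_split('/\r\n|\r|\n/', $payload) as $line) {
        $out .= 'data: ' . $line . "\n";
    }
    return $out . "\n"; // a single blank line ends the event
}

function sse_send(string $payload, ?string $event = null): bool
{
    while (ob_get_level() > 0) {   // leave every PHP output buffer first
        ob_end_flush();
    }
    echo sse_frame($payload, $event);
    flush();
    return !connection_aborted();  // false once the client has gone away
}

// Constructed chat content: a blank line followed by text that looks like SSE fields.
$chat = "alice: hi\n\nevent: admin\ndata: spoofed";
echo "--- as posted ---\n", 'data:' . $chat . PHP_EOL . PHP_EOL;
echo "--- framed ---\n", sse_frame($chat, 'chat');
```

In the polling loop, stop when `sse_send()` returns false so the script does not keep running after the browser has disconnected.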
I was trying to get CodeIgniter to output text as the script was working but couldn't get it to work. I have searched on here and Google and seen people using ob_end_flush(); and flush();, along with adding more bytes so the browser can output. But none of that is working in CI 2.x. If anyone has had luck with this, thanks in advance.
I have tried
function test()
{
    ob_end_flush();
    echo "test1";
    ob_start();
    sleep(3);
    ob_end_flush();
    echo "test1";
    ob_start();
    sleep(3);
    ob_end_flush();
    echo "test1";
    ob_start();
}
With no luck. The script waits 6 seconds then spits everything out at once. I would like it to echo the output to the screen then wait 3 seconds then output the next echo then wait another 3 seconds etc.
I tried this today and it didn't work either. Then I looked at the core's output class and there was a private _display() function. I figured that the output is collected into some variable before it's displayed, and then at last this function is called. So before my code in the controller method, I added this line:
$this->output->_display("");
and then ran the code. It worked. So your modified function would be like this :
function test()
{
    $this->output->_display("");
    ob_end_flush();
    echo "test1";
    ob_start();
    sleep(3);
    ob_end_flush();
    echo "test1";
    ob_start();
    sleep(3);
    ob_end_flush();
    echo "test1";
    ob_start();
}
The issue you're having with CodeIgniter specifically is that there is already an output buffer in effect. Preceding your test with the following snippet will get you out of PHP-level buffering at least:
// try to bust out of output buffering
while(ob_get_level()) {
    ob_end_flush();
}
ob_end_flush();
As noted by @Wesley, this can still be undermined by your server's configuration, but in my current setup I can stream output back after busting out of all output buffers.
Check your server API with
phpinfo();
If your server API is
Server API : CGI/FastCGI
then on CentOS add the line below to "/etc/httpd/conf.d/fcgid.conf":
OutputBufferSize 0
Restart your Apache server and try the code below:
ob_start();
for($i = 0; $i < 10; $i ++) {
    echo $i;
    echo '<br />';
    // push PHP's buffer to the server first, then flush the server's buffer to the client
    ob_flush();
    flush();
    sleep(1);
}
Code:
echo "1";
sleep(1);
echo "2";
sleep(1);
echo "3";
What I am trying to do is have the script echo "1" on the screen, wait for one second, then display "2", etc. As is, the script waits for 2 seconds then displays all content at once. All I know about this is that it has to do with buffering.
Disable output buffering by flushing at the beginning of script, and activate implicit output buffer flushing. This should do it:
ob_implicit_flush(true);
ob_end_flush();
for ($i=0; $i<5; $i++) {
    echo $i.'<br>';
    sleep(1);
}
Use ob_start(); to capture the output in combination with ob_flush(); flush(); to send it out to the browser, periodically.
So your example would become:
ob_start();
echo "1";
ob_flush(); flush();
sleep(1);
echo "2";
ob_flush(); flush();
sleep(1);
// ...
I don't think this is the classy way to do something like this. This kind of stuff needs to be done on the client side with JavaScript, not on the server side with PHP.