Important Need Help

IMP_TWI

Alright, So I use to do a lot of ddos-testing and found the best way that sites are crashed in order to give people an idea of what they need to fix. Up until now I've never tried patching it which is why I need suggestions/help in order to learn how to stop it.

I need to know if there's a way to stop a page from being refreshed through f5, as well as blocking a page to be refreshed in general (IE firefox has a feature that lets you refresh every few seconds, I need to know if that can be stopped/patched so it doesn't work)

Any help would be appreciated.

dagon

no one preforms a dos attack by pressing f5 on their browser, that's crazy talk

IMP_TWI

Not crazy talk, It depends on the power of your server. No one in their right mind would waste time using F5 as it would take well over 50 refreshes, but it IS possible and people have used it. F5+Enter is all that they'd need to press after pressing an option that forces the server to send information to the DB.

dagon

IMP_TWI;10896155 wrote:
Not crazy talk, It depends on the power of your server. No one in their right mind would waste time using F5 as it would take well over 50 refreshes, but it IS possible and people have used it. F5+Enter is all that they'd need to press after pressing an option that forces the server to send information to the DB.

Happy to be proved wrong, please cite evidence for your claim.

dagon

duplicate, sorry about that

bradgrafelman

If your server crashes/does anything wrong simply by you pressing F5 and refreshing the page, then your server must be a Pentium I computer running on a 28.8 kbps dial-up modem. Try upgrading. 🙂

That's why Apache/IIS have tools to simulate multiple simultaneous connections (e.g. 100+) to stress-test your server.

IMP_TWI

The server I'm working on doesn't crash by a simple refresh. But ANY server will crash if you send a few hundred querys to the server every second. And that's the whole point of this post, To see if there's a way to stop people from sending the same query multiple times which would break the chain of them sending the same query over and over on refresh. Maybe instead of being dickheads about it you should just give your thoughts on the matter instead of working around the issue. I've crashed a lot of sites to make it better, I know how simple it is and am trying to find a way to stop it. If you don't want to contribute, then simply don't post in reply to this thread.

IMP_TWI

dagon maybe you should quit being a (mean person) and help to explain to me the best solution to stopping refresh of querys instead of jumping on here to start trouble. As far as the server goes, it doesn't crash after a simple refresh, but any server will go down if someone can run a few hundred refreshes of the same query per second.

bradmasterx

DDOS attacks ii use Net Tools For, So Figure out how it can be stopped.

Piranha

It seems to me that you have to define what you try to protect yourself from:

People that think it takes to long to load the page and presses F5.
People that presses F5 repeatedly.
People that, as you say yourself, use F5 + Enter.
People that have a tool to send multiple requests at (almost) the same time.
Several computers that send requests to your page at the same time.
Big ddos attacks with hundreds or thousands of computers.

The way of protection differs depending on what you try to avoid.

By the way, I suggest that you read up a bit on the definition of DoS and DDoS attacks. It seems to me that you don't really understand the difference.

IMP_TWI

The reason I suggested F5+Enter was just as an example of one way someone can send multiple queries of the same kind with little effort. What I'm trying to stop is people from being able to refresh the same page (If it sends any type of query) and redirect them if they try to refresh the page (IE: You may not refresh this page, you will be redirected)

bradgrafelman

So they can only view the page once? What if something happens and their browser doesn't download all of the content/images? They're out of luck?

I suppose if you really wanted it to be a one-time only chance to view the page, you could use session variables to track whether a given page has been loaded (or what the last "query" was) and check that to detect a page refresh. If they use some sort of prefetching software however (e.g. Google Web Accelerator) then they may not even get to see the page at all, however.

djjjozsi

user get into your page, and run a query
save the time() in session as last_query

when the user press the refresh button, if the last_time is in 5 seconds lets increase a counter +1,
if this counter is bigger than 5, lets inform that He/She
must be waiting till the next query is possible, after filling an image activation code.

Hello,
jjozsi.

Piranha

IMP_TWI;10897004 wrote:
The reason I suggested F5+Enter was just as an example of one way someone can send multiple queries of the same kind with little effort. What I'm trying to stop is people from being able to refresh the same page (If it sends any type of query) and redirect them if they try to refresh the page (IE: You may not refresh this page, you will be redirected)

This have got nothing at all to do with DDoS attacks, or even DoS attacks. To me it seems that the real problem is that you don't want duplicate data in the database. My answer below assumes that this is correct.

Probably the best solution is to use a session variable, as bradgrafelman suggests. But you have to think about that it is possible to have more than one tab open with the same session, making it important to think about your design. One way to get around it is to use the same as this forum, a security token that is unique that you send as a hidden field into the form and then read again when you receive an answer. You then have the possibility to know if it was sent already or not.

By the way, next time please describe your problem in a clear way to start with instead of trying to use descriptions that you clearly don't know anything about. A good start is to learn how to ask questions the smart way.

As far as the server goes, it doesn't crash after a simple refresh, but any server will go down if someone can run a few hundred refreshes of the same query per second.

Not at all. We have stress tested servers with more than 10.000 queries per second without problems at work. With database access. And that are pretty small servers.