Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Denial Of Service Attack Update
The Lounge What is on Your Mind? Denial Of Service Attack Update Post 303036021 by Neo on Wednesday 12th of June 2019 04:48:43 PM
Old 06-12-2019
Denial Of Service Attack Update
Dear All,

We were hit with a denial of service (DOS) attack today beginning around June 12th 2019 @ 01:27:51 PM from an IP address registered to "RACKWEB-NET" in Bulgaria.

I was notified about this around June 12th 2019 @ 03:05 PM and did some log file analysis and discovered how the attack was happening and wrote some code to mitigate against the attack.

I think the site was down for about 1 hour and 19 minutes because of the attack.

The code I wrote will filter against these kinds of DOS attacks in the future.

Thank you for your support,

Neo

EDIT: In addition to the PHP changes, I made some changes to the DB configuration as well to help insure this kind of attack cannot succeed in the future.
These 9 Users Gave Thanks to Neo For This Post:
bakunin drl jim mcnamara MadeInGermany RavinderSingh13 Scrutinizer vgersh99 wisecracker Yudicoy
 

LEARN ABOUT PHP

hash_equals

HASH_EQUALS(3)								 1							    HASH_EQUALS(3)

hash_equals - Timing attack safe string comparison

SYNOPSIS

       bool hash_equals (string  $known_string, string	$user_string)

DESCRIPTION

	Compares two strings using the same time whether they're equal or not.

	This function should be used to mitigate timing attacks; for instance, when testing crypt(3) password hashes.

PARAMETERS

	      o $known_string
		- The string of known length to compare against

	      o $user_string
		- The user-supplied string

RETURN VALUES

	Returns TRUE when the two strings are equal, FALSE otherwise.

ERRORS
/EXCEPTIONS
	Emits an E_WARNING message when either of the supplied parameters is not a string.

EXAMPLES

       Example #1

	       example

	      <?php
	      $expected  = crypt('12345', '$2a$07$usesomesillystringforsalt$');
	      $correct	 = crypt('12345', '$2a$07$usesomesillystringforsalt$');
	      $incorrect = crypt('apple',  '$2a$07$usesomesillystringforsalt$');

	      var_dump(hash_equals($expected, $correct));
	      var_dump(hash_equals($expected, $incorrect));
	      ?>

	      The above example will output:

	      bool(true)
	      bool(false)

NOTES

       Note

	       Both  arguments	must  be of the same length to be compared successfully. When arguments of differing length are supplied, FALSE is
	      returned immediately and the length of the known string may be leaked in case of a timing attack.

       Note

	       It is important to provide the user-supplied string as the second parameter, rather than the first.

PHP Documentation Group 													    HASH_EQUALS(3)
All times are GMT -4. The time now is 09:15 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy