On Oct 13, 2006, at 2:16 PM, Ryan Barclay wrote:

> A simple question I imagine, but I am wondering how I would combat
> DoS attacks by users holding the REFRESH key on their browsers?
>
> I have reproduced this error on a PHP-MYSQL website and when I hold
> the REFRESH key on for a while, page gen times shoot up
> dramatically and hundreds of processes are created.
>
> Is there a way I can stop this/limit the connections/processes in
> apache conf/php.ini?

Apache.conf ThreadsPerChild?

> What can I do to combat this method of DoS?

How do you consider this a DoS attack? Are you seeing servers
crippled because a user or a couple of users keep hitting the refresh
key? Honestly, it seems extreme. Your server should be able to
handle much higher loads than that, especially when PHP starts
caching pages, etc.. I would start double checking the server
config, etc..

Also, if you're really worried about someone "attacking" a site like
this, you could just take advantage of PHP's auto_prepend to
automatically log the IP and a time stamp of each page request... and
if the last page request is within N seconds of the current request,
you just redirect the user to a page that says something like "server
busy, try again in a moment".

-Ed