10-14-2006
Ryan Barclay
 
Re: [PHP] PHP Denial of service

It hasn't actually been attempted. However, if a couple of users were
to hold the refresh, the page generation times would go up ridiculously
and clients would be waiting over 20sec for pages. As mentioned, it's a
very heavy php-mysql script with lots of queries.

Ryan

--
Ryan Barclay

RBFTP Networks Ltd.

DDI: +44 (0)870 490 1870
WWW: http://www.rbftpnetworks.com
BBS: http://forums.rbftpnetworks.com



Ed Lazor wrote:
>
> On Oct 13, 2006, at 2:16 PM, Ryan Barclay wrote:
>
>> A simple question I imagine, but I am wondering how I would combat
>> DoS attacks by users holding the REFRESH key on their browsers?
>>
>> I have reproduced this error on a PHP-MYSQL website and when I hold
>> the REFRESH key on for a while, page gen times shoot up dramatically
>> and hundreds of processes are created.
>>
>> Is there a way I can stop this/limit the connections/processes in
>> apache conf/php.ini?

>
> Apache.conf ThreadsPerChild?
>
>> What can I do to combat this method of DoS?

>
> How do you consider this a DoS attack? Are you seeing servers
> crippled because a user or a couple of users keep hitting the refresh
> key? Honestly, it seems extreme. Your server should be able to
> handle much higher loads than that, especially when PHP starts caching
> pages, etc. I would start double checking the server config, etc.
>
> Also, if you're really worried about someone "attacking" a site like
> this, you could just take advantage of PHP's auto_prepend to
> automatically log the IP and a time stamp of each page request... and
> if the last page request is within N seconds of the current request,
> you just redirect the user to a page that says something like "server
> busy, try again in a moment".
>
> -Ed
>
>

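The per-IP check Ed describes, written out as an added example that is not code from either poster. The file name `throttle.php`, the 2-second `MIN_INTERVAL`, and the state directory under the system temp dir are assumptions; it answers with a 503 and `Retry-After` rather than redirecting, and it touches no database so the check stays cheap compared with the page it protects.

```php
<?php
// throttle.php (added example). Load it before every script via php.ini:
//   auto_prepend_file = /path/to/throttle.php
// MIN_INTERVAL and the state directory are assumed values, not from the thread.

const MIN_INTERVAL = 2.0; // the "N seconds" allowed between requests from one IP

/**
 * Records $now as the latest request time for $ip and returns true when the
 * previous request from that IP was less than $minInterval seconds earlier.
 */
function too_soon(string $ip, float $now, string $dir, float $minInterval): bool
{
    if (!is_dir($dir) && !@mkdir($dir, 0700, true) && !is_dir($dir)) {
        return false; // fail open: missing state must not take the site down
    }
    // Hash the address so it is safe as a file name (IPv6 contains ':').
    $fh = fopen($dir . '/' . hash('sha256', $ip), 'c+');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX); // serialise concurrent requests from the same IP
    $last = (float) stream_get_contents($fh); // empty file reads as 0.0
    $tooSoon = ($now - $last) < $minInterval;
    // Every request is logged, so holding refresh keeps the client throttled
    // until the requests actually stop.
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, sprintf('%.4f', $now));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $tooSoon;
}

if (PHP_SAPI !== 'cli') {
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $dir = sys_get_temp_dir() . '/php_throttle';
    if ($ip !== '' && too_soon($ip, microtime(true), $dir, MIN_INTERVAL)) {
        http_response_code(503);
        header('Retry-After: ' . (int) ceil(MIN_INTERVAL));
        header('Content-Type: text/plain; charset=utf-8');
        exit("Server busy, try again in a moment.\n"); // heavy page never runs
    }
}
```

`REMOTE_ADDR` is shared by every user behind the same NAT or proxy, so they are throttled together. The state directory grows by one small file per client address and needs periodic cleanup.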