If I'm getting bombed by a .NET program created in C#, bombed by a user submitting $_POST fields on a form in mass quantities... it's a contact form. I'm not sure how mass $_POST submission occurs from a .NET program or a C++ program; I have no idea. I had an idea to counter this.
My first idea requires $_SESSION, but... would the $_POST bombing program(s) the user created handle/accept $_SESSION? I don't want to find out; maybe someone with experience of the WebClient class in C# knows if it handles $_SESSION's, or whatever the user is using. I'm considering using something like this:

    $_SESSION['submitted'] = $count;
    $count++;
    if ($_SESSION['submitted'] > 5) {
        // display captcha or block site
    } else {
        $count++;
    }

If the user's program didn't handle $_SESSION, is there any way possible I can disable the site for them so they can't attack the contact form?
Bypassing a session lockout is trivial for a malicious user: delete the session cookie after each post, and you get a brand new clean session with the limit reset.

The secure way to block such a user is to start throttling by IP address. Limit the number of connection attempts per minute, and they won't be able to submit many requests per minute. Now, if they can hop between hosts you've got a bigger problem, and should look at moving the form elsewhere and returning a 404 at the old address (until they notice it's moved).

The downside is that if they're using a common proxy, or something like AOL, which proxies everything, you'd be blocking other legitimate users as well.
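The following is an added example, not code from the question or the answer, that models both ideas above in one place: the session-based counter from the question, which an attacker defeats by discarding the cookie so every POST starts a fresh session, and the per-IP sliding-window throttle the answer recommends, including the shared-proxy downside where a legitimate user behind the same address is blocked. The session store, the IP addresses (from the 192.0.2.0/24 documentation range) and the timestamps are all constructed for the simulation; nothing here is a real web framework's API.

```python
import time
from collections import deque

WINDOW_SECONDS = 60   # throttle window, as in "per minute"
MAX_PER_WINDOW = 5    # same limit the question uses (> 5 triggers the block)


class SessionCounter:
    """Models $_SESSION['submitted']: the submit count lives in the session.

    The weakness is structural: whoever controls the session cookie controls
    which counter is incremented, so a fresh session means a zeroed counter.
    """

    def __init__(self, limit=MAX_PER_WINDOW):
        self.limit = limit
        self.sessions = {}      # constructed in-memory store: session id -> count
        self.next_id = 0

    def new_session(self):
        """What the server does when a request arrives with no session cookie."""
        self.next_id += 1
        self.sessions[self.next_id] = 0
        return self.next_id

    def submit(self, session_id):
        """Count one POST; return True if the form is still accepted."""
        self.sessions[session_id] += 1
        return self.sessions[session_id] <= self.limit


class IpThrottle:
    """Sliding-window limiter keyed on client IP, independent of any cookie."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = {}          # ip -> deque of request timestamps (seconds)

    def allow(self, ip, now=None):
        """Record a request from `ip`; return True if it is under the limit."""
        now = time.time() if now is None else now
        q = self.hits.setdefault(ip, deque())
        while q and now - q[0] >= self.window:     # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                           # throttle: block or show a captcha
        q.append(now)
        return True


def simulate_session_bypass(attempts=20):
    """Attacker drops the cookie after every POST, so each POST gets a new session.

    Returns how many of the POSTs were accepted (expected: all of them).
    """
    counter = SessionCounter()
    return sum(1 for _ in range(attempts) if counter.submit(counter.new_session()))


def simulate_ip_throttle(attempts=20, ip="192.0.2.10"):
    """Same attacker, same cookie trick, but throttled by IP within one window.

    POSTs arrive 0.5 s apart (constructed timing); only `MAX_PER_WINDOW` pass.
    """
    throttle = IpThrottle()
    t0 = 1_000_000.0
    return sum(1 for i in range(attempts) if throttle.allow(ip, now=t0 + i * 0.5))


def simulate_shared_proxy(ip="192.0.2.20"):
    """The downside from the answer: attacker and a legitimate user share one proxy IP.

    Returns whether the legitimate user's single POST is accepted after the
    attacker has used up the window (expected: False, they are collateral).
    """
    throttle = IpThrottle()
    t0 = 2_000_000.0
    for i in range(MAX_PER_WINDOW):
        throttle.allow(ip, now=t0 + i)             # attacker fills the window
    return throttle.allow(ip, now=t0 + MAX_PER_WINDOW)


if __name__ == "__main__":
    print("session counter, cookie dropped each time:", simulate_session_bypass(), "of 20 accepted")
    print("per-IP throttle, same attacker:           ", simulate_ip_throttle(), "of 20 accepted")
    print("legitimate user behind the same proxy:    ", "accepted" if simulate_shared_proxy() else "blocked")
```

The deque per IP is what makes the window "sliding": a request is admitted as soon as the oldest counted hit is a full window old, so a blocked client recovers on its own without a cron job clearing counters. In a real deployment the store would be shared across workers (a cache or database keyed by IP) rather than a dictionary in one process.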