
implement IP address rate limiting function

ericoc committed Dec 28, 2014
1 parent 9a81400 commit 26d5026505965cf3ed60bc9c7f62696b07062042
Showing with 47 additions and 5 deletions.
  1. +11 −0 README.md
  2. +24 −0 functions.php
  3. +3 −2 gawsh.sql
  4. +1 −1 go.php
  5. +8 −2 index.php
@@ -16,6 +16,17 @@ My design skills suck, but it works. Thanks to [Jico](https://github.com/jico) f

### This section describes most of the main/index page of http://gaw.sh/

Check that the IP address adding the URL has not hit the rate limit defined within the isRude function in functions.php:

// Create an interval => limit array that defines rudeness for an IP address
$rudeness = array(1 => 1, 60 => 5, 3600 => 10, 86400 => 30);

To prevent abuse or spam, per the above array - a single IP address cannot add more than:
* 1 URL per second
* 5 URLs per minute (60 seconds)
* 10 URLs per hour (3,600 seconds)
* 30 URLs per day (86,400 seconds)

Check that URL actually exists and does not return 404
* http://php.net/manual/en/book.curl.php

@@ -1,5 +1,29 @@
<?php
// Create a function to determine if a specific IP addresses has made too many URLs within a short/recent time span by querying the database
function isRude($link, $ip) {
// Create an interval => limit array that defines rudeness for an IP address
$rudeness = array(1 => 1, 60 => 5, 3600 => 10, 86400 => 30);
foreach ($rudeness as $interval => $limit) {
$sql = "SELECT COUNT(*) FROM `urls` WHERE `ip` = :ip AND `time` > DATE_SUB(NOW(), INTERVAL $interval SECOND) AND `status` = '1'";
$checkrude = $link->prepare($sql);
$checkrude->bindParam(':ip', $ip);
$checkrude->execute();
$urlcount = $checkrude->fetchColumn();
// Return true stopping the addition of a URL if the IP address is rude and has hit or exceeded the limit for an interval
if ($urlcount >= $limit) {
return TRUE;
}
}
// All good if the IP address has not hit any of the limits and they are not rude
return FALSE;
}
// Create a function to check if a URL is valid/online phishing website according to PhishTank
function isPT ($url, $ptkey) {
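Review bot: The four COUNT queries in isRude are not atomic with the INSERT that index.php performs afterwards, so concurrent submissions from one address can each observe a count below the limit and all be accepted; the 1-per-second bucket in particular only takes effect once a row has been committed. Doing the check and the insert inside a single transaction, or enforcing the per-address limit at the web-server layer, would close that window. The `$interval` interpolated into the `DATE_SUB` query is safe only because `$rudeness` is a hard-coded literal; casting it, `INTERVAL " . (int) $interval . " SECOND`, keeps that true if the array is ever made configurable. Note also that only rows with `status = '1'` are counted, so rejected submissions never count against an address — worth a line in the function comment if that is intentional. isPT's body lies outside the hunk.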
@@ -20,8 +20,9 @@ INSERT INTO `urls` (`id`, `alias`, `url`, `ip`, `time`, `status`) VALUES
(3, '403', '', '127.0.0.1', '1970-01-01 00:00:01', '-1'),
(4, '404', '', '127.0.0.1', '1970-01-01 00:00:01', '-1'),
(5, '410', '', '127.0.0.1', '1970-01-01 00:00:01', '-1'),
(6, '500', '', '127.0.0.1', '1970-01-01 00:00:01', '-1');
(7, '503', '', '127.0.0.1', '1970-01-01 00:00:01', '-1');
(6, '429', '', '127.0.0.1', '1970-01-01 00:00:01', '-1'),
(7, '500', '', '127.0.0.1', '1970-01-01 00:00:01', '-1');
(8, '503', '', '127.0.0.1', '1970-01-01 00:00:01', '-1');

-- `visits` table
CREATE TABLE IF NOT EXISTS `visits` (
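Review bot: As rendered, the new row for id 7 terminates the INSERT with a semicolon, so the following `(8, '503', '', '127.0.0.1', '1970-01-01 00:00:01', '-1');` tuple is a bare statement and the seed script fails at that point; the 500 row should end with a comma, `(7, '500', '', '127.0.0.1', '1970-01-01 00:00:01', '-1'),`. The removed lines show the same pattern, so this may be pre-existing or an artifact of how the page was captured — worth confirming against the raw file. Renumbering the existing 500/503 rows to ids 7 and 8 also means the seed no longer applies cleanly to a database that already holds the old rows, since the statement has no duplicate-key handling; a short note about re-seeding would help.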
2 go.php
@@ -71,7 +71,7 @@ function showError ($error) {
} else {
// Create an array of possible HTTP error codes and their meanings
$errors = array('401' => 'Not Authorized', '403' => 'Forbidden', '404' => 'Not Found', '410' => 'Gone', '500' => 'Internal Server Error', '503' => 'Service Unavailable');
$errors = array('401' => 'Not Authorized', '403' => 'Forbidden', '404' => 'Not Found', '410' => 'Gone', '429' => 'Too Many Requests', '500' => 'Internal Server Error', '503' => 'Service Unavailable');
// Just show an error immediately for forced errors and stop further execution
if (array_key_exists($_GET['x'], $errors)) {
@@ -17,6 +17,7 @@
// Require configuration/settings
require('admin/config.php'); // MySQL credentials and user variables
require('functions.php'); // Blacklist/URL functions
// Trim submitted URL, throw "http://" on the front if it does not start with either http:// or https://
$url = trim($_POST['url']);
@@ -42,9 +43,8 @@
if (isset($badalias)) {
$error = 'Invalid alias';
// Require functions with blacklist/URL checks and run the URL through said checks
// Run blacklist/URL checks
} else {
require('functions.php');
$error = checkURL($url);
}
@@ -61,6 +61,12 @@
header('Location: /503', TRUE, 302);
}
// Bail if the IP address is being rude and has added too many URLs recently
if (isRude($link, $ip)) {
$link = null;
header('Location: /429', TRUE, 302);
}
// Try to add the URL to the database right now if we were given an alias that has a possibility of working
if ( (isset($alias)) && (!empty($alias)) ) {
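Review bot: The new rate-limit branch sends the `Location: /429` redirect but never stops the script, so execution falls through to the URL-insertion code that starts immediately after it; with `$link` already set to null, the next database call would presumably fail rather than the submission being cleanly refused. Add `exit;` after the `header('Location: /429', TRUE, 302);` call (the existing 503 branch two lines earlier appears to have the same shape). The assignment of `$ip` is outside this hunk; the limit is only as strong as that value's source, so it should be taken from `$_SERVER['REMOTE_ADDR']` or a trusted proxy's address rather than from any client-supplied header.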
