
PHP DDoS Attacks And Protection

Published on: June 16, 2020


DDoS (distributed denial-of-service) attacks are among the most common availability threats to PHP-based websites and CMS installations, and attacks that abuse weaknesses in the PHP application itself are a growing part of that picture.

[Image: web application attacks (source: Neustar infographic)]

DDoS attacks have grown rapidly over the past five years. According to the figures in the infographic above, attack volume grew 25% globally in 2015 and was projected to increase 2.6-fold to 17 million by 2020. DDoS has become one of the most widely used weapons in an attacker's toolkit.

DDoS attacks are mostly carried out through botnets: networks of compromised computers that are directed to flood a target with bogus requests. The figures quoted here put the total at over 4.5 million bot hosts in 2018, with 2.7 million located in China and 1.5 million in Russia.

With that in mind, this article looks at how PHP-based DDoS attacks work and at the measures that help prevent them.


What are the PHP DDoS attacks?

[Image: PHP DDoS attacks 2019 (source: Neustar infographic)]

You are probably familiar with the DoS (denial-of-service) attack, in which a single machine sends thousands of requests at once to slow down or overwhelm a web server. A DDoS attack does the same from many machines at once, typically a botnet, so that the traffic cannot be stopped by blocking a single source. The objective in both cases is to keep legitimate users from reaching the site. What this article calls a PHP-based DDoS attack is a variant that does not need raw volume at all: a flaw in a PHP script, such as an include controlled by user input, lets a single request tie up a disproportionate amount of CPU or memory, so a modest number of requests is enough to take the server down.

A common mistake is to let a URL parameter choose which file the script includes, as in these URLs:

  • www.example.com/blog.php?doc=aboutus.php
  • www.example.com/blog.php?doc=products.php
  • www.example.com/blog.php?doc=legal.php

The code in blog.php reads the $_GET['doc'] parameter and passes it straight to include() to pull the requested file into the script. That works for the links above, but consider what happens if an attacker changes the URL to:

www.example.com/blog.php?doc=blog.php

Now blog.php includes blog.php, which includes blog.php again, and so on. The recursion only stops when PHP aborts the script on max_execution_time or memory_limit, and every such request keeps a worker process busy for that whole time, so a handful of concurrent requests is enough to exhaust the server's CPU and memory and bring it down. Note that an unchecked include of user input is a local file inclusion (LFI) bug, and self-inclusion is its least harmful use: the same parameter can pull in arbitrary files from the filesystem (or, with allow_url_include enabled, a remote URL), which usually means code execution. The fix is the same either way: never pass user input to include(); map a short key to a fixed allowlist of files instead.
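As an added example (not code from the original article), here is the vulnerable blog.php pattern beside a hardened version that resolves ?doc= through an allowlist. The page names (aboutus, products, legal), the page directory, the helper names and the demo inputs are assumptions; the demo writes three tiny page files to a temporary directory so it runs stand-alone under PHP 8.

```php
<?php
// Added example, not code from the original article: the unsafe include
// pattern from the text next to a hardened version that only includes pages
// from a fixed allowlist. File and directory names are assumptions.
declare(strict_types=1);

// --- Vulnerable: the request decides which file is included --------------
// ?doc=blog.php makes this file include itself until PHP hits memory_limit
// or max_execution_time; ?doc=../../../etc/passwd (or a php:// wrapper, or
// a URL if allow_url_include is on) turns the same bug into file disclosure
// or code execution. Shown for contrast only; never call it with user input.
function render_vulnerable(array $get): void
{
    $doc = $get['doc'] ?? 'aboutus.php';
    include $doc;
}

// --- Hardened: map a short key to a file the developer chose --------------
const PAGES = [
    'aboutus'  => 'aboutus.php',
    'products' => 'products.php',
    'legal'    => 'legal.php',
];

/**
 * Resolve ?doc=<key> to an absolute path under $pageDir, or null if the key
 * is not on the allowlist. Only the key is attacker-controlled; the file
 * name never is, so there is nothing to traverse and nothing to recurse into.
 */
function resolve_page(string $key, string $pageDir): ?string
{
    // Normalise so "aboutus.php", "AboutUs" and " legal " all map cleanly.
    $key = strtolower(trim(basename($key, '.php')));
    if (!isset(PAGES[$key])) {
        return null;
    }
    $real = realpath($pageDir . '/' . PAGES[$key]);
    $base = realpath($pageDir);
    // Belt and braces: refuse anything that does not resolve inside $pageDir.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function render_hardened(array $get, string $pageDir): void
{
    $path = resolve_page((string) ($get['doc'] ?? 'aboutus'), $pageDir);
    if ($path === null) {
        http_response_code(404);
        echo "No such page\n";
        return;
    }
    include_once $path;   // include_once also makes accidental self-inclusion a no-op
}

// --- Demo on a throw-away page directory (constructed, not real content) --
$dir = sys_get_temp_dir() . '/php_include_demo_' . getmypid();
mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents("$dir/$file", "<?php echo 'rendered $file', PHP_EOL;");
}

$probes = ['aboutus', 'products.php', 'blog.php', '../../../etc/passwd', 'php://filter/resource=legal'];
foreach ($probes as $doc) {
    printf("%-35s -> ", "?doc=$doc");
    render_hardened(['doc' => $doc], $dir);   // only the two allowlisted keys render
}

foreach (PAGES as $file) {
    unlink("$dir/$file");
}
rmdir($dir);
```

The allowlist is the real fix; the realpath() check is a second line of defence in case the allowlist is later edited to contain something unexpected. Rejecting unknown keys with a 404 before any include() runs also means the recursive-include payload from the text costs the server nothing more than a normal request.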

PHP DDoS attack protection

PHP DDoS protection: Web Application Firewall

[Image: Astra security suite (source: Astra)]

A WAF (web application firewall) gives you an extra layer in front of the application. A good managed WAF is backed by a security appliance or service that is maintained by qualified security staff, and it also lets you cap the bandwidth allocated to each exposed web service.

Blocking requests at the firewall is more effective than blocking them in .htaccess, because dropped packets never reach Apache at all and so never occupy a worker; .htaccess rules, by contrast, are evaluated by Apache on every request. At the firewall, requests are dropped by rules keyed on the source IP address.

The following command, run as root, adds an iptables rule that drops every packet from a particular IP address (1.2.3.4 is a placeholder). Rules added this way do not survive a reboot unless saved, and when you need to block many addresses an ipset referenced from a single rule scales better than one rule per IP:

/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP

PHP DDoS protection: .htaccess

[Image: PHP DDoS protection with .htaccess (source: WPBeginner)]

.htaccess is a per-directory Apache configuration file, and it can be used to lower the load caused by a DDoS attack: a deny rule makes Apache reject the offending request before it ever reaches your PHP scripts.

Take a request to a login script as an example. Normally Apache hands the request to PHP, which checks the submitted credentials against the user database:

Request <---> Apache <---> PHP <---> MySQL (maybe)

If you block an IP address (say 192.168.1.1), your .htaccess gains an extra line like this (this is the Apache 2.2 syntax, still accepted in 2.4 through mod_access_compat; the native 2.4 form is Require not ip 192.168.1.1 inside a <RequireAll> block):

Deny from 192.168.1.1

The request is now stopped at Apache and PHP is never invoked:

Request <---> Apache <-x-> [Blocked]

The same mechanism gives you brute-force protection for the login form as a bonus: blacklist any IP address that exceeds a maximum number of login attempts (say 20 in a minute).
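Here is an added example (not the article's own code) of that 20-attempts-per-minute rule: a sliding-window throttle keyed on client IP, plus a helper that renders the blocked addresses as an .htaccess fragment in both Apache 2.2 (Deny from) and 2.4 (Require not ip) syntax. The threshold, window, block duration, in-memory storage, class and function names and the two TEST-NET addresses are assumptions; it runs under PHP 8.

```php
<?php
// Added example, not from the original article: a per-IP login throttle
// implementing "block an address after N attempts per minute", plus the
// .htaccess fragment that would enforce the block. Threshold, window,
// storage and the sample addresses are assumptions.
declare(strict_types=1);

final class LoginThrottle
{
    /** @var array<string, int[]> ip => timestamps of recent attempts */
    private array $attempts = [];
    /** @var array<string, int> ip => unix time the block was imposed */
    private array $blocked = [];

    public function __construct(
        private int $maxAttempts = 20,   // attempts allowed per window
        private int $window = 60,        // seconds
        private int $blockFor = 3600     // seconds an address stays blocked
    ) {}

    /** Record one login attempt from $ip at $now and return true if it may proceed. */
    public function allow(string $ip, int $now): bool
    {
        if (isset($this->blocked[$ip])) {
            if ($now - $this->blocked[$ip] < $this->blockFor) {
                return false;
            }
            unset($this->blocked[$ip]);   // block has expired
        }
        // Sliding window: forget attempts older than $window seconds.
        $recent = array_filter(
            $this->attempts[$ip] ?? [],
            fn(int $t) => $now - $t < $this->window
        );
        $recent[] = $now;
        $this->attempts[$ip] = array_values($recent);
        if (count($recent) > $this->maxAttempts) {
            $this->blocked[$ip] = $now;
            return false;
        }
        return true;
    }

    /** @return string[] addresses still blocked at $now */
    public function blockedIps(int $now): array
    {
        return array_keys(array_filter(
            $this->blocked,
            fn(int $since) => $now - $since < $this->blockFor
        ));
    }
}

/**
 * Render blocked addresses as an .htaccess fragment. "Deny from" is the
 * Apache 2.2 form (mod_access_compat); <RequireAll> is native Apache 2.4.
 */
function htaccess_block(array $ips, bool $apache24 = true): string
{
    if ($ips === []) {
        return '';
    }
    if (!$apache24) {
        return "Order allow,deny\nAllow from all\n"
            . implode('', array_map(fn(string $ip) => "Deny from $ip\n", $ips));
    }
    $lines = array_map(fn(string $ip) => "    Require not ip $ip\n", $ips);
    return "<RequireAll>\n    Require all granted\n" . implode('', $lines) . "</RequireAll>\n";
}

// Demo with constructed traffic: 25 attempts within 50 seconds from
// 203.0.113.7 and 5 slow attempts from 198.51.100.9 (both TEST-NET ranges).
$throttle = new LoginThrottle();
$t0 = 1_600_000_000;
$results = [];
for ($i = 0; $i < 25; $i++) {
    $results['203.0.113.7'][] = $throttle->allow('203.0.113.7', $t0 + $i * 2) ? 'ok' : 'BLOCKED';
}
for ($i = 0; $i < 5; $i++) {
    $results['198.51.100.9'][] = $throttle->allow('198.51.100.9', $t0 + $i * 10) ? 'ok' : 'BLOCKED';
}
foreach ($results as $ip => $r) {
    printf("%-14s %s\n", $ip, implode(' ', $r));   // first IP: 20 ok, then 5 BLOCKED
}
echo htaccess_block($throttle->blockedIps($t0 + 60));
echo htaccess_block($throttle->blockedIps($t0 + 60), false);
```

In production the counters belong in shared storage (APCu, Redis or a database) rather than a per-request array, and the client address must come from the socket or from an X-Forwarded-For header set by your own reverse proxy, never from a header the client can supply. Writing the fragment into .htaccess is what makes the block cheap: once it is there, Apache rejects the address before PHP and the database are touched at all.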

PHP DDoS protection: cPanel & WHM

[Image: DDoS protection in cPanel and WHM (source: blog.cpanel.com)]

cPanel's IP Deny Manager lets you block a single host address quickly, but it works at the Apache level and so does nothing against a SYN flood (which never completes a connection) or a large botnet. The usual next step is the Apache module mod_evasive, which counts requests per client and temporarily refuses clients that exceed a threshold; through its DOSSystemCommand directive it can also call iptables to drop the address at the packet level. SYN floods themselves have to be handled below Apache, with kernel SYN cookies or upstream filtering.

You can install mod_evasive from the Apache Modules section of WHM's (Web Host Manager) EasyApache 4 interface: log in to WHM and go to Home >> Software >> EasyApache 4.

PHP DDoS protection: Manual blocking

[Image: manual blocking (source: tools.cisco.com)]

If you need an immediate response to an attack that is under way, manual blocking is the quickest mitigation. First find out which remote addresses hold the most connections to the server:

netstat -an | grep -E '^(tcp|udp)' | awk '{print $5}' | sed 's/:[^:]*$//' | sort | uniq -c | sort -rn

This lists each remote IP address with an open TCP or UDP connection alongside its connection count, largest first. The sed step strips the trailing port so IPv6 peers are counted correctly (the original cut -d: -f1 mangled them), and -p was dropped because it needs root and only adds the owning PID. Addresses at the top of the list are candidates for the iptables DROP rule above, with two caveats: in a spoofed SYN flood the source addresses are meaningless, and many legitimate users can sit behind a single NAT or proxy address, so check before blocking.

Conclusion

DDoS attacks only get worse if ignored. Fortunately, efficient methods to mitigate them exist, and the measures above cover the basic protections that help you withstand an attack.

Naman Rastogi

Naman Rastogi is a growth hacker and digital marketer at Astra Security. Having worked in cybersecurity for more than a year, Naman shares a passion for spreading awareness about cybersecurity among netizens. He is a regular reader of anything cybersecurity-related, which he channels through the Astra blog. Naman is also a jack of all trades: he is certified in market analytics, content strategy, financial markets and more, while working in parallel towards his passion, cybersecurity. When not hustling to find new ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CS:GO.
