| Author |
Message |
Doulos
Life Cycles Becoming CPU Cycles
Joined: Jun 06, 2005
Posts: 732
|
 Posted:
Fri Nov 23, 2007 2:50 pm |
|
I am not understanding the use of this filter. I am getting a lot of users blocked when they are trying to access on page or another - often index.php.
Here is an example:
| Quote: | Date & Time: 2007-11-22 21:00:38 CST GMT -0600
Blocked IP: 67.193.96.14
User ID: Mojie (403)
Reason: Abuse-Flood
--------------------
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Query String: www.clanfga.com/index.php
Get String: www.clanfga.com/index.php
Post String: www.clanfga.com/index.php
Forwarded For: none
Client IP: none
Remote Address: 67.193.96.14
Remote Port: 4950
Request Method: GET |
1. What are users doing to get blocked by this filter?
2. Would lowering or raising the page or flood delay time cause more or fewer to be blocked? (page=5 sec, flood=4 sec)
3. What is the actual purpose of the flood filter, anyway? |
| |
|
|
|
warren-the-ape
Worker
Joined: Nov 19, 2007
Posts: 196
Location: Netherlands
|
| Posted:
Fri Nov 23, 2007 3:02 pm |
|
| Ezekiel wrote: |
1. What are users doing to get blocked by this filter?
2. Would lowering or raising the page or flood delay time cause more or fewer to be blocked? (page=5 sec, flood=4 sec)
3. What is the actual purpose of the flood filter, anyway? |
1- Probably refreshing a page or clickin on a link on the page
2- Dont know if im correct on this (please correct me if im wrong), im not using NukeSentinel.. yet 
I know that phpbb already uses it to prevent flooding the search, meaning that there is a specific waiting time before the server accepts a new search request.
My guess would be to lower it, although im not sure about the difference between 'page' & 'flood'.
3- Probably releaving stress (bandwith) on the server, I guess. Do a Google search on DDOS attack if you want the extreme version |
| |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Fri Nov 23, 2007 4:12 pm |
|
Look in your tracked IP table for the offending IP. Then look at the date and time stamp and see what the interval is in-between the time stamps to see how fast the IP is requesting pages. That should tell you whether or not it's an IP issue or an NS setting.
The lower the flood setting, the more frequently you allow hits by the same IP. In other words by having a high setting like you do you are only allowing a page request every 4 seconds by the same IP and if the same IP requests more than 1 page w/i 4 seconds it gets banned.
The Page Delay is used for the IP 2 Country database update pages. This is the number of seconds until the next page in the set will automatically load. It has nothing to do with flood control.
BTW, if you look at the Help in the NS Admin panel (the question mark) it does explain this  |
| |
|
|
|
|
Doulos
|
| Posted:
Fri Nov 23, 2007 10:02 pm |
|
|
|
|
|
Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
| Posted:
Sat Nov 24, 2007 12:05 am |
|
I was also always under the impression that the flood blocker wasn't something you really wanted turned on unless you were under a flood attack. |
_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module |
|
|
|
|
Raven
|
| Posted:
Sat Nov 24, 2007 1:20 am |
|
| Gremmie wrote: | | I was also always under the impression that the flood blocker wasn't something you really wanted turned on unless you were under a flood attack. |
That's kind of like getting flood insurance after the flood  (pun intended)
Once you are under a flood (dos attack) you won't be able to turn it on because you are usually locked out of your site. |
| |
|
|
|
|
Gremmie
|
| Posted:
Sat Nov 24, 2007 1:06 pm |
|
But even then it was my understanding such an attack is better stopped at the server level, not at the site level. And really, there isn't much you can do about some forms of DOS attacks.
I'm glad sentinel offers the protection, but it is one of those filters that you have to weigh the benefits versus the risks of using it. |
| |
|
|
|
|
Raven
|
| Posted:
Sat Nov 24, 2007 1:51 pm |
|
Gremmie,
That is correct but in your original comment that's not what you said .
You said "I was also always under the impression that the flood blocker wasn't something you really wanted turned on unless you were under a flood attack". If you are under attack you will be unable to turn it on. I'm not sure that's what you meant to say and that's why I replied the way I did.
And my original reply to the question was just stating the answers to the questions that were raised, not necessarily advising one way or another. |
| |
|
|
|
|
Doulos
|
| Posted:
Sat Nov 24, 2007 2:49 pm |
|
Almost 100% of our flood blocks are legitimate users. However, a few have been anonymous trying to access index.php 30 or 40 time in one minute. |
| |
|
|
|
|
Gremmie
|
| Posted:
Sat Nov 24, 2007 5:38 pm |
|
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
