Blocking Proxies

[zbeng]

Since a lot of people proxy DDoS, it's useful to protect your site against it.

You have three options if you have total control over the server.

1.) Detect proxies and block them on firewall/mod_security level

2.) Detect and block them via .htaccess (a hastle)

3.) Detect them via PHP and block them via .htaccess

Since most people use shared hosting, number 3 is the best option unless you feel like manually banning 600 ips from /

So, just put this litle code at the top of all your main PHP files, and it will consume little to no resources.

if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT']=='') || ($_SERVER['HTTP_VIA']!='')){
die("Don't use proxies, please.");
} 

Break down:

HTTP_X_FORWARDED_FOR: When a proxy connects to a site, it sends Forwaded-For: YourIPHere, unless it's an elite proxy. People that don't use proxies have no http_x_forwaded_for so that's a dead easy way to spot them.

HTTP_USER_AGENT: This script checks and make sure the user DOES send a user agent. Most DDoSing programs don't have a User-Agent attribute where as all internet browsers do =) Another easy spot on.

HTTP_VIA: HTTP_VIA pretty much sends what kind of proxy server it's using, ie squid/squidX.

Info:

Most DDoSing programs hit http://site.com, not http://site.com/page.php. When the program connects to site.com/, the index file is loaded. index.php in most forums.

So, if you put that code in index.php, the first line of it, then you'll barely feel any effects of proxy DDoSing.

You can modify that script to add on to the .htaccess to deny the attacking IP

ie:

$fp = fopen(".htaccess", "a"); /*append the file*/

$write = fputs($fp, "deny from " .$_SERVER['REMOTE_ADDR'] . "\n");

fclose($fp);

Open the file for appendage, write "deny from xxx.xxx.xxx.xxx, add a new line, close/save file.