SECURITY problem - kill requests SECURITY problem - kill requests
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

SECURITY problem - kill requests

Started by punjab, November 15, 2006, 02:44:43 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

punjab

Today i got DOS attack to server.
27 request peer second to login.php in coppermine gallery totally kill my linux server. System load average gets to 60.

I make experiment.
I go with firefox to coppermine login page and in maximum frequency clicking to refresh button in firefox and server get to load 40 in 30 seconds.

This is not normal. I make this on some other php/mysql pages and nothing happend. Server load stay in low values.
CPG is version is 1.4.9 or 1.4.10

Can anybody with linux, apache, mysql server try this?

Joachim Müller

DDoS attacks are not being performed by someone hammering the reload button of his browser while he's on your page - they are script-driven instead. Your experiment doesn't prove anything.
Coppermine has not been developed with protection against DDoS in mind - you should take precautions against DDoS by implementing server-sided counter-measures like mod_evasive, which basically let's you determine a treshold for requests from a single IP per time period. If an IP address requests more than it is allowed to, the requests are being dropped.