cyberconte has asked for the wisdom of the Perl Monks concerning the following question:

I am almost finished with a project I am working on - a search engine project written 98% in Perl. Previous versions of this software, however, have fallen victim to "click bombing", or, in other words, clicking many, many times. A maximum load limiter would prevent any more "clicks" after the system load reached beyond a predefined point. However, it also blocked legitimate users, and thus could be used as a crude DOS attack. Since this new rewrite can also use a real database, like MySQL, instead of just flat files, this now becomes a stronger issue than ever - it would be possible for someone to lock the machine for hours or more if they try hard enough.

My question is "what are the possible solutions"? I have many, many solutions swirling in my head, and I've gotten even more from interested parties, but they're all theories. I'm looking for something that has actually been used, and proven to work without adding too much overhead.

Any suggestions?

Replies are listed 'Best First'.
Re: Design: thwarting "click bombing"
by valdez (Monsignor) on Aug 06, 2002 at 19:04 UTC

    If you can afford using mod_perl, a commonly suggested solution on the m_p mailing list is a module capable of blocking greedy clients. A great example of such a module can be found inside the famous Eagle Book, and (lucky you ;-) ) also in a sample chapter online here. A little summary:

    A trick that some mod_perl developers have used to catch devious robots is to block access to things that act like robots by requesting URLs at a rate faster than even the twitchiest of humans can click a mouse. The strategy is to record the time of the initial access by the remote agent, and to count the number of requests it makes over a period of time. If it exceeds the speed limit, it gets locked out. Apache::SpeedLimit (listing 6.4) shows one way to write such a module.

    I think there are many modules listed on CPAN that can do something similar.

    Ciao, Valerio

•Re: Design: thwarting "click bombing"
by merlyn (Sage) on Aug 06, 2002 at 22:01 UTC
Re: Design: thwarting
by MrNobo1024 (Hermit) on Aug 06, 2002 at 18:56 UTC
    Can't you just use the load limiter, but instead of blocking everyone, only blocking the IP of the DOS'er?

    --MrNobo1024
    s]]HrLfbfe|EbBibmv]e|s}w}ciZx^RYhL}e^print
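The two suggestions above (valdez's Apache::SpeedLimit-style counter and MrNobo1024's "block only the offending IP") amount to the same mechanism: count requests per client over a short window and lock out a client that exceeds the limit, without touching anyone else. The following is an added example written for this thread, not code from the Eagle Book or from Apache::SpeedLimit; the window, hit limit and lockout values, and the sample traffic, are all assumed/constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Per-client speed limit: count requests from each client address within a
# fixed window; a client that exceeds the limit is locked out for a penalty
# period. The three numbers below are assumed values, tune them to taste.
my $WINDOW   = 10;   # seconds over which requests are counted
my $MAX_HITS = 5;    # requests allowed per window, per client
my $LOCKOUT  = 60;   # seconds a client stays blocked after exceeding the limit

# In a real mod_perl deployment this state must live somewhere shared by all
# httpd children (a DBM file, Apache::Session, or the database itself); an
# in-process hash is used here so the example runs stand-alone.
my %client;   # ip => { start => epoch, hits => n, blocked_until => epoch }

# Returns 'ok' if the request may proceed, 'blocked' if it should be refused.
sub check_request {
    my ($ip, $now) = @_;
    my $c = $client{$ip} ||= { start => $now, hits => 0, blocked_until => 0 };

    # Still serving a penalty for earlier abuse: refuse without counting.
    return 'blocked' if $now < $c->{blocked_until};

    # Start a fresh counting window once the old one has expired.
    if ($now - $c->{start} >= $WINDOW) {
        $c->{start} = $now;
        $c->{hits}  = 0;
    }

    $c->{hits}++;
    if ($c->{hits} > $MAX_HITS) {
        $c->{blocked_until} = $now + $LOCKOUT;
        return 'blocked';
    }
    return 'ok';
}

# Constructed sample traffic: one human clicking at a sane pace and one
# "click bomber" hammering the search CGI twice a second. Entries are
# [client address, request time in epoch seconds].
my @requests = (
    ['203.0.113.7', 100], ['203.0.113.7', 103], ['203.0.113.7', 107],
    (map { ['198.51.100.9', 100 + $_ * 0.5] } 0 .. 9),
    ['203.0.113.7', 115],     # human keeps working while the bomber is locked out
    ['198.51.100.9', 170],    # bomber's penalty has expired; it gets a fresh window
);

for my $r (@requests) {
    my ($ip, $t) = @$r;
    printf "%-14s t=%5.1f -> %s\n", $ip, $t, check_request($ip, $t);
}
```

In the trace the human's three clicks are all 'ok', the bomber's sixth request within the window trips the limit and every later request until t=162.5 is 'blocked', and the human's click at t=115 still goes through. As a mod_perl access handler you would return FORBIDDEN (or SERVICE_UNAVAILABLE) in the 'blocked' case before the search CGI, and thus the database, is ever reached. Two caveats a practitioner should keep in mind: keying on the client address punishes everyone behind a shared proxy or NAT along with the abuser, and an attacker with many addresses simply stays under the per-address limit, so this protects against a single greedy client rather than a distributed flood.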

Re: Design: thwarting "click bombing"
by fglock (Vicar) on Aug 06, 2002 at 19:22 UTC

    I think you could give Apache's mod_proxy a try.

    With a properly configured proxy, the "click bombing" would just return the same document, without calling the CGI.

    I'm not sure if it would work with POST method, and you might have problems if you use authentication or sessions.