PHP
PlatinumArcade, 2011-03-07 13:08:39

DDoS - how to reduce the load on php?

Task


I recently asked about configuring a cache in PHP. It was necessary to reduce the load on MySQL, because there is a DDoS on the site (40k connections at a time).

I hastily built this cache. The first time a page with ID = 1500 is visited, it is taken from the database and a copy of the page is written to the hard drive under the name 1500.html. There is a check at the top of the code: if the 1500.html file exists, it runs the code below. The load on MySQL has really dropped, but now there are a bunch of php-cgi processes with a high load percentage in top. Accordingly, the site is down. P.S. Filters at the OS level cannot fight off the DDoS. It is some kind of tricky DDoS.

include('cache/ID.html');
die();




Question


As I understand it, php parses index.php and the load comes from here. Maybe I somehow placed the check for the existence of the 1500.html file in the wrong place?

What is the best way to make sure that if there is a page cache on the hard drive, there is a minimum load on php?

10 answer(s)
homm, 2011-03-07
@homm

As always, nginx comes to the rescue:
sysoev.ru/nginx/docs/http/ngx_http_core_module.html#try_files

homm, 2011-03-07
@homm

1) Do you have nginx installed, or does Apache serve the static files?
2) include() interprets your cache/ID.html, so it needs to be replaced with readfile.
3) If nginx is installed after all, readfile is also not great; use the X-Accel-Redirect header to pass nginx a link to the file that it should serve.
But judging by the fact that you have CGI, nginx is still not worth it. So the first thing to do was to transfer php to a normal protocol. If possible - FastCGI, if not, on Apache+mod_php.
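
The readfile and X-Accel-Redirect suggestions from the answer above, as an added example that is not part of the original thread. The `id` query parameter, the `cache/` directory beside index.php and the `/protected-cache/` internal nginx location are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed names: the "id" query
// parameter, a cache/ directory beside index.php, and (nginx variant only)
// an "internal" location /protected-cache/ that nginx maps to that directory.

// Return the cache file for a page id, or null when the id is not a plain
// decimal number or no cached copy exists.
function cached_page_path($id, $cacheDir)
{
    // The id becomes part of a file name, so accept digits only; this also
    // rejects arrays (?id[]=1), slashes, dots and NUL bytes.
    if (!is_string($id) || !preg_match('/^[0-9]{1,10}$/D', $id)) {
        return null;
    }
    $path = $cacheDir . '/' . $id . '.html';
    return is_file($path) ? $path : null;
}

// Send the cached page without interpreting it. Returns true if sent.
function serve_cached_page($id, $cacheDir, $accelPrefix = null)
{
    $path = cached_page_path($id, $cacheDir);
    if ($path === null) {
        return false;
    }
    header('Content-Type: text/html');
    if ($accelPrefix !== null) {
        // Behind nginx: name the file and let nginx send it, so the PHP
        // worker is released immediately.
        header('X-Accel-Redirect: ' . $accelPrefix . $id . '.html');
    } else {
        // No nginx: copy the bytes to the client. Unlike include(),
        // readfile() never executes PHP code found inside the file.
        readfile($path);
    }
    return true;
}

// Very top of index.php, before any database or framework code is loaded.
$id = isset($_GET['id']) ? $_GET['id'] : null;
if (serve_cached_page($id, __DIR__ . '/cache')) {
    exit;
}
// No cached copy: fall through to the normal page generation below.
```

To use the nginx hand-off, pass the assumed prefix as the third argument, for example `serve_cached_page($id, __DIR__ . '/cache', '/protected-cache/')`.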

kozyabozya, 2011-03-07
@kozyabozya

Why do you care about attendance of topics under DDoS?

Ajex, 2011-03-07
@Ajex

A fairly simple, effective and universal method: in the HTML code, set any cookie with JavaScript. At the very beginning of index.php, add a trivial piece of code:
if (!isset($_COOKIE['mycookie'])) {exit;}
As an option, in addition to exit, you can add the IP to the firewall blacklist (temporarily, via ipset) in case someone arrived without the cookie.
True, you need to slightly alter the structure of the site so that the user first lands on the HTML page that sets the cookie, and only then follows the link to PHP.
If this is not possible, then do something like this: in this case, all new users will see the message “To enter the site, follow the link”, and after clicking it, they will receive a cookie and enter the site.
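// No cookie yet: set it, show the interstitial message and stop.
if (!isset($_COOKIE['mycookie']))
{
    // Cookie lifetime: 300 days, valid for the whole site domain.
    setcookie('mycookie','some_cookie_text',time()+60*60*24*300,"/",".адрессайта.домен");
    echo 'Для входа на сайт перейдите по ссылке';
    exit;
}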

Renat Ibragimov, 2011-03-09
@MpaK999

The first thing is to get off php-cgi - it's terrible!
Apache + mod_php is easy to set up and performance will increase.
Secondly, install eAccelerator; it will increase the speed of PHP by 2-10 times, since it will not be necessary to constantly recompile into opcode.
Well, DDoS must be closed off with a firewall, or at least with iptables, by looking at the ranges of IP addresses.

Vladimir Chernyshev, 2011-03-07
@VolCh

Back in the last question I wanted to tell you that since PHP is called at all, this is no longer static. But I could not immediately come up with a way to record attendance for each topic, except through periodic parsing of logs.

Bkmz, 2011-03-07
@Bkmz

No wonder I wrote today: http://bkmz.org/425/zashtita-ot-ddos-iptables

Riateche, 2011-03-07
@Riateche

"include('cache/ID.html');" - stupid idea, normal reading of the file and its output will be better. Better yet, keep that page in memory rather than in a file.

Vyacheslav Plisko, 2011-03-08
@AmdY

This is all beside the point.
You have two problems:
1. DDoS - it is not PHP programmers who fight it, but admins, with that same iptables; they should know this better than us.
2. Caching to a file is a good optimization, but its main idea is not to start Apache + PHP at all. If this heavy bundle has already been started, then the optimization will be relatively minor. You need one rule in rewrite:
RewriteCond /var/www/.../%{REQUEST_FILENAME} !-f
RewriteRule ^(.*).html create_cache.php?id=$1
If the file is available, it will be served as plain HTML, simply, easily and very quickly.

Ilya Kantor, 2011-03-09
@iliakan

Please take a look at the report about Varnish + Redis + JavaScript in Novosibirsk at Devpoint 2. I described how we defeated such a problem with small resources, maybe it will help ...
