
Protection against DDoS attacks - ShieldPHP

Website Security System against DDoS and Brute Force Attacks

System Description
Our security system is a comprehensive solution for protecting websites from various types of attacks and suspicious activity. The system operates on multiple levels and provides reliable protection with minimal impact on performance.

Main Features

1. Intelligent Activity Monitoring
- Real-time request frequency tracking
- Analysis of behavioral patterns of users and bots
- Detection of suspicious activity with minimal server load
- Support for both IPv4 and IPv6 addresses

2. Progressive Blocking System
- Temporary blocking with self-unblocking capability
- Gradual increase in blocking time for repeated violations
- Multi-level blocking through various mechanisms:
◦ Database
◦ Web server (Apache .htaccess)
◦ Nginx (ip.conf)
◦ Firewall (iptables/ip6tables)

3. Convenient Unblocking System
- Self-unblocking capability through reCAPTCHA
- Automatic redirection to the original page after unblocking
- Protection against automated attempts to bypass the unblocking system

4. Administrative Interface
- Real-time monitoring of blocked IP addresses
- Statistics on violations and blocks
- Manual IP unblocking capability
- Management of whitelist exceptions
- View history of requests from suspicious IPs

5. Whitelist System
- Ability to exclude IP addresses from checks
- Support for IP ranges in CIDR format
- Protection of critical infrastructure

How It Works

Monitoring: The system constantly analyzes incoming requests for suspicious activity.

Detection: When anomalies are detected (too high request frequency, suspicious patterns), the system records a potential violation.

Soft Blocking: On the first violation, the IP address is temporarily blocked at the database level, providing the ability to unblock through reCAPTCHA verification.

Hard Blocking: With repeated violations or particularly aggressive activity, multi-level blocking is applied at all available levels with a gradual increase in blocking time.

Self-Cleaning: The system automatically cleans outdated data and optimizes its operation without administrator intervention.

Advantages

Minimal Server Load: Optimized code using file cache for quick checks

Flexible Configuration: Ability to enable/disable various blocking mechanisms

Protection Against False Positives: Intelligent analysis algorithms and self-unblocking capability

Transparency for Users: Clear blocking messages and simple unblocking mechanism

Multi-Level Protection: Comprehensive application of various blocking methods for maximum effectiveness

The system provides reliable protection against DDoS attacks, brute force hacking attempts, vulnerability scanning, and other types of malicious activity, while maintaining site accessibility for regular users.


Conclusion

The security system works correctly on all PHP versions from 5.6 to 8.3. The code contains numerous checks and adaptations to ensure compatibility:

- Uses only basic language constructs available in all versions
- Has conditional logic for different PHP versions
- Avoids using new functions and syntax
- Checks for the presence of constants and capabilities before using them

This development approach ensures wide compatibility with different PHP versions, making the system suitable for use on various hosting environments and servers, including those that may run on both legacy and the latest PHP versions.

Advantages of Redis Support for Website Security System

What is Redis and why is it needed?
Redis is a high-performance "key-value" data store that operates primarily in RAM. Integrating Redis with the website security system provides significant advantages compared to using only traditional MySQL/MariaDB databases.

Key Benefits of Redis for Protection Against DDoS and Other Attacks

1. Ultra-high Request Processing Speed
- Up to 100 times faster request processing compared to traditional databases
- System response time is reduced from hundreds of milliseconds to just a few milliseconds
- Instant verification of IP addresses in blacklists

2. Resistance to High Loads
- Ability to process tens of thousands of requests per second
- Stable operation even during high-intensity DDoS attacks
- Significantly fewer performance drops during peak loads

3. Reduced Database Load
- Caching of the most frequent requests
- Offloading MySQL/MariaDB from frequent read/write operations
- Prevention of main database overload

4. Improved Administration Panel Performance
- Instant loading of blocked IP lists
- Accelerated access to security statistics and logs
- Faster work with large datasets

5. Fault Tolerance and Automatic Switching
- When Redis is unavailable, the system automatically switches to MySQL
- Dual level of protection against possible failures
- Uninterrupted operation of the security system

6. Technical Advantages for Administrators
- Optimized data structures for working with IP addresses
- Support for complex operations with minimal delays
- Enhanced real-time monitoring capabilities
- Quick addition and removal of IP addresses from blacklists/whitelists

7. Server Resource Savings
- Less processor load during intensive attacks
- Reduced disk I/O usage
- More efficient use of system resources

Practical Results

- Reduction in loading time of administrative pages with large datasets by 80-95%
- Support for up to 5 times more simultaneous visitors with the same load
- Reliable protection even during intensive DDoS attacks

Redis is especially effective for high-traffic websites and for those who regularly face attack attempts. Combining Redis with a traditional database provides the best balance between speed, reliability, and functionality.


Development Partnership

This security system is the result of fruitful collaboration between the MurKir Security development team and artificial intelligence experts. The creation process used advanced attack analysis methods, machine learning to detect abnormal behavioral patterns, and modern approaches to multi-level protection.

Intelligent Optimization: By combining development expertise with AI analysis capabilities, we have significantly improved the accuracy of potential threat detection and reduced the number of false positives.

Continuous Improvement: The system is regularly updated based on analysis of new attack types and user feedback. We continue to work together on expanding functionality and adapting to new information security challenges.

The combination of human experience and AI capabilities in the development of the security system has created a solution that effectively protects web resources while remaining convenient and accessible to users of different levels of technical preparation.


Analysis of DDoS Attack Protection System
General System Description
The presented files constitute a comprehensive system for protection against DDoS attacks and suspicious activity for websites. The system is designed with performance and scalability in mind, supporting both Redis (for high-load scenarios) and MariaDB, and includes backup file storage mechanisms.
The system performs the following key functions:

- Request monitoring - tracking the frequency and nature of requests from each IP address
- Progressive blocking - increasing blocking time for repeated violations
- Multi-level protection - blocking at the web server, firewall, and database levels
- IP whitelist - excluding trusted IPs from security checks
- Unblocking system - ability to unblock through reCAPTCHA
- Admin panel - management of blocked IPs and activity monitoring
- Automatic cleanup - removal of outdated records and database optimization

System Components
1. security_monitor.php
The core of the security system, using the LightSecurityMonitor class. This file:

- Tracks request frequency from each IP
- Detects suspicious activity
- Applies blocks through various mechanisms
- Has a built-in throttling mechanism for limiting requests
- Detects "honeypot" attacks (attempts to access non-existent admin resources)
- Verifies legitimacy of search bots
- Performs consistency checks of User-Agent and request timings

2. admin.php
Administrative panel for system management, which allows:

- Viewing and managing blocked IP addresses
- Seeing block statistics
- Managing IP whitelist
- Analyzing suspicious requests
- Controlling request frequency from IP addresses
- Enabling/disabling reverse DNS requests
- Cleaning duplicate iptables rules

3. recaptcha_unlock.php
A page for visitors whose IP addresses have been blocked. Allows users to unblock themselves by passing a reCAPTCHA verification. Has protection against abuse:

- Tracks frequency of unblocking attempts
- Applies "hard blocking" when exceeding limits
- Returns to the original page after unblocking
- Displays information about the reason and duration of blocking

4. cleanup.php
A script for system maintenance, recommended to run via cron:

- Cleans outdated block records
- Optimizes database tables
- Synchronizes data between Redis and MariaDB
- Removes outdated logs
- Checks and restores database structure
- Synchronizes iptables rules with active blocks
- Exports lists of blocked IPs to text files

5. settings.php
Central settings file containing all system parameters:

- Database and Redis connection settings
- reCAPTCHA keys
- Blocking and limitation parameters
- Blocking mechanism settings
- Automatic hard blocking parameters
- Notification and logging settings
- Throttling and verification parameters

Blocking Mechanisms
The system supports several blocking levels:

- MariaDB/Redis - blocking record in database or Redis
- .htaccess - for Apache, adding "Deny from IP" rules
- Nginx - blocking through ip.conf file
- Iptables/ip6tables - blocking at the firewall level
- External API - possibility of integration with external blocking systems
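The three file/firewall mechanisms above all consume the IP string verbatim, so the one check that matters before writing is that the string really is an IP address. The following is an added example, not ShieldPHP's own code, showing how a block list can be rendered into .htaccess, ip.conf and iptables/ip6tables form with that validation and with duplicate suppression; the function names and the sample list are assumptions.

```php
<?php
// Added example, not ShieldPHP's own code: rendering a block list into the
// three rule formats named above. Function names are hypothetical. Every
// address passes filter_var() before it is written, because .htaccess,
// ip.conf and iptables consume these strings verbatim, so an unvalidated
// entry could corrupt the config or smuggle in extra directives.

// Keep only syntactically valid, unique IPv4/IPv6 addresses.
function sanitizeBlockList(array $ips)
{
    $clean = [];
    foreach ($ips as $ip) {
        $ip = trim($ip);
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $clean[$ip] = true;   // array keys deduplicate for free
        }
    }
    return array_keys($clean);
}

// Apache: one "Deny from" line per address (mod_access_compat syntax; the
// surrounding .htaccess is assumed to already carry an Order directive).
function buildHtaccessRules(array $ips)
{
    $out = '';
    foreach (sanitizeBlockList($ips) as $ip) {
        $out .= 'Deny from ' . $ip . "\n";
    }
    return $out;
}

// Nginx: an ip.conf fragment meant to be include'd inside a server block.
function buildNginxIpConf(array $ips)
{
    $out = '';
    foreach (sanitizeBlockList($ips) as $ip) {
        $out .= 'deny ' . $ip . ";\n";
    }
    return $out;
}

// iptables / ip6tables, chosen by address family. Checking with -C before
// inserting with -I is what prevents the duplicate rules that cleanup.php
// otherwise has to remove.
function buildFirewallCommands(array $ips)
{
    $cmds = [];
    foreach (sanitizeBlockList($ips) as $ip) {
        $isV6 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
        $bin  = $isV6 ? 'ip6tables' : 'iptables';
        $rule = 'INPUT -s ' . escapeshellarg($ip) . ' -j DROP';
        $cmds[] = "$bin -C $rule 2>/dev/null || $bin -I $rule";
    }
    return $cmds;
}

// Constructed sample: a duplicate, an IPv6 address, and two junk entries that
// must be dropped rather than written.
$sample = ['203.0.113.7', '203.0.113.7', '2001:db8::1', "198.51.100.9\nDeny from all", 'not-an-ip'];
echo "# .htaccess\n", buildHtaccessRules($sample);
echo "# ip.conf\n", buildNginxIpConf($sample);
echo "# firewall\n", implode("\n", buildFirewallCommands($sample)), "\n";
```

Run it with `php rules.php`: the duplicate appears once, the IPv6 entry is routed to ip6tables, and the two junk entries never reach any output. The same validation belongs in front of whatever writes these files in a real deployment.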

Progressive Blocking System
The system uses increasing blocking intervals for repeat offenders:

- First block: 1 hour (3600 seconds)
- Second block: 3 hours (10800 seconds)
- Third block: 6 hours (21600 seconds)
- Fourth block: 12 hours (43200 seconds)
- Fifth block: 24 hours (86400 seconds)
- Sixth block: 3 days (259200 seconds)
- Seventh and subsequent: 7 days (604800 seconds)
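As an added example (not ShieldPHP's code), here is the schedule above driving a per-IP violation counter with an expiry time. The store is a small JSON file standing in for the database/Redis record; the function names, the file layout and the decision to keep the counter growing across expired blocks are assumptions for the demo.

```php
<?php
// Added example, not ShieldPHP's code: the progressive schedule from the text
// applied to a per-IP violation counter kept in a JSON file (a stand-in for
// the database/Redis record). Function names and file layout are assumptions.

// Durations in seconds, indexed by violation number (1-based); the seventh
// and every later violation reuse the last entry.
function blockDurationFor($violationCount)
{
    $schedule = [3600, 10800, 21600, 43200, 86400, 259200, 604800];
    $idx = max(1, (int)$violationCount) - 1;
    return $schedule[min($idx, count($schedule) - 1)];
}

function loadBlockState($path)
{
    if (!is_file($path)) { return []; }
    $data = json_decode(file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

function saveBlockState($path, array $state)
{
    // LOCK_EX so concurrent PHP workers do not interleave their writes.
    file_put_contents($path, json_encode($state), LOCK_EX);
}

// Record a violation: bump the counter, compute the new expiry, return the record.
function registerViolation($path, $ip, $now = null)
{
    $now = $now === null ? time() : $now;
    $state = loadBlockState($path);
    $count = isset($state[$ip]['count']) ? $state[$ip]['count'] + 1 : 1;
    $duration = blockDurationFor($count);
    $state[$ip] = ['count' => $count, 'duration' => $duration, 'blocked_until' => $now + $duration];
    saveBlockState($path, $state);
    return $state[$ip];
}

// Is the IP blocked right now? Expired records stay in place so the counter
// keeps growing on the next violation; cleanup.php-style maintenance would
// purge them later (assumed behaviour, not ShieldPHP's documented rule).
function isBlocked($path, $ip, $now = null)
{
    $now = $now === null ? time() : $now;
    $state = loadBlockState($path);
    return isset($state[$ip]) && $state[$ip]['blocked_until'] > $now;
}

// Constructed demonstration: eight violations from one IP at a fixed clock.
$store = sys_get_temp_dir() . '/shieldphp_example_blocks.json';
@unlink($store);
$ip = '203.0.113.42';
$t = 1700000000;
for ($i = 1; $i <= 8; $i++) {
    $rec = registerViolation($store, $ip, $t);
    printf("violation %d: blocked for %6d s (%s), active=%s\n",
        $i, $rec['duration'], $rec['duration'] / 3600 . ' h',
        isBlocked($store, $ip, $t) ? 'yes' : 'no');
}
```

The eighth line prints the same 604800 s as the seventh, which is the "seventh and subsequent" rule in code form.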

Automatic Hard Blocking
The system includes an automatic hard blocking mechanism that activates when a certain threshold of blocked IPs is reached (default: 100). When the threshold is exceeded, the system:

- Selects the most active blocked IPs
- Applies stricter blocking methods
- Sends notification to the administrator
- Logs the event for analysis

Attack Detection
The system includes several attack detection methods:

- Request frequency - detection of exceeding request limits per second/minute
- URL Honeypot - detection of access attempts to URLs characteristic of bots
- User-Agent consistency - detection of multiple different UAs from a single IP
- Request timing - analysis of dispersion of intervals between requests
- Cookie verification - detection of session cookie manipulations
- Suspicious activity - general analysis of request patterns
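To make the first four detection methods concrete, here is an added example (not ShieldPHP's code) that runs them over a constructed request log: a sliding 60-second frequency window, a honeypot path list, a count of distinct User-Agents per IP, and the coefficient of variation of inter-request intervals as the "dispersion" measure. The thresholds, the honeypot paths and the sample traffic are all assumptions chosen for the demo, not ShieldPHP's settings.

```php
<?php
// Added example, not ShieldPHP's code: four of the detection methods above
// applied to a constructed log. Thresholds, honeypot paths and the log rows
// are assumptions for the demo.

$honeypotPaths = ['/phpmyadmin/', '/admin/'];
$limits = ['per_minute' => 60, 'max_user_agents' => 3, 'min_interval_cv' => 0.1];

// Constructed log rows: [timestamp, ip, path, user-agent]
$log = [];
// "Bot A": 120 requests in one minute at exactly 0.5 s spacing, some to honeypots.
for ($i = 0; $i < 120; $i++) {
    $log[] = [1700000000 + $i * 0.5, '203.0.113.10', $i % 7 == 0 ? '/phpmyadmin/' : '/', 'curl/7.88'];
}
// "Bot B": only four requests, but a different User-Agent on every one.
$uas = ['Mozilla/5.0 A', 'Mozilla/5.0 B', 'Mozilla/5.0 C', 'Mozilla/5.0 D'];
foreach ($uas as $k => $ua) {
    $log[] = [1700000100 + $k * 7, '203.0.113.11', '/', $ua];
}
// A person: a handful of requests at irregular intervals, one browser.
foreach ([0, 4.2, 11.7, 33.1, 41.0] as $k => $off) {
    $log[] = [1700000200 + $off, '198.51.100.5', '/page' . $k, 'Mozilla/5.0 (X11; Linux)'];
}

function groupByIp(array $log)
{
    $byIp = [];
    foreach ($log as $row) { $byIp[$row[1]][] = $row; }
    foreach (array_keys($byIp) as $ip) {
        usort($byIp[$ip], function ($a, $b) { return $a[0] == $b[0] ? 0 : ($a[0] < $b[0] ? -1 : 1); });
    }
    return $byIp;
}

// Largest number of requests inside any 60-second window (two-pointer sweep).
function maxRequestsPerMinute(array $rows)
{
    $best = 0; $j = 0;
    for ($i = 0; $i < count($rows); $i++) {
        while ($rows[$i][0] - $rows[$j][0] >= 60) { $j++; }
        $best = max($best, $i - $j + 1);
    }
    return $best;
}

// Coefficient of variation (stddev/mean) of the gaps between requests.
// Near zero means metronome-like timing; null when there are too few samples.
function intervalCv(array $rows)
{
    $n = count($rows);
    if ($n < 10) { return null; }
    $gaps = [];
    for ($i = 1; $i < $n; $i++) { $gaps[] = $rows[$i][0] - $rows[$i - 1][0]; }
    $mean = array_sum($gaps) / count($gaps);
    if ($mean <= 0) { return 0.0; }
    $var = 0.0;
    foreach ($gaps as $g) { $var += ($g - $mean) * ($g - $mean); }
    return sqrt($var / count($gaps)) / $mean;
}

function analyzeIp(array $rows, array $limits, array $honeypotPaths)
{
    $findings = [];
    $perMin = maxRequestsPerMinute($rows);
    if ($perMin > $limits['per_minute']) { $findings[] = "frequency: $perMin req/min"; }
    $uaCount = count(array_unique(array_map(function ($r) { return $r[3]; }, $rows)));
    if ($uaCount > $limits['max_user_agents']) { $findings[] = "ua-consistency: $uaCount different UAs"; }
    $cv = intervalCv($rows);
    if ($cv !== null && $cv < $limits['min_interval_cv']) {
        $findings[] = sprintf('timing: interval CV %.3f (machine-regular)', $cv);
    }
    foreach ($rows as $r) {
        if (in_array($r[2], $honeypotPaths, true)) { $findings[] = 'honeypot: ' . $r[2]; break; }
    }
    return $findings;
}

foreach (groupByIp($log) as $ip => $rows) {
    $f = analyzeIp($rows, $limits, $honeypotPaths);
    echo $ip, ': ', $f ? implode('; ', $f) : 'no findings', "\n";
}
```

Bot A trips frequency, timing and honeypot at once; Bot B is caught only by the User-Agent count, which is why that check exists alongside the rate limit; the person produces no findings. The minimum-sample guard in intervalCv() is the piece that keeps a quiet, regular visitor from being flagged on timing alone.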

Fault Tolerance
The system is designed with consideration for possible component failures:

- Cascading storage mechanisms - Redis → MariaDB → File cache
- Connection checking - testing Redis/MariaDB before use
- Backup blocking methods - applying available mechanisms when primary ones fail
- Error handling - exception catching and problem logging
- Automatic transition to file blocking mode when Redis and DB are unavailable
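The cascade described here and in the Redis section above ("when Redis is unavailable, the system automatically switches") comes down to trying each store in order and catching the failure of the one before. The following added example (not ShieldPHP's code) reduces it to two tiers, Redis then a file cache, behind one small interface; the MariaDB tier is left out for brevity and would simply be a third adapter in the same chain. It uses the phpredis extension's `Redis` class only if it is loaded; the interface, class and function names are assumptions.

```php
<?php
// Added example, not ShieldPHP's code: a two-tier storage cascade (Redis,
// then file cache) behind one interface. The MariaDB tier is omitted; it
// would be another adapter in the same chain. Names are assumptions.

interface BlockStore {
    public function isBlocked($ip);
    public function block($ip, $seconds);
}

class RedisBlockStore implements BlockStore {
    private $r;
    public function __construct($host = '127.0.0.1', $port = 6379, $timeout = 0.2)
    {
        if (!class_exists('Redis')) { throw new RuntimeException('phpredis not installed'); }
        $this->r = new Redis();
        // Short timeout: during an attack a hung Redis must not hang every request.
        if (!@$this->r->connect($host, $port, $timeout)) { throw new RuntimeException('redis unreachable'); }
    }
    public function isBlocked($ip) { return (bool)$this->r->exists('block:' . $ip); }
    public function block($ip, $seconds) { return $this->r->setEx('block:' . $ip, (int)$seconds, '1'); }
}

class FileBlockStore implements BlockStore {
    private $dir;
    public function __construct($dir)
    {
        $this->dir = $dir;
        if (!is_dir($dir)) { mkdir($dir, 0700, true); }
    }
    // Hash the IP so no untrusted string ever becomes part of a filename.
    private function path($ip) { return $this->dir . '/' . sha1($ip) . '.block'; }
    public function isBlocked($ip)
    {
        $p = $this->path($ip);
        if (!is_file($p)) { return false; }
        if ((int)file_get_contents($p) > time()) { return true; }
        @unlink($p);   // expired record: self-cleaning on read
        return false;
    }
    public function block($ip, $seconds)
    {
        return file_put_contents($this->path($ip), (string)(time() + (int)$seconds), LOCK_EX) !== false;
    }
}

// Try each factory in order; the first that constructs without throwing wins,
// and every failure is logged so the fallback is visible in the server log.
function openBlockStore(array $factories)
{
    foreach ($factories as $name => $factory) {
        try {
            $store = $factory();
            error_log("block store: using $name");
            return $store;
        } catch (Exception $e) {
            error_log("block store: $name unavailable (" . $e->getMessage() . ')');
        }
    }
    throw new RuntimeException('no block store available');
}

$store = openBlockStore([
    'redis' => function () { return new RedisBlockStore(); },
    'file'  => function () { return new FileBlockStore(sys_get_temp_dir() . '/shieldphp_example_blocks'); },
]);
$store->block('203.0.113.5', 60);
var_dump($store->isBlocked('203.0.113.5'));   // true
var_dump($store->isBlocked('203.0.113.6'));   // false
```

On a machine without Redis the log shows the "redis unavailable" line and the file store answers both queries; with Redis running the same calls hit Redis and the file directory is never created. Either way the calling code is identical, which is the point of the cascade.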

IP Whitelist
The system supports a whitelist of IP addresses that are excluded from security checks. Supported:

- Exact matching of IP addresses (IPv4 and IPv6)
- CIDR notation for IP ranges
- Synchronization of the whitelist between Redis and file storage
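Matching an address against a mixed IPv4/IPv6 whitelist with CIDR entries is the one piece of this list that needs real bit arithmetic. The following added example (not ShieldPHP's code) does the comparison on the binary form from `inet_pton()`, so one routine serves both families and a family mismatch simply fails to match; function names, the whitelist and the probe addresses are assumptions.

```php
<?php
// Added example, not ShieldPHP's code: whitelist matching for exact IPs and
// CIDR ranges, IPv4 and IPv6 alike, on the packed form from inet_pton().
// Names, the whitelist and the probes are assumptions for the demo.

// True when $ip equals a bare $entry or falls inside a CIDR $entry.
function ipMatchesEntry($ip, $entry)
{
    $ipBin = @inet_pton($ip);
    if ($ipBin === false) { return false; }           // not an IP at all

    if (strpos($entry, '/') === false) {
        $entryBin = @inet_pton($entry);
        return $entryBin !== false && $entryBin === $ipBin;
    }

    list($net, $bits) = explode('/', $entry, 2);
    $netBin = @inet_pton($net);
    if ($netBin === false || !ctype_digit($bits)) { return false; }
    $bits = (int)$bits;
    // Different address family (4 vs 16 bytes) or an impossible prefix length.
    if (strlen($netBin) !== strlen($ipBin) || $bits > strlen($netBin) * 8) { return false; }

    $fullBytes = (int)($bits / 8);
    $remBits   = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) { return false; }
    if ($remBits === 0) { return true; }
    // Compare only the leading $remBits of the next byte.
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isWhitelisted($ip, array $whitelist)
{
    foreach ($whitelist as $entry) {
        if (ipMatchesEntry($ip, trim($entry))) { return true; }
    }
    return false;
}

// Constructed whitelist and probes with their expected answers.
$whitelist = ['127.0.0.1', '10.0.0.0/8', '192.0.2.0/29', '::1', '2001:db8::/32'];
$probes = [
    '10.200.3.4'        => true,   // inside 10/8
    '192.0.2.7'         => true,   // last host of the /29
    '192.0.2.8'         => false,  // first address past the /29
    '2001:db8:ffff::9'  => true,   // inside 2001:db8::/32
    '2001:db9::1'       => false,  // next /32 over
    '::1'               => true,   // exact IPv6 match
    '10.0.0.1x'         => false,  // malformed input is never whitelisted
];
foreach ($probes as $ip => $expected) {
    $got = isWhitelisted($ip, $whitelist);
    printf("%-18s %-5s %s\n", $ip, $got ? 'yes' : 'no', $got === $expected ? 'ok' : 'MISMATCH');
}
```

The /29 case is the one worth keeping in a test suite: prefixes that do not land on a byte boundary are where hand-rolled matchers usually go wrong, and a whitelist that is too wide silently exempts attackers from every other check the system performs.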

Administration Tools
The admin panel offers the following capabilities:

- View of current blocks with reasons and time
- Block statistics
- Whitelist management
- History of suspicious requests
- Monitoring of request frequency from IP addresses
- Manual IP unblocking
- Mass unblocking
- Cleaning of duplicate iptables rules
- DNS request switching

Conclusion
The presented system is a comprehensive solution for protection against DDoS attacks and suspicious activity. It combines several levels of protection, uses a progressive blocking system, and has high fault tolerance. The system is scalable thanks to Redis support and has convenient administration tools.
The system also includes mechanisms for legitimate users, allowing them to unblock themselves through reCAPTCHA, and has a system for detecting and blocking abuse of this capability.

We created this together with the help of Claude AI from Anthropic.

Connecting to your CMS is simple: include the file by its absolute path from the document root, for example:
require_once $_SERVER['DOCUMENT_ROOT'] . '/dos/security_monitor.php';


Protection works on these sites murkir.pp.ua.

Performance analysis of security_monitor.php | Redis vs MySQL
Added: throttling of requests (guide and impact on the server).
You can enable it or not - the important thing is that it exists!

Documentation and settings for the DoS/DDoS Attack Protection System.


https://github.com/Murkirpus/ShieldPHP

Tests needed on high-load projects.
It costs not much, just set it up once and it will work forever!
If you're interested, contact us at murkir@gmail.com.
Feedback.
27.02.2025
15:05
