April 30, 2025 - 13:56

Protecting Against DDoS and Brute Force Attacks with PHP
When not properly protected, web applications become vulnerable to attacks such as DDoS (Distributed Denial of Service) and Brute Force. To prevent DDoS attacks in PHP applications, methods like rate limiting, reCAPTCHA, and Cloudflare can be used. Against brute force, password policies, login attempt restrictions, and IP blocking mechanisms should be implemented. These security measures help protect your web applications against malicious attacks.


1. What Are DDoS and Brute Force Attacks?

1.1. DDoS (Distributed Denial of Service) Attack

DDoS attacks aim to exhaust server resources and crash services by sending a flood of fake requests.

Purpose:

  • ✅ Crash the server.
  • ✅ Prevent users from accessing the service.
  • ✅ Consume bandwidth and cause slowdowns.

1.2. Brute Force Attack

Brute force attacks attempt to guess a user's password using automated trial-and-error methods.

Purpose:

  • ✅ Gain unauthorized access to user accounts.
  • ✅ Access admin panels.
  • ✅ Steal API keys.


2. Preventing DDoS Attacks in PHP

To mitigate DDoS attacks, implement the following security mechanisms:

2.1. IP-Based Rate Limiting

Limiting the number of requests from a single IP within a time window can help reduce DDoS risk.

PHP
session_start();
$ip = $_SERVER['REMOTE_ADDR'];
$time_limit = 60;    // window length in seconds
$max_requests = 100; // max requests per IP within one window

// Note: $_SESSION is tied to the client's session cookie, so a client that discards the
// cookie gets a fresh counter; for real per-IP limiting keep this in a shared server-side store.
// Start a new window on the first request or once the previous window has expired; without
// this reset the counter grows forever and the block is never applied again after the first minute.
if (!isset($_SESSION['request_count'][$ip])
    || (time() - $_SESSION['request_count'][$ip]['start_time']) >= $time_limit) {
    $_SESSION['request_count'][$ip] = ['count' => 0, 'start_time' => time()];
}
$_SESSION['request_count'][$ip]['count']++;

if ($_SESSION['request_count'][$ip]['count'] > $max_requests) {
    http_response_code(429);
    // Tell well-behaved clients how long to wait before retrying
    header('Retry-After: ' . ($time_limit - (time() - $_SESSION['request_count'][$ip]['start_time'])));
    die(json_encode(['error' => 'Too many requests, please try again later.']));
}

This blocks IPs that make over 100 requests in one minute. Keep in mind that $_SESSION belongs to the client's session cookie, so a client that does not send the cookie starts with an empty counter on every request; for the limit to be enforced per IP, the counter has to live in a store shared across all requests (APCu, Redis, a database or a file) rather than in the session.


2.2. Using reCAPTCHA

reCAPTCHA helps prevent bots and automated attacks.

HTML

<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<form action="login.php" method="POST">
    <div class="g-recaptcha" data-sitekey="your-site-key"></div>
    <button type="submit">Login</button>
</form>

Server-side verification:

PHP
$recaptcha_secret = 'your-secret-key';
$token = $_POST['g-recaptcha-response'] ?? ''; // token the widget adds to the form
// Send the secret in a POST body, not the query string, so it does not end up in access logs
$context = stream_context_create(['http' => [
    'method'  => 'POST',
    'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
    'content' => http_build_query(['secret' => $recaptcha_secret, 'response' => $token]),
]]);
$response = file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $context);
$result = ($response !== false) ? json_decode($response, true) : null;
if ($token === '' || empty($result['success'])) { // a failed API call counts as a failed check
    die('reCAPTCHA verification failed.');
}

This prevents bots from submitting login forms.


2.3. Use Cloudflare or WAF

Cloudflare and other Web Application Firewalls (WAF) automatically filter and block DDoS traffic.


3. Preventing Brute Force Attacks in PHP

To protect login forms from brute force attacks, apply the following techniques:

3.1. Limit Failed Login Attempts

Track failed login attempts from the same IP and lock out after a limit is reached.

PHP
session_start();
$ip = $_SERVER['REMOTE_ADDR'];
$max_attempts = 5;
$lockout_time = 900; // 15 minutes

// Note: $_SESSION belongs to the client's cookie, so a client that discards the cookie
// starts with a fresh counter; for enforcement per IP keep this state in a shared
// server-side store (APCu, Redis, a database) instead of the session.
if (!isset($_SESSION['login_attempts'][$ip])) {
    $_SESSION['login_attempts'][$ip] = ['count' => 0, 'last_attempt' => time()];
}

// Lock out while the limit is reached and the lockout period has not elapsed;
// once it has elapsed, reset the counter so the client gets a fresh set of attempts.
if ($_SESSION['login_attempts'][$ip]['count'] >= $max_attempts) {
    if ((time() - $_SESSION['login_attempts'][$ip]['last_attempt']) < $lockout_time) {
        http_response_code(429);
        die('Too many failed attempts. Please try again in 15 minutes.');
    }
    $_SESSION['login_attempts'][$ip]['count'] = 0;
}

if (isset($_POST['password'])) {
    $password = $_POST['password'];
    $stored_password_hash = '$2y$10$hash'; // Example bcrypt hash, normally looked up for the user

    if (password_verify($password, $stored_password_hash)) {
        $_SESSION['login_attempts'][$ip]['count'] = 0;
        session_regenerate_id(true); // fresh session ID on login guards against session fixation
        echo 'Login successful';
    } else {
        $_SESSION['login_attempts'][$ip]['count']++;
        $_SESSION['login_attempts'][$ip]['last_attempt'] = time();
        die('Incorrect password!');
    }
}

This locks users for 15 minutes after 5 failed login attempts.
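One way to keep the counters of both 2.1 (per-IP request limit) and 3.1 (login lockout) out of the client's session, as an added example that is not code from the original article: a fixed-window counter stored in server-side files shared by all requests, used first for the request limit and then, keyed by account and IP, for the lockout. The function name window_hit, the store path under sys_get_temp_dir(), the username field and the placeholder hash are assumptions.

```php
<?php
// Added example, not code from the original article. Counters live in a server-side file
// store shared by every client, so they cannot be reset by dropping a session cookie.
// Store path, limits and key names are assumptions.
function window_hit(string $key, int $limit, int $window, string $dir, bool $count = true): array
{
    $path = $dir . '/' . hash('sha256', $key);   // hashed key is safe as a filename
    $now  = time();
    $fh   = fopen($path, 'c+');                   // create if missing, pointer at start
    if ($fh === false || !flock($fh, LOCK_EX)) {  // serialize concurrent requests
        throw new RuntimeException('rate-limit store unavailable');
    }
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || $now - ($state['start'] ?? 0) >= $window) {
        $state = ['start' => $now, 'count' => 0]; // window expired: start a new one
    }
    if ($count) {                                 // peek-only calls do not consume quota
        $state['count']++;
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($state));
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    $allowed = $count ? $state['count'] <= $limit : $state['count'] < $limit;
    return ['allowed' => $allowed, 'retry_after' => max(0, $state['start'] + $window - $now)];
}
$store = sys_get_temp_dir() . '/ratelimit';
if (!is_dir($store)) { mkdir($store, 0700, true); }
// Behind Cloudflare or another proxy REMOTE_ADDR is the proxy: use the client IP header your proxy sets.
$ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
// 2.1: at most 100 requests per IP per 60 s; Retry-After tells well-behaved clients when to come back.
$r = window_hit('req:' . $ip, 100, 60, $store);
if (!$r['allowed']) {
    http_response_code(429);
    header('Retry-After: ' . $r['retry_after']);
    exit(json_encode(['error' => 'Too many requests, please try again later.']));
}
// 3.1: lock after 5 failed logins in 15 minutes, keyed by account AND IP, counting only failures.
$key = 'login:' . ($_POST['username'] ?? '') . ':' . $ip;
if (!window_hit($key, 5, 900, $store, false)['allowed']) {
    http_response_code(429);
    exit('Too many failed attempts. Please try again later.');
}
$stored_password_hash = '$2y$10$hash';            // placeholder: load the real hash by username
if (isset($_POST['password']) && !password_verify($_POST['password'], $stored_password_hash)) {
    window_hit($key, 5, 900, $store);             // record the failure
    exit('Incorrect username or password.');
}
```

Keying the lockout by account and IP together means one attacker cannot lock a victim out from elsewhere, while a single source hammering many accounts is still caught by the per-IP request limit above it.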


3.2. Enforce Strong Passwords

Weak passwords are easily cracked. Use a regex to enforce strong password policies:

PHP
// Each (?=...) lookahead requires one character class somewhere in the password; .{8,} enforces the minimum length
if (!preg_match('/^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[!@#$%^&*]).{8,}$/', $_POST['password'] ?? '')) {
    die('Password must be at least 8 characters long and include uppercase, lowercase, digit, and special character.');
}

This ensures passwords are strong and complex.


4. Security Testing

  • DDoS Test: Simulate high traffic and check if rate limiting works.
  • Brute Force Test: Attempt repeated logins and check if lockout is triggered.
  • Password Policy Test: Test weak passwords and verify rejection.
  • reCAPTCHA Test: Ensure bots cannot bypass the CAPTCHA challenge.
