Minimizing DOS attacks (and other security issues)


I have implemented a means to deal with Denial Of Service attacks where a
CGI script might be invoked 10,000 times per second in an attempt to keep
the server busy and cause flooding of emails. Here is the code I used:

  my $lockfile = "lock.txt";
  if (not -e $lockfile) {    # check whether the lock file already exists
    # HTMLdie is the poster's error-page helper, defined elsewhere in the script
    open (my $fLock, '>', $lockfile) or HTMLdie ("File error: $!");
    close $fLock;
    sleep 10;                # hold the lock for the 10 second window
    unlink ($lockfile);
  }
  else { HTMLdie ("Please try again later", "Event Processor Busy"); }

I have tested it by opening the following link in two browser windows and
sending the requests within the 10 second time period. The first request is
successful, while the second request returns the Busy message. You may try
it here:

I am using -T taint checking. I will also add filters for alphanumeric
text for the data as well, although I don't think it is critical in this
instance. Please let me know if this is reasonably secure, and if you see
any major problem with this code. The only problem I can see is if the
script crashes during the sleep and the lock file does not get unlinked. At
least it's fail-safe and I can fix it using FTP. It's not a big deal if
event submission is occasionally delayed a day or so. I'm just trying to fix
a problem where the webmaster only updated events every couple of months or
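As an added illustration (editor's example, not the poster's code), here is the same one-request-at-a-time throttle written with flock instead of a check-then-create. The -e test followed by open leaves a small window in which two simultaneous requests can both see no lock file and both proceed; an exclusive, non-blocking flock is decided atomically by the kernel, and the lock is dropped automatically if the script dies during the sleep, so no stale file has to be cleaned up over FTP. The lock file path and the HTMLdie helper are assumptions for this example.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's code.
# Throttle a CGI script so only one instance runs at a time, using
# an advisory file lock rather than testing for the file's existence.
use strict;
use warnings;
use Fcntl qw(LOCK_EX LOCK_NB);

$ENV{PATH} = '/usr/bin:/bin';    # taint mode requires a sanitised PATH

my $lockfile = 'event_processor.lock';   # assumed path, relative to the CGI dir

# Assumed stand-in for the poster's HTMLdie(): print an error page and exit.
sub HTMLdie {
    my ($msg, $title) = @_;
    $title = 'Error' unless defined $title;
    print "Content-Type: text/html\r\n\r\n";
    print "<html><head><title>$title</title></head><body>",
          "<h1>$title</h1><p>$msg</p></body></html>\n";
    exit 0;
}

# Try to take the lock without waiting. Returns the open handle on
# success (the lock is held as long as the handle stays open) or
# undef if another request already holds it.
sub acquire_lock {
    my ($path) = @_;
    # '>>' creates the file if needed and never truncates it.
    open(my $fh, '>>', $path) or HTMLdie("File error: $!");
    # LOCK_NB: fail immediately instead of queueing behind the holder.
    return flock($fh, LOCK_EX | LOCK_NB) ? $fh : undef;
}

my $lock = acquire_lock($lockfile)
    or HTMLdie('Please try again later', 'Event Processor Busy');

# ... validate the form data and send the notification e-mail here ...
sleep 10;    # the 10 second window the poster's version enforces

close $lock; # closing the handle releases the lock; exiting would too
print "Content-Type: text/plain\r\n\r\nEvent submitted.\n";
```

Because the handle is simply closed (or the process exits), there is no unlink step that can be skipped by a crash, which removes the one failure mode the poster identified. The lock file itself stays on disk permanently; that is intended, since flock locks the open description, not the file's existence.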