Having problems with getting user's IP address with PHP.

So basically I made a custom DDoS protection for my Linux server.

It works like this: the PHP website gathers the visitor's IP address when they do a certain action (in this case, registering an account). All visitor IPs are stored in ips.txt securely on my website's FTP.

Then my Linux server has iptables rules set up in a way that blocks all traffic except my website's traffic.

On the Linux server I have a cron job which pulls the whitelisted IPs every 5 minutes from my PHP website's FTP and then whitelists all of those IPs in iptables.

That way only visitor IPs (of those who registered an account on my website) are whitelisted on my Linux server.

In case of a DDoS attack, all traffic is dropped except for the whitelisted visitors' IPs gathered from the website's ips.txt.

Now I'm having a problem. My PHP script is not accurate. Some visitors to my website are not being whitelisted because they might have a different IPv4 address than the one the PHP website reports. So basically I am looking for some PHP script/library that would gather ALL IPv4 addresses of a visitor, so I can then whitelist them.

Also regarding IPv6, my iptables rules are all default (which means that all IPv6 visitor traffic is allowed), so the problem is not with visitors that have IPv6. The problem is with my script not getting ALL IPv4 addresses assigned to the user.

Can you recommend a PHP library for that? So far I've used https://github.com/marufhasan1/... but apparently it's not accurate enough.

  • 2
    Sidenote: Does this require some kind of privacy statement? 🤔
  • 7
    I fail to see how this could possibly work at all, given that most visitors have dynamic IPs, not static ones.

    @alexbrooklyn Under GDPR, it does because the legislation has made the eternal "wah wah it isn't" discussion moot by defining the IP as personal user data.

    However, this case has a legitimate reason to do so, so just explaining what's being done with them and for how long they'll be retained should be OK.
  • 2
    @Fast-Nop it would work. If their IP changes, all they need to do is go to my website.
  • 4
    @zemaitis Ah so it's two websites, and you're basically doing a user friendly variation of port knocking?
  • 2
    @Fast-Nop no.

    It's a gaming project. There is a website running on a shared web host and there is a game server running on a Linux VPS. The problem is that DDoSers DDoS my game server, so players that download my game from the website can't access my game server. So what I am doing now is blocking all IP traffic on my Linux server and allowing only legit whitelisted IPs gathered from the website. However, the problem is that I fail to gather all IPv4 addresses.
  • 3
    @zemaitis OK but the basic knock-knock strategy is the same.

    One big issue could be mobile or cable networks where the end devices don't get a public IP and the network operator's gateway does NAT. Since one NAT router would only allow for 65k TCP connections at the same time for all users combined, they likely have several of these NAT routers.

    The thing is that the knocking may go over a different NAT router than the second access to the gaming server, in which case you would see different client IPs.
  • 1
    @Fast-Nop that's probably the problem. So I'm not sure how to get the actual IP address through a website so I could whitelist properly. Right now I'm whitelisting the wrong IP address for about half of my players. So half of them can connect and the other half cannot.
  • 1
    There's a nice tool called ipset, look it up. You can basically make lists of all IPs (and IP ranges) that you want to block, and you can just throw in a rule to look up the lists and reject traffic accordingly.
    You can also use it in combination with fail2ban (you just have to decide what rules you want exactly).
    Much better to figure out those two tools than rewriting everything from scratch (in PHP, nonetheless).

    Also, that's not really DDoS protection: if I flood your 1Gbit bandwidth cap with 10Gbit of incoming traffic, you're still gonna be unavailable for the other legitimate users (or you'll take a long time to respond).
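The ipset-based refresh that this comment suggests, applied to the cron-job procedure the original post describes (pull ips.txt, whitelist every address in it), as an added example that is not part of the thread and not code from any commenter. It assumes a hypothetical list path (/var/lib/gameserver/ips.txt), a set named game_allow, and a placeholder game port. Entries that are not public dotted-quad IPv4 addresses are dropped before they reach the kernel, since, as noted later in the thread, a private address like 10.x.y.z is a NAT-internal one that cannot usefully be whitelisted; the new list is built in a temporary set and swapped in, so the whitelist is never empty mid-refresh:

```shell
#!/bin/sh
# Added example: load the whitelist pulled from the website into an ipset.
# Assumptions (not from the thread): the file lives at WHITELIST_FILE below,
# one address per line, possibly with CRLF line endings from FTP.
WHITELIST_FILE="${WHITELIST_FILE:-/var/lib/gameserver/ips.txt}"   # hypothetical path
SET_NAME="game_allow"

# Accept only a plain dotted-quad IPv4 address: four decimal octets 0-255,
# no leading zeros, no CIDR suffix, no hostnames. Returns 0 if valid.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++) {
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255 || $i ~ /^0[0-9]/) exit 1
            }
            exit 0
        }'
}

# Reject addresses that can never be a visitor as seen from the internet:
# RFC 1918 private ranges, loopback, link-local and the 0.0.0.0/8 block.
is_public_ipv4() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# Emit an `ipset restore` script: fill a temporary set with every usable
# entry from the file, then swap it into place and drop the old contents.
build_restore_script() {
    file="$1"
    echo "create $SET_NAME hash:ip family inet"
    echo "create ${SET_NAME}_new hash:ip family inet"
    echo "flush ${SET_NAME}_new"
    tr -d '\r' < "$file" | while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | tr -d ' \t')
        [ -z "$ip" ] && continue
        if is_public_ipv4 "$ip"; then
            echo "add ${SET_NAME}_new $ip"
        else
            echo "skipping invalid whitelist entry: $line" >&2
        fi
    done
    echo "swap ${SET_NAME}_new $SET_NAME"
    echo "destroy ${SET_NAME}_new"
}

# Push the generated script into the kernel; -exist makes the "create"
# lines idempotent so the same script works on the first and every later run.
apply_whitelist() {
    build_restore_script "$WHITELIST_FILE" | ipset -exist restore
}

# Install the iptables rule once. It refers to the set by name, so refreshing
# the set every 5 minutes never has to touch iptables itself.
ensure_rule() {
    port="$1"   # placeholder: the game server's TCP port
    iptables -C INPUT -p tcp --dport "$port" -m set --match-set "$SET_NAME" src -j ACCEPT 2>/dev/null \
        || iptables -I INPUT -p tcp --dport "$port" -m set --match-set "$SET_NAME" src -j ACCEPT
}

# Entry point for the cron job: `whitelist.sh apply` after the file was fetched.
if [ "${1:-}" = "apply" ]; then
    apply_whitelist
fi
```

Run `ensure_rule "$GAME_PORT"` once per port at boot, then let cron call the script with `apply` after each FTP pull; the DROP policy for everything else stays exactly as the original post describes, and only the set contents change.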
  • 1
    @zemaitis You cannot get them, because the "actual" one is something like 10.x.y.z or 192.168.x.y which is never visible and cannot be whitelisted on your gameserver.
    Additionally, the public visible ones (= the address of the NAT gateway) change regularly especially on mobile networks.
  • 0
    I'd just go with an out-of-the-box solution like Cloudflare; it's tried and tested, and there are also plenty of other providers if you aren't a fan of Cloudflare.

    Focus on what you want to be focusing on, leave security and networking to the security and networking people.

    Does your hosting provider offer any protection?
  • 2
    Please stop offering Cloudflare, guys. As far as I know it's good only for websites. All Cloudflare allows me to do is hide a website's IP address behind DNS.

    Here I have a game server running on two separate TCP ports. Players are from all around Europe, Cloudflare is in the USA. It's a very, very bad idea to use Cloudflare as a proxy as it would increase players' latency.
  • 2
    @zemaitis OK, I need to correct myself. Cloudflare offers TCP protection with a feature called Cloudflare Spectrum, but to get that feature you need to have an enterprise-grade plan, whose prices start at at least 300 USD.
  • 0
    @zemaitis not just for websites, they offer gaming specific services: https://www.cloudflare.com/gaming/ and while I haven't used their services for games, I have for a number of applications and sites and they offer services internationally. Servers aren't exclusively located in the US.
  • 0
    @zemaitis how do they DoS you? By sending actual fake game traffic, or just TCP spamming? In the second case fail2ban should work, I think, and if not I'd go from whitelist to blacklist and just block everyone who sent you, say, >1k packets without creating a valid game session.
  • 0
    @zemaitis another idea would be to make your game do the port knocking automatically and periodically to account for IP changes.
  • 2
    @alexanderholman they don't even show pricing for gaming protection, and again they are offering enterprise-grade stuff. At that point they will charge a few hundred bucks, and if paying is the only option then there are better solutions out there.