Hit limit question

Hi,
Today I saw that I reached 1% of the hit limit (50,000 clicks) alone on my test website.
Does 1% mean that this limit can be reached by only 100 people?
So I thought about making my own limit with a session variable that would allow 100 clicks. Then I would be able to have 500 people daily on my web game (500x100=50000).
But I can only tell him: you can’t play any more today, come back tomorrow.
But I can’t ban him! So he can continue to refresh my pages if he makes a robot or something!
I think that this limit is dangerous because robots can take the site down! And I can’t control that! Nobody can control that; the only one that can control the load is InfinityFree. Only InfinityFree can ban a person that has reached a limit.
So why is this limit a total over all users? Isn’t it smarter to set that limit individually per person instead of running the risk that a bot reaches the limit alone and cuts off my game for everybody?
What are my tools and weapons for that?

Here, help yourself out!

4 Likes

Welcome!
If you have a custom domain, you can set up Cloudflare. Cloudflare will help with reducing the load on the origin server (here) and that will reduce the number of hits (since Cloudflare will take them instead). If you are interested, I linked an article below.

2 Likes

For starters, a hit is not a click. A single click, or page view, typically generates multiple hits.

Did you also look at how many hits you actually got? The actual hit count is also displayed, not just the percentage, which is a lot more specific.

This is how the internet works. This is why DDoS attacks are a problem. If you send enough (bad) traffic to a site, it will go down.

The only solution is to add more capacity, but capacity costs money.

There is no limit on total users. There is a limit on hits. We set this limit to 50,000 per day. The conclusion that this equals 100 users is entirely your own calculation. We don’t limit accounts to 100 users.

Also, we cannot track “people” because the server level doesn’t know the concept of people. On the technical level, a web request is stateless, meaning that every request is standalone, and there is no inherent relation to things like “pages”, “sessions” or “people”.

The hit counter just counts these web requests, because that’s what we can measure reliably and non-intrusively. Would you rather have us inject mandatory tracking cookies into the browsers of all your visitors and use that to analyze their behavior?

All we care about is that a few bad accounts don’t overload the servers and cause a bad experience for everyone. To this end, we don’t care about the people visiting your website, we care about the load it generates on the server. And if you can reduce the load by generating fewer hits per visitor, you can have more visitors.

3 Likes

Ok, thank you for your help.
I understand that it will certainly be a problem because the Internet is full of bots and trolls. Only the server can counter DDoS, not us. It’s not the web developer’s job, but the server’s.
So I think if someone really wants to be evil, he just has to reload a page with a simple macro script all day… that’s not fair.
But ok, I’ll continue to use that server and I’ll migrate if I have problems with that.

I understand you limit the load but I think it’s not done in a good way.
If the only solution is to pay, it’s not really free… Either it’s free or it goes down. And I’m not sure that paying will resolve the problem: it will maybe raise the limit but won’t resolve the “load” problem because if there is an attack, you can’t ban the attacker. It’s a simple rule in the router. Routers have anti-DDoS protection… normally a server must have that protection.

Blocking DDoS attacks doesn’t work like that. There isn’t a “Block DDoS” button on the router you can just press and all attacks are gone. If you knew anything about DDoS attacks: how they work and what damage they can and have caused, you’d know that you can’t block all traffic floods by flicking a switch in the router.

Blocking DDoS attacks requires sophisticated filtering (which we have), and just having enough capacity to handle the traffic (which we also try to have). However, traffic detection is complicated and imperfect, and adding more capacity is expensive. And please keep in mind that you’re getting this service for free.

Also, premium hosting has the same issue. Not just our premium hosting: all premium hosting. If someone attacks your site, it will go down. But this also happens on a VPS, a dedicated server or even an entire cluster of servers. Heck, big corporations have been taken down by DDoS attacks, although by then you need a huge group of devices (a botnet) to cause damage. But the concept is the same: overwhelm the target with traffic and it will go down.

Yes, it’s not fair. Yes, it’s “not done in a good way”. DDoS attacks aren’t fair. Internet traffic is “not done in a good way”.

The reality is that bad traffic is also traffic, and handling traffic takes server and network capacity, which all costs money. And we cannot just pay for the traffic one site gets when one site owner makes someone else angry.

2 Likes

Does InfinityFree offer Free CloudFlare CDN?

You can use your custom domain with Cloudflare and Infinityfree, yes.

3 Likes

Hi, I know how DDoS attacks work (I’m a network technician, I learned to configure routers).
DDoS attacks are difficult to counter if they are massive: with multiple IPs you can saturate routers even if you have protection. But as you said, this type of attack is rare and concerns big websites, because it needs a lot of connections, an “army” of connections, for it to work.
But the hit limit has nothing to do with that. I don’t think that we can call it DDoS, but rather a flood attack.
It consists of loading a lot of webpages to saturate the CPU, bandwidth and RAM of the server and bring it down. It’s different, and your hit limit is fighting against that.
InfinityFree is able to count the hits to limit every web developer to 50,000 hits. But actually, if the limit is reached, I think you send a message to the router and say:
block (source: all) (destination: the website that reached the 50,000 hit limit) during: 24h
The problem is that: source all! One person has too much power!
The correct solution would be:
block (source: IP of THE guy that reached 5000 hits for example) (dest: the website) during 24h
I mean that only the server can do something against floods, not the web developer, because the index is a hit and it can be hit 50,000 times easily with a simple script.
And sleep is forbidden in PHP! haha why? People say it’s because it uses too much CPU on the server. But that was right in the 2000s; now sleep in PHP works fine, and if you authorise it, the web developer can put a 3 second sleep on every hit so it would be impossible to flood!
The other solution is captcha. But captchas are boring for users. Except Google’s invisible captcha, but I didn’t try it. I don’t know if it can stop a flood of hits?

I know that maintaining a server costs money. But why are there so many free servers? That’s because today servers use little energy and can be fully green, $0 energy. The cost is mostly in development, interface and maintenance. But it’s getting easier and easier to do.

Finally I bought a mini PC, 6 watts with no fan. I’ll use it to have total control, but maybe I’ll use InfinityFree as a second website, as a fallback, for example if my mini PC crashes or stops working xD
And if I’m happy with InfinityFree, I’ll try to help with money. But for the moment I have none.

But all the person has to do is change their IP address. Plus, that will still count as hits, as the server still has to accept and look at the request in order to know the IP.

And the sleep() function keeps a connection open, and if a lot of websites on the same server are using it, the server can become super slow. Since nobody wants a slow website, it was disabled.

3 Likes

So maybe it’s possible to limit the sleep to 10s maybe. 3 seconds is enough to say to flooders: OK, flood me with a 3s delay: 3600s = 1h x 24 = approx 28000 haha, you can’t take my website down alone, you will need help!
Yes, you can change IP. But it needs 5 minutes to reboot your connection, so it’s a lot of time and energy.

1 Like

And then there are browser identifiers that you can use to detect IP changing, like user agent, screen resolution, browser version, and many others that gathered together make an ID.

And what if I use a date(‘now’) interval in a while loop?

I am not sure what you mean by that. I can change the IP on my computer in less than 30 seconds.

Yes, but all that will take server power, so that will count as a hit. And since it would have to do that to all real visitors as well, you will actually end up burning through hits even faster.

2 Likes

The browser validation system makes it a bit more complicated, but it won’t stop a dedicated attacker.

It sounds like this is a problem that could be solved with IP based rate limiting, but I haven’t seen anyone ever hit such a thing on free hosting, so I’m not sure if such a feature exists, or why it doesn’t.
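The per-visitor limit the original poster described (a counter per visitor instead of one total) and the IP based rate limiting mentioned just above, as an added PHP example. This is not InfinityFree's code and not from anyone in this thread. It assumes a writable directory outside the web root for the counters; the window length and maximum are constructed values. It is keyed on the client IP rather than a session, because a session cookie is discarded trivially by a script. As the replies above say, the request still has to reach PHP to be counted, so this does not lower the hit count the host measures; what it does is cut the database and game work done per hit and answer floods with a cheap early 429.

```php
<?php
// Added example (not InfinityFree's code, not from this thread): a fixed-window
// rate limiter keyed on the client IP, using a locked JSON file per key so it
// works on shared hosting with no Redis or APCu. Values below are constructed.
declare(strict_types=1);

const RL_STORE_DIR = __DIR__ . '/../ratelimit'; // assumed writable, outside the web root
const RL_WINDOW_SECONDS = 3600;                 // one-hour window
const RL_MAX_HITS = 300;                        // allowed requests per IP per window

/**
 * Key for the current visitor. The IP is hashed so raw addresses never end up
 * as file names. A session id would be easier to fake (just drop the cookie),
 * so the IP is used even though it can change too.
 */
function rateLimitKey(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'ip_' . hash('sha256', $ip);
}

/**
 * Counts one request for $key and returns [allowed, hitsInWindow, retryAfter].
 * The counter file is locked during read-modify-write so concurrent requests
 * do not lose updates. If the store is unusable the function fails open: a
 * broken counter must not take the site down by itself.
 */
function checkRateLimit(
    string $key,
    int $now,
    int $window = RL_WINDOW_SECONDS,
    int $max = RL_MAX_HITS,
    string $dir = RL_STORE_DIR
): array {
    if (!is_dir($dir) && !@mkdir($dir, 0700, true)) {
        return [true, 0, 0];
    }
    $fh = @fopen($dir . '/' . $key . '.json', 'c+');
    if ($fh === false) {
        return [true, 0, 0];
    }
    flock($fh, LOCK_EX);
    $raw = stream_get_contents($fh);
    $state = json_decode($raw === false ? '' : $raw, true);

    // Fixed window: all timestamps inside the same hour share one counter.
    $windowStart = intdiv($now, $window) * $window;
    if (!is_array($state) || ($state['window'] ?? -1) !== $windowStart) {
        $state = ['window' => $windowStart, 'hits' => 0];
    }
    $state['hits']++;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);

    $allowed = $state['hits'] <= $max;
    $retryAfter = $allowed ? 0 : ($windowStart + $window - $now);
    return [$allowed, $state['hits'], $retryAfter];
}

// Usage: run this at the top of every page, before any database work or game logic.
[$allowed, $hits, $retryAfter] = checkRateLimit(rateLimitKey($_SERVER), time());
if (!$allowed) {
    http_response_code(429); // Too Many Requests
    header('Retry-After: ' . $retryAfter);
    exit('Too many requests from your address; try again later.');
}
```

Two caveats. If the site sits behind Cloudflare, as suggested earlier in the thread, `REMOTE_ADDR` is Cloudflare's address, so the key must come from the `CF-Connecting-IP` header instead, and only when the request provably arrived through Cloudflare; otherwise the header is attacker-controlled. And a fixed window lets a client spend the whole budget at the window boundary; a sliding window or token bucket is stricter but needs more state per key.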

I’d argue the opposite. We disabled sleep because it makes sites easy to flood.

PHP is a single process programming language. For every request coming in, a separate process is created, and while that request is being processed, the process is alive. Every running process consumes CPU and memory, so more concurrent processes means more server load.

There have been times when the client area was completely inaccessible due to high load. Not because a lot more processing was being done, or because more traffic was coming in, but because the hosting platform had an issue and all API calls were hanging. This caused the number of concurrent processes to shoot up and overwhelm the system.

An attacker can just compensate for it by having more concurrent requests. Or even start the request, and then cancel the request on their end, leaving their system free to send another request while the server is still generating a response.

(Invisible) ReCaptcha only works on forms, not entire sites. But the client area also has it on the login page, primarily to stop brute force attacks, and it’s really effective at that.

Server hardware costs a lot of money. Energy costs money too. The global chip shortage affects the server market too. And the current energy crisis in Europe also affects datacenters.

Sure, staff usually costs a lot more. But server space is most definitely not free either.

That sounds like device fingerprinting. It’s a fairly effective way to track people. But again, we’re not really interested in how many people visit your website, only the load it generates on the servers.

3 Likes

Yes, you’re certainly right. I’m too old for new technologies, I didn’t practice for a while. I discovered an interesting thing: WAF to prevent SQL injection, do you use it?
As a firewall, it looks like it can be interesting to control load too.

To prevent SQL injection, just use mysqli_real_escape_string.

3 Likes

WAFs tend to be annoying because of false positives. We had to turn it off on this forum, because it’s normal that people try to send SQL queries to the forum as part of a question about why a query doesn’t work.

WAFs can be useful as part of a layered security, but if you want to prevent SQL injection, the best method by far is to make sure your code is not vulnerable to SQL injection in the first place. You can do that by using parameterized queries or properly sanitizing input before sending it to the database. Using parameterized queries (meaning the database query and the data used in the query are sent to the database separately) is my favorite because it’s easy to forget to escape a parameter.

4 Likes
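The parameterized query the admin recommends, next to the escaping approach suggested earlier in the thread, as an added PHP example that is not the forum's or InfinityFree's code. The `players` table and the connection details are made up for the example; the defect in the first function is left in deliberately so the three forms can be compared.

```php
<?php
// Added example (not from this thread or InfinityFree): one lookup written
// three ways. The table `players(id, name, score)` and the connection
// details are constructed for the example.
declare(strict_types=1);

/**
 * VULNERABLE: the value is pasted into the SQL text, so any quote character
 * in $name changes the structure of the query. Kept only to show the defect.
 */
function findPlayerUnsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, name, score FROM players WHERE name = '" . $name . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

/**
 * ESCAPED: correct only if every value is escaped AND wrapped in quotes, and
 * only for string literals; numbers, identifiers and LIMIT values need other
 * handling. One forgotten call reintroduces the bug, which is why the admin
 * prefers parameters.
 */
function findPlayerEscaped(mysqli $db, string $name): ?array
{
    $safe = $db->real_escape_string($name);
    $sql = "SELECT id, name, score FROM players WHERE name = '" . $safe . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

/**
 * PARAMETERIZED: the query text and the data are sent separately; the value
 * is bound as a string and can never be interpreted as SQL.
 */
function findPlayerSafe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, score FROM players WHERE name = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id, $foundName, $score);
    $row = $stmt->fetch() ? ['id' => $id, 'name' => $foundName, 'score' => $score] : null;
    $stmt->close();
    return $row;
}

// Usage (placeholders for host, user, password and database name):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $player = findPlayerSafe($db, $_GET['name'] ?? '');
```

`bind_result` is used instead of `get_result` so the code does not depend on the mysqlnd driver being present on the host. The same pattern applies to INSERT and UPDATE statements: build the SQL with `?` placeholders once, and bind every user-supplied value.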

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.