dos attack

Hi Experts,
We were hit with a nasty DOS attack last night - what are you guys
doing to block this? Is this something the Anti-Sammy plug-in is
supposed to block?

Thanks guys - Rob

if are using Windows server please read the following issue.


2012/6/26 Rob Daniels <>

Thanks guys - i have blocked that hacker’s IP in the firewall, but it’s easy to spoof and show a different IP. The attack produced thousands of errors in our coldfusion logs. I believe the hacker looked at the source for our addToCart form and wrote a bot to hit it thousands of times with variable garbage info.

I don’t want to block legitimate bots like googlebot - but it would be nice if there was a plug-in that looked for a pattern - like 100 database errors from the same IP within 2 minutes - and blocked that IP from accessing the site for a period of time. I can build something - but thought i’d post here first to see if you guys had used something in the past you liked

Have you thought about using something like FuseGuard to protect the app from attackes like these? I have used it in the past with great success to stop these attacks.


I was thinking Foundeo’s Web Application Firewall ( had a filter to limit the number of hits your site got from a single IP, but I don’t see it on the description page right now.

It probably wouldn’t be too hard to write some code that counts how many times an IP address hits your application and if the count exceeds a threshold, start aborting.

Use this as a starting point:



FuseGuard has a “repeat offender” thing that will block an ip address after multiple infractions.

Thanks guys - i’ll check it out

If you like a coldbox dev approach try the following interceptor i wrote to prevent from overload the system. it sort of greylists ip’s fro a moment you define. check configure method.

of course the mentioned hardware and firewall approach is better performing, but if you wan’t to prevent users from trying things out it helps sometimes. remove the logging to improve speed.

component name = “LogoutInterceptor”
hint = “this interceptor blocks all requests above a certain threshold”
extends = “coldbox.system.interceptor”
autowire = “true”
singleton {

property name = “log” inject=“logbox:logger:{this}” ;

public void function configure() {
this.threshold = 1000; // number of requests
this.timing = 10; // not more than nn requests per “nn” seconds allowed
this.block = 60 // requests from this ip are blocked for “nn” seconds

public boolean function preEvent(event) {
var rc = event.getCollection();
if (!structKeyExists(application, cgi.remote_addr)) {
application[cgi.remote_addr] = {
requests = 1,
timer = getTickCount(),
blocked = false
else {[cgi.remote_addr]));
application[cgi.remote_addr].requests ++;

if (getTickCount()-application[cgi.remote_addr].timer gt this.block1000 and application[cgi.remote_addr].blocked) {
log.debug(‘blocking released for #cgi.remote_addr#’);
structDelete(application, cgi.remote_addr, false);
else if (getTickCount()-application[cgi.remote_addr].timer gt this.timing
1000 and application[cgi.remote_addr].requests gt this.threshold) {
application[cgi.remote_addr].blocked = true;‘limit #this.threshold# reached within #this.timing# and ip #cgi.remote_addr# blocked for #this.block#’);

return false;

Markus. That is awesome can you add it to forgebox?