Listing 1: Create database table

CREATE TABLE sessions (
id int IDENTITY (1,1) NOT NULL,
urltoken varchar(12),
ipaddress varchar(15),
template varchar(150),
firsthit datetime,
lasthit datetime,
pages int
)

PRIMARY: id
INDEXES: urltoken, lasthit



Listing 2: Tracking our sessions

<!--- check for current cfid and cftoken in query --->
<cfquery name="exists" datasource="dos">
SELECT id FROM sessions WHERE urltoken = '#cfid##cftoken#'
</cfquery>
<!--- if exists, update, otherwise add new --->
<cfif exists.recordCount gt 0>
<cfquery name="updateHit" datasource="dos">
UPDATE sessions SET lasthit = #Now()#,
template = '#cgi.script_name#',
pages = pages + 1
WHERE id = #exists.id#
</cfquery>
<cfelse>
<cfquery name="insertHit" datasource="dos">
INSERT INTO sessions (urltoken,ipaddress,template,firsthit,lasthit,pages)
VALUES ('#cfid##cftoken#','#cgi.remote_addr#','#cgi.script_name#',
#Now()#,#Now()#,1)
</cfquery>
</cfif>



Listing 3: checkDoS.cfm scheduled script

<!--- delete old records --->
<cfquery name="getOld" datasource="dos">
DELETE FROM sessions
WHERE lasthit < #CreateODBCDateTime(DateAdd("n",-60,Now()))#
</cfquery>

<!--- check for attacking IPs --->
<cfquery name="check" datasource="dos">
SELECT ipaddress, count(urltoken) as hitCount FROM sessions
GROUP BY ipaddress
HAVING count(urltoken) > 50
ORDER BY count(urltoken) DESC
</cfquery>

<!--- set bad ip list --->
<cfset application.DoS = ValueList(check.ipaddress)>



Listing 4: Halting invalid sessions

<cfif ListFind(application.DoS,cgi.remote_addr)>
<h2>DoS Attack Suspected!!!</h2>
<cfabort>
</cfif>