Why does a good anti-flood protection for my website redirect in strange cases?


I have the following anti-flood protection for my PHP website:

<?php
if (!isset($_SESSION)) {
    session_start();
}
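// anti-flood protection
// isset() avoids an undefined-index notice on the first request of a session
if (isset($_SESSION['last_session_request']) && $_SESSION['last_session_request'] > time() - 2) {
    // users will be shown this message if they make requests faster than every 2 seconds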
    echo "Stay out!";
    exit;
}
$_SESSION['last_session_request'] = time();

?>

It works fine, because the website became stable after I added it (15 days ago), but it has a problem. To understand the problem you can go to the attacked website (http://www.lamejortoros.com/) and you will see:

If you are on the main page or click on one of the articles, it navigates well.

BUT

If you go to the Cronicas, Contactenos or Miembros sections, it shows: Stay out!

I want to understand why it happens and, if possible, how to solve it.

Thanks.


There are 1 best solutions below


Do the following steps:

  1. Install Firebug (or, if your browser has a built-in debugger, use it).
  2. Open the Network tab (to see what happens on the backend).
  3. Watch what happens when you click those links.

What happens is that you are hitting your website twice. First it hits a 301 redirect, then the actual page, causing it to count as 2 visits and thus fail. You can solve it by increasing the number of visits at which you assume it is a bot.

IMO you are doing it wrong. Anti-DDoS protection should be at the server level, not the script level. I can have cookies disabled and hit your website as many times as I want without issues. Additionally, bots do not store cookies, so every time they have a new session.
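
The answer's two points (count visits against a threshold so that a 301 plus the real page does not trip the check, and do not depend on the session cookie) as an added PHP example that is not part of the original post. The function name, the limit of 10 requests per 2 seconds, the in-memory `$store` array and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example: sliding-window limiter keyed by client address, not by session.
// $store stands in for shared server-side storage (assumption for illustration).

/**
 * Returns true if the request is allowed, false if the client already made
 * $limit requests within the last $window seconds.
 */
function allow_request(array &$store, string $clientKey, float $now,
                       int $limit = 10, float $window = 2.0): bool
{
    $hits = $store[$clientKey] ?? [];
    // Drop timestamps that have fallen out of the window.
    $hits = array_values(array_filter(
        $hits,
        function ($t) use ($now, $window) { return $t > $now - $window; }
    ));
    if (count($hits) >= $limit) {
        $store[$clientKey] = $hits;   // rejected hits are not recorded
        return false;
    }
    $hits[] = $now;
    $store[$clientKey] = $hits;
    return true;
}

// Constructed sample traffic (documentation-range addresses, RFC 5737).
$store = [];

// A visitor follows a link that answers 301 and then loads the real page:
// two requests 0.1 s apart. Both are allowed.
$redirect = allow_request($store, '192.0.2.10', 100.0);
$page     = allow_request($store, '192.0.2.10', 100.1);
var_dump($redirect && $page);

// A cookie-less client sends 30 requests in 0.3 s. Each one would start a
// fresh session, but the address key still accumulates hits.
$allowed = 0;
for ($i = 0; $i < 30; $i++) {
    if (allow_request($store, '198.51.100.7', 200.0 + $i * 0.01)) {
        $allowed++;
    }
}
var_dump($allowed);
```

In a live script the key would come from `$_SERVER['REMOTE_ADDR']` and the store from storage shared across requests; behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so every visitor would share one counter.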