Note:

If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

Security:Denial of service

From MoodleDocs
Important:

This content of this page has been updated and migrated to the new Moodle Developer Resources. The information contained on the page should no longer be seen up-to-date.

Why not view this page on the new site and help us to migrate more content to the new site!

This page forms part of the Moodle security guidelines.

What is the danger?

A malicious user tries to overload your server, so it crashes or becomes very slow for legitimate users.

Or there may be some other way that they can make it impossible for legitimate users to use your site. For example, by using a cross-site scripting vulnerability to include the JavaScript window.close() in a forum post.


How Moodle avoids this problem

This is a very difficult type of attack to defend against, if the attacker is determined.

However, most of the really expensive operations in Moodle (for example completing a quiz) are only available to authenticated users, so by logging all requests from authenticated users, we help administrators identify culprits.


What you need to do in your code

  • There is very little you can do from PHP code.
  • However, every page access should be logged. This will help investigate who is to blame, if a problem arises. Call add_to_log from your scripts.
  • Follow general performance good practice, so your code does not consume more resources than necessary.


What you need to do as an administrator

  • There are various tools you can use (e.g. firewalls, proxies) to try to limit the number of requests coming into your server. If you have a problem, look into them, but we don't have space for a detailed description here.
  • Know how to use the logs to investigate problems.
  • Monitor performance on your servers, so you know what normal load looks like, and that you have enough hardware to cope with normal fluctuations in load.


See also