Paul Makepeace wrote:
IP 213.232.83.91 (Prodigy UK DSL) was hammering london.OG earlier; 5,000+ hits in the last couple of hours.
Any thoughts on preventing this in future? Perhaps with Apache or at the application level. It isn't the first time it's happened either, and it drives the load on the machine way up. (Not as badly as the MT comment spammers however... b*stards.)
What I'd much prefer to see is for someone to come up with a workable, ideally executable, plan rather than just say 'check out mod_throttle' or whatever.
Assuming you're running under mod_perl, have a global hash of IPs and scores. Each score is a Tie::Scalar::Decay. For each page hit, check the score for the originating IP, and if above a threshold, system("stuff to filter out all packets from that IP"). Then increment the score.
You'll need to tweak the threshold and the decay parameters - that is, the time interval and the decay function.
You might like to also note somewhere what time each IP was blocked and periodically unblock them. You might also like to have the blocks expand themselves if there's already a block in place for a near neighbour of someone you're about to add to the naughty list.
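
The scheme described in the reply above, as an added example that is not part of the original message: per-IP scores that decay over time, a block threshold, and timed unblocking, in plain Perl with the decay computed by hand rather than through Tie::Scalar::Decay. The half-life, threshold, block lifetime, sub names and sample addresses are assumptions, and the callbacks stand in for whatever command filters packets from an IP.

```perl
# Added example: decaying per-IP hit scores, block threshold, timed unblock.
use strict;
use warnings;

my $HALF_LIFE = 60;     # seconds for a score to halve (assumed tuning value)
my $THRESHOLD = 20;     # decayed score above which an IP is blocked (assumed)
my $BLOCK_TTL = 3600;   # seconds before a block is lifted (assumed)
my (%score, %blocked);  # ip => [score, last_update];  ip => time blocked

# Score for $ip at time $now, decayed since its last update.
sub current_score {
    my ($ip, $now) = @_;
    my $rec = $score{$ip} or return 0;
    return $rec->[0] * 0.5 ** (($now - $rec->[1]) / $HALF_LIFE);
}

# Call once per page hit; returns 'blocked', 'block' (newly blocked) or 'ok'.
sub register_hit {
    my ($ip, $now, $block_cb) = @_;
    return 'blocked' if exists $blocked{$ip};
    my $s = current_score($ip, $now);
    if ($s > $THRESHOLD) {               # check first, as in the reply
        $blocked{$ip} = $now;            # note when the block was placed
        delete $score{$ip};
        $block_cb->($ip) if $block_cb;   # packet filter hook goes here
        return 'block';
    }
    $score{$ip} = [ $s + 1, $now ];      # then increment the score
    return 'ok';
}

# Call periodically: lift blocks older than $BLOCK_TTL, return the freed IPs.
sub expire_blocks {
    my ($now, $unblock_cb) = @_;
    my @freed = grep { $now - $blocked{$_} >= $BLOCK_TTL } sort keys %blocked;
    for my $ip (@freed) {
        delete $blocked{$ip};
        $unblock_cb->($ip) if $unblock_cb;
    }
    return @freed;
}

# Constructed traffic: one client at 5 hits/s, another at one hit per 30 s.
my $t0 = 1_000_000;
for my $i (0 .. 99) {
    last if register_hit('192.0.2.10', $t0 + $i / 5, sub { print "block $_[0]\n" }) eq 'block';
}
print register_hit('198.51.100.7', $t0 + 30 * $_), "\n" for 0 .. 3;
print "unblocked: @{[ expire_blocks($t0 + 4000) ]}\n";
```

Under a prefork mod_perl server each child process holds its own copy of these hashes, so a client's hits are spread across children unless the scores are kept in storage the children share.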