Paul Makepeace wrote:
IP 188.8.131.52 (Prodigy UK DSL) was hammering
5,000+hits in the last couple of hours.
Any thoughts on preventing this in future? Perhaps with Apache or at the
application level. It isn't the first time it's happened either, and it
drives the load on the machine way up. (Not as badly as the MT comment
spammers however... b*stards.)
What I'd much prefer to see is for someone to come up with a workable,
ideally executable, plan rather than just say 'check out mod_throttle'
Assuming you're running under mod_perl, have a global hash of IPs and
scores. Each score is a Tie::Scalar::Decay. For each page hit, check
the score for the originating IP, and if above a threshold,
system("stuff to filter out all packets from that IP"). Then increment
You'll need to tweak the threshold and the decay parameters - that is,
the time interval and the decay function.
You might like to also note somewhere what time each IP was blocked and
periodically unblock them. You might also like to have the blocks
expand themselves if there's already a block in place for a near
neighbour of someone you're about to add to the naughty list.
header FROM_DAVID_CANTRELL From =~ /david.cantrell/i
describe FROM_DAVID_CANTRELL Message is from David Cantrell
score FROM_DAVID_CANTRELL 15.72 # This figure from experimentation