[ic] Possible bug: Too many new ID assignments for this IP address

John1 list_subscriber at yahoo.co.uk
Tue Aug 23 17:30:08 EDT 2005 

In October 2004 I posted:
http://www.icdevgroup.org/pipermail/interchange-users/2004-October/041215.html
explaining what I thought was a bug which can result in *permanently* 
blocked access to Interchange sites from ISPs who use proxy servers.

To avoid this problem we are currently running with "RobotLimit 0", so it's 
not really causing us a problem any more (although it would be nice not to 
have to use RobotLimit 0).

Here is the sub count_ip code (which is still the same as it was in October 
2004):

sub count_ip {
 my $inc = shift;
 my $ip = $CGI::remote_addr;
 $ip =~ s/\W/_/g;
 my $dir = "$Vend::Cfg->{ScratchDir}/addr_ctr";
 mkdir $dir, 0777 unless -d $dir;
 my $fn = Vend::Util::get_filename($ip, 2, 1, $dir);
 if(-f $fn) {
  my $grace = $Vend::Cfg->{Limit}{robot_expire} || 1;
  my @st = stat(_);
  my $mtime = (time() - $st[9]) / 86400;
  if($mtime > $grace) {
   ::logDebug("ip $ip allowed back in due to '$mtime' > '$grace' days");
   unlink $fn;
  }
 }
 return Vend::CounterFile->new($fn)->inc() if $inc;
 return Vend::CounterFile->new($fn)->value();
}

I believe crux of the problem is that this code is checking the last 
*modified* time which actually has the effect of *permanently* blocking 
large ISPs who use a relatively small number of proxy servers.

##########  snippet from my post in October 2004:
So, here is the problem:  any IP address that is typically allocated more
than 1 session id in a 24 hr period will never get its addr_ctr file
expired.  i.e.  There needs to be a full 24 hr period without access from
the same IP address before the addr_ctr file will be deleted thus
re-allowing access from that IP address.  For large ISPs using a relatively
small number of proxy servers this may *never* happen, and so access
from their proxy servers is permanently blocked.
##########

i.e.  "RobotLimit X" is supposed to block accesses from IP addresses that 
have been allocated more than X SessionIDs in a 24 hour period, but in 
actual fact what it is really doing is *permanently* blocking IP addresses 
that have been allocated more than X SessionIDs without there ever being a 
*gap* of more than 24 hours before allocation of the next SessionID.

A fuller explanation can be found in my original post:
http://www.icdevgroup.org/pipermail/interchange-users/2004-October/041215.html

Thanks

More information about the interchange-users mailing list