[ic] Possible bug: Too many new ID assignments for this IP address
Mike Heins
mike at perusion.com
Wed Aug 24 09:45:38 EDT 2005
Quoting John1 (list_subscriber at yahoo.co.uk):
> On Wednesday, August 24, 2005 2:29 AM, mike at perusion.com wrote:
>
>
> >I am perfectly willing to believe I have screwed up, but I had thought
> >this had been addressed with
> >
> >Limit robot_expire 0.05
> >
> >This changes the 24-hour period to one hour. And since the first call
> >is always to count_ip() without incrementing the counter (and
> >therefore the mtime) the maximum lockout should be that one hour.
> >
>
> Do you mean "Since only the first call to count_ip() increments the counter
> (and therefore the mtime) the maximum lockout should be that one hour"?
>
> If I am reading the code in count_ip correctly the addr_ctr/IP file will
> only be deleted if its modified time is greater than "Limit robot_expire"
>
> If I understand correctly, the code in sub new_session calls count_up(1)
> (and therefore updates mtime if the addr_ctr/IP file already exists) each
> time a new session is created.
>
> Consequently the addr_ctr/IP file will keep counting up unless there is a
> *gap* of greater than "limit robot_expire" before a new session id is
> requested by the same IP address.
Yes, this is correct.
>
> i.e. So if you use "Limit robot_expire 0.05", provided there are at least
> 2 requests per hour for a new session id from the same IP address the
> addr_ctr/IP file will keep counting up forever.
Well, until it locks someone out for an hour.
>
> Then after a few days or weeks RobotLimit will eventually be exceeded and
> the IP address will then be *permanently* locked out. By permanent I mean
> until there is a gap of at least 1 hour between requests for new session
> ids from the IP address in question.
Aha, there is my misunderstanding. I didn't see an hour as permanent.... 8-)
>
> >If you have such traffic that you assign 100 legitimate IP addresses in
> >an hour, it means you would have to have a much better robot defense
> >than RobotLimit can supply....
> >
> So what I am saying above is that you don't need 100 accesses from the IP
> address to maintain a lockout, you only need at least 2 each hour to
> maintain the lockout situation.
This is correct.
Looking at it, it may indeed be less than ideal. Perhaps someone can
suggest an algorithm -- nothing clean and correct comes to my mind (new
file every day, counting down instead of up if time > Limit->robot_expire
* .1, etc.).
In the interim, I would think
Limit robot_expire 0.002
would work in all but the most extreme cases, where again I suggest you
need more than RobotLimit to defend you from the onslaught.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.647.1295 tollfree 800-949-1889 <mike at perusion.com>
Be patient. God isn't finished with me yet. -- unknown
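The behaviour John1 describes, and the "new file every day" alternative Mike floats, can be seen side by side in a small simulation. This is an added example in Python, not Interchange's own Perl code: it models the addr_ctr/IP file in memory with a fake clock, assumes robot_expire is in days (so 0.05 is 72 minutes) and assumes a RobotLimit of 100; the class and function names are invented for the illustration.

```python
"""Model of the RobotLimit counter behaviour discussed in the thread.

Added example, not Interchange's own code.  Assumed: robot_expire is in
days, RobotLimit is the number of new sessions allowed before lockout,
and the counter file is represented by an in-memory record.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86400


@dataclass
class Counter:
    """In-memory stand-in for an addr_ctr/<IP> file."""
    count: int
    started: float  # time the counter was created (start of its window)
    mtime: float    # last time count_up() rewrote it


class MtimeExpiryLimiter:
    """Mirrors the thread's description: the file is reset only when its
    mtime is older than robot_expire, and every increment rewrites the
    file, so a steady trickle of requests keeps the counter alive."""

    def __init__(self, robot_limit, robot_expire_days):
        self.robot_limit = robot_limit
        self.expire_s = robot_expire_days * SECONDS_PER_DAY
        self.counters = {}

    def _expired(self, c, now):
        return now - c.mtime > self.expire_s

    def new_session(self, ip, now):
        """Record one new-session request from ip; True if it is allowed."""
        c = self.counters.get(ip)
        if c is None or self._expired(c, now):
            c = Counter(count=0, started=now, mtime=now)
            self.counters[ip] = c
        c.count += 1      # count_up(1)
        c.mtime = now     # ... which rewrites the file and so touches mtime
        return c.count <= self.robot_limit


class WindowExpiryLimiter(MtimeExpiryLimiter):
    """Sketch of the "new file every day" idea (hypothetical, not a fix
    adopted by the project): expiry is measured from when the window
    started rather than from the last increment, so the count is bounded
    by however many requests fit in one robot_expire period."""

    def _expired(self, c, now):
        return now - c.started > self.expire_s


def simulate(limiter, ip, requests, interval_s):
    """Issue `requests` new-session requests from `ip`, one every
    `interval_s` seconds starting at t=0.  Returns (peak_count, denied)."""
    peak = denied = 0
    for k in range(requests):
        if not limiter.new_session(ip, k * interval_s):
            denied += 1
        peak = max(peak, limiter.counters[ip].count)
    return peak, denied


if __name__ == "__main__":
    # Constructed scenario from the thread: Limit robot_expire 0.05 (72 min),
    # an assumed RobotLimit of 100, and one client requesting a new session
    # every 30 minutes, i.e. twice an hour.
    for cls in (MtimeExpiryLimiter, WindowExpiryLimiter):
        peak, denied = simulate(cls(100, 0.05), "192.0.2.10", 120, 1800)
        print(f"{cls.__name__}: peak count {peak}, requests denied {denied}")
```

With the mtime-based expiry the count climbs by one per request and never resets while the 30-minute gaps stay under robot_expire, so the client is locked out once it passes the limit and stays locked out until it goes quiet for longer than robot_expire; with window-based expiry the same trickle peaks at three and is never denied.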