[ic] Possible bug: Too many new ID assignments for this IP address

Mike Heins mike at perusion.com
Wed Aug 24 09:45:38 EDT 2005


Quoting John1 (list_subscriber at yahoo.co.uk):
> On Wednesday, August 24, 2005 2:29 AM, mike at perusion.com wrote:
> 
> >
> >I am perfectly willing to believe I have screwed up, but I had thought
> >this had been addressed with
> >
> >Limit robot_expire 0.05
> >
> >This changes the 24-hour period to one hour. And since the first call
> >is always to count_ip() without incrementing the counter (and
> >therefore the mtime) the maximum lockout should be that one hour.
> >
>
> Do you mean "Since only the first call to count_ip() increments the counter 
> (and therefore the mtime) the maximum lockout should be that one hour"?
> 
> If I am reading the code in count_ip correctly, the addr_ctr/IP file will 
> only be deleted if its modified time is greater than "Limit robot_expire".
> 
> If I understand correctly, the code in sub new_session calls count_up(1) 
> (and therefore updates mtime if the addr_ctr/IP file already exists) each 
> time a new session is created.
> 
> Consequently the addr_ctr/IP file will keep counting up unless there is a 
> *gap* of greater than "limit robot_expire" before a new session id is 
> requested by the same IP address.

Yes, this is correct.

> 
> i.e. so if you use "Limit robot_expire 0.05", provided there are at least 
> 2 requests per hour for a new session id from the same IP address the 
> addr_ctr/IP file will keep counting up forever.

Well, until it locks someone out for an hour.

> 
> Then after a few days or weeks RobotLimit will eventually be exceeded and 
> the IP address will then be *permanently* locked out.  By permanent I mean 
> until there is a gap of at least 1 hour between requests for new session 
> ids from the IP address in question.

Aha, there is my misunderstanding. I didn't see an hour as permanent.... 8-)

> 
> >If you have such traffic that you assign 100 legitimate IP addresses in
> >an hour, it means you would have to have a much better robot defense
> >than RobotLimit can supply....
> >
> So what I am saying above is that you don't need 100 accesses from the IP 
> address to maintain a lockout, you only need at least 2 each hour to 
> maintain the lockout situation.

This is correct.

Looking at it, it may indeed be less than ideal. Perhaps someone can
suggest an algorithm -- nothing clean and correct comes to my mind (new
file every day, counting down instead of up if time > Limit->robot_expire
* .1, etc.).

In the interim, I would think 

	Limit robot_expire 0.002

would work in all but the most extreme cases, where again I suggest you
need more than RobotLimit to defend you from the onslaught. 

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Be patient. God isn't finished with me yet.  -- unknown
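To make the interaction described in this exchange concrete, here is a small simulation. It is an added example, not Interchange's count_ip()/new_session() code: it models the counter whose expiry clock restarts on every increment (the behaviour John1 describes and Mike confirms) next to a fixed-window counter whose clock starts when the file is created (an assumed alternative, not anything the thread proposes). RobotLimit 100, the client address and the request timings are all constructed for the example.

```python
"""Model of the RobotLimit / robot_expire interaction described above.

Constructed example: this is NOT Interchange's count_ip()/new_session()
code, only a simulation of the two counter policies the thread describes,
driven by synthetic request timings.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DAY = 86400.0  # robot_expire is in days ("Limit robot_expire 0.05" = 1.2 h)


@dataclass
class Counter:
    count: int = 0
    created: float = 0.0  # when the addr_ctr/IP file was first written
    mtime: float = 0.0    # last write; refreshed by every increment


@dataclass
class IpCounter:
    """Per-IP new-session counter.

    refresh_on_increment=True models the behaviour discussed in the thread:
    each increment rewrites the file and so its mtime, and the file is only
    deleted once the *gap* since the last write exceeds robot_expire.
    False models a fixed window measured from the file's creation time;
    that is an assumed alternative, not Interchange's code.
    """
    robot_expire_days: float
    robot_limit: int
    refresh_on_increment: bool = True
    files: Dict[str, Counter] = field(default_factory=dict)

    def count_ip(self, ip: str, now: float, increment: bool = False) -> int:
        expire = self.robot_expire_days * DAY
        ctr = self.files.get(ip)
        if ctr is not None:
            anchor = ctr.mtime if self.refresh_on_increment else ctr.created
            if now - anchor > expire:
                del self.files[ip]  # stale file removed; count starts over
                ctr = None
        if not increment:
            return ctr.count if ctr is not None else 0
        if ctr is None:
            ctr = self.files[ip] = Counter(created=now, mtime=now)
        ctr.count += 1
        ctr.mtime = now  # the write that keeps the file "fresh"
        return ctr.count

    def new_session(self, ip: str, now: float) -> bool:
        """True if a session id is granted, False if RobotLimit is exceeded."""
        return self.count_ip(ip, now, increment=True) <= self.robot_limit


def simulate(refresh_on_increment: bool, interval_s: float, hours: float,
             robot_expire_days: float = 0.05,
             robot_limit: int = 100) -> Tuple[int, Optional[float]]:
    """One client asks for a new session every interval_s seconds for
    `hours` hours.  Returns (highest count reached, seconds until the
    first refused request, or None if it was never refused).
    RobotLimit 100 is an assumed value; the thread does not state one."""
    ic = IpCounter(robot_expire_days, robot_limit, refresh_on_increment)
    ip = "192.0.2.10"  # constructed client address
    t, max_count, first_lockout = 0.0, 0, None
    while t <= hours * 3600:
        granted = ic.new_session(ip, t)
        max_count = max(max_count, ic.files[ip].count)
        if not granted and first_lockout is None:
            first_lockout = t
        t += interval_s
    return max_count, first_lockout


if __name__ == "__main__":
    # Three requests an hour, far below RobotLimit per hour, for two days.
    print("mtime-refresh, 0.05 days, 20 min gap:", simulate(True, 1200, 48))
    print("fixed window,  0.05 days, 20 min gap:", simulate(False, 1200, 48))
    # The interim setting suggested above: a gap over ~2.9 min now resets.
    print("mtime-refresh, 0.002 days, 20 min gap:",
          simulate(True, 1200, 48, robot_expire_days=0.002))
    print("mtime-refresh, 0.002 days, 1 min gap:",
          simulate(True, 60, 2, robot_expire_days=0.002))
```

With the mtime-refresh policy and 0.05 days, a client returning every 20 minutes never lets the file expire: the count climbs to 145 over two days and the client is refused from roughly hour 33 onwards, and stays refused for as long as it keeps coming back inside the expiry gap. The fixed-window variant never exceeds 4 in any 1.2-hour window. With 0.002 days the same 20-minute client resets every time, but a client returning every minute is still locked out after 100 requests, which is the case where something beyond RobotLimit is needed.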
