On 2009-02-04, Alec Matusis wrote:
> 1) Create a dictionary {ip1: count1, ip2: count2, ...} in the server, and
> check the counts for each incoming connection.
> Disconnect with transport.loseConnection() if the threshold for ip:count is
> exceeded.
> Reset this dictionary to empty dict {} every minute with reactor.callLater
> timer.
>
> 2) Use some Twisted rate limiter API that I am not familiar with?
>
> 3) Use iptables rate-limiting module like so:
> iptables -I INPUT -p tcp --dport 8888 -i eth0 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --dport 8888 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
I would recommend approach (3), because approach (1) will do an accept() of the connection and then drop it, giving the host on the other end a syn/ack transaction followed by a closed connection, and then it will probably attempt to reconnect immediately. Whereas (3) relies on the tcp/ip stack of the connecting host to send a bunch of syn packets until it gets through, or times out and follows its timeout logic.

-- 
Regards,
Stephen Thorne
Development Engineer
NetBox Blue - 1300 737 060

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
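For readers who still need approach (1), for example on a host where they cannot touch iptables, the following is an added illustration and not code from either poster or from Twisted itself. It keeps the per-IP bookkeeping in a plain class with an injectable clock so it can be tested without a reactor, uses a sliding 60-second window with a limit of 10 (the same numbers as the quoted `--seconds 60 --hitcount 10` rule, chosen here as assumed parameters) instead of a hard reset every minute, which would otherwise let a source get up to twice the limit across a window boundary, and prunes idle entries so the table cannot grow without bound if many distinct source addresses show up. The Twisted wrapper returns `None` from `buildProtocol`, which makes Twisted close the freshly accepted socket; this is exactly the accept-then-drop behaviour the reply above warns about, so the kernel-level rule remains the better first line of defence.

```python
"""Per-source-IP new-connection limiter for a Twisted server (added example).

Assumed parameters: window=60 seconds, limit=10 new connections per source,
matching the iptables rule quoted in the thread. Not code from the thread.
"""
import time
from collections import deque


class ConnectionRateLimiter:
    """Sliding-window limiter: at most `limit` accepted connections per
    source IP within any `window` seconds. `clock` is injectable so the
    logic can be exercised deterministically (no reactor needed)."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # ip -> deque of accept timestamps still inside the window

    def allow(self, ip, now=None):
        """Return True and record the hit if `ip` is under its limit."""
        now = self.clock() if now is None else now
        q = self._hits.setdefault(ip, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # expire hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def prune(self, now=None):
        """Drop IPs with no hits inside the window so the table cannot grow
        without bound under a flood from many different sources. Returns the
        number of IPs still tracked."""
        now = self.clock() if now is None else now
        cutoff = now - self.window
        for ip in list(self._hits):
            q = self._hits[ip]
            while q and q[0] <= cutoff:
                q.popleft()
            if not q:
                del self._hits[ip]
        return len(self._hits)


try:
    from twisted.internet import protocol, reactor
except ImportError:          # Twisted absent: the limiter above still works stand-alone
    protocol = reactor = None

if protocol is not None:
    class RateLimitedFactory(protocol.ServerFactory):
        """Wraps another ServerFactory. Returning None from buildProtocol makes
        Twisted close the just-accepted socket (accept-then-drop, as the
        reply in the thread notes). A reactor.callLater loop prunes idle IPs."""

        def __init__(self, wrapped, limiter):
            self.wrapped = wrapped
            self.limiter = limiter
            self._prune_call = None

        def buildProtocol(self, addr):
            if not self.limiter.allow(addr.host):
                return None
            return self.wrapped.buildProtocol(addr)

        def startFactory(self):
            self.wrapped.startFactory()
            self._prune_loop()

        def stopFactory(self):
            if self._prune_call is not None and self._prune_call.active():
                self._prune_call.cancel()
            self.wrapped.stopFactory()

        def _prune_loop(self):
            self.limiter.prune()
            self._prune_call = reactor.callLater(self.limiter.window, self._prune_loop)


if __name__ == "__main__" and protocol is not None:
    # Constructed demo: an echo server on port 8888 (the port from the thread),
    # limited to 10 new connections per source IP per 60 seconds.
    from twisted.protocols.wire import Echo
    inner = protocol.ServerFactory()
    inner.protocol = Echo
    reactor.listenTCP(8888, RateLimitedFactory(inner, ConnectionRateLimiter(10, 60.0)))
    reactor.run()
```

The limiter counts accepted connections, not bytes or requests, so it only bounds the accept rate; anything a legitimate client does after being accepted needs its own limits.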