Hi friends, "and now to something completely different: the larch"... ;-)
Some of you might know:
http://www.zdziarski.com/projects/mod_evasive/

I'm just interested in some theoretical thoughts, if there would be a ns_evasive module... how to set up the "storage":

Background (Remember: this is an Apache module):

"Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second"

(It then answers with an HTTP status code of 403 for a specified time)

And (from the Apache-view):

"This module instantiates for each listener individually [...] Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously."

In our NaviServer world, when storing requests of clients (IP) to objects on the server (whatever you consider a "page", say HTML/ADP; and all the other page elements on the other side), what could a possible plan look like:
* do the key/value lookup via NSV arrays?
* or thread-locally?

Or everything in the first/the latter?

If I want to guarantee, say, that client X requests a page Y only 2 times within 5 seconds, this leads to NSV ("guarantee"). But when I think of e.g. the 70 images referenced in Y... and some of them also referenced from page Y'2 with a browser not caching anything... hm.

Is the "legitimate requests are never compromised" promise gained by a "server-wide-blindness" approach, a distribution of storage to the available processes?

And would turning on / off keepalive introduce some subtle differences?

cu Bernd.
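
An added example, not part of the original post and not NaviServer or mod_evasive code: a small Python model of the storage question above, comparing one server-wide table (what NSV arrays would give) with one table per worker (thread-local, like mod_evasive's per-child tables). The round-robin dispatch, the worker count of 4, and the sample addresses and URLs are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque


class WindowLimiter:
    """Sliding-window hit counter keyed by (client IP, URI)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # (ip, uri) -> timestamps of allowed hits

    def allow(self, ip, uri, now):
        q = self.hits[(ip, uri)]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # the server would answer 403 here
        q.append(now)
        return True


def simulate(requests, workers, shared, limit=2, window=5.0):
    """Dispatch (time, ip, uri) requests round-robin (assumed) to `workers`.

    shared=True  -> every worker consults the same table (NSV-like).
    shared=False -> each worker keeps its own table (thread-local).
    Returns the number of requests that were let through.
    """
    if shared:
        tables = [WindowLimiter(limit, window)] * workers
    else:
        tables = [WindowLimiter(limit, window) for _ in range(workers)]
    return sum(
        tables[i % workers].allow(ip, uri, t)
        for i, (t, ip, uri) in enumerate(requests)
    )


# Constructed traffic: one client requests page Y 12 times within 3 seconds.
BURST = [(i * 0.25, "192.0.2.10", "/Y.adp") for i in range(12)]

# Constructed traffic: one normal page load, Y plus its 70 images, once each.
PAGE_LOAD = [(0.0, "192.0.2.20", "/Y.adp")] + [
    (0.01 * i, "192.0.2.20", f"/img/{i}.png") for i in range(1, 71)
]

if __name__ == "__main__":
    for name, reqs in (("burst", BURST), ("page load", PAGE_LOAD)):
        for shared in (True, False):
            kind = "shared" if shared else "per-worker"
            print(f"{name:9} {kind:10} allowed={simulate(reqs, 4, shared)}")
```

With the shared table the burst is cut off after 2 requests; with four per-worker tables the same client gets 8 through, so "2 times within 5 seconds" only holds server-wide with shared storage. The page load with its 70 images passes in both cases because each URI is counted separately.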