Bugtraq mailing list archives
Re: ratelimiting/concurrency limits both inadequate to stop TCP/IP DoS
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Fri, 2 Mar 2001 04:24:05 +0100
On Wed, 28 Feb 2001, bert hubert wrote:
I'm not certain weather its best to group ip addresses by /16 or /24 - /24 might consume too much memory, /16 might be too broad. Perhaps this should be a tunable parameter.
IMHO the best approach would be to group them automatically. The addresses and netblocks form a tree. You start with all leaves representing recorded groups being at the maximal level, i.e. exact IP addresses. Later, whenever you spot a subtree growing larger than desired, i.e. having too many nodes, you collapse the whole subtree into a single node, i.e. group them into one large netblock, and keep them grouped until the "number of their sins" drops below a reasonable limit. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
Current thread:
- Re: ratelimiting/concurrency limits both inadequate to stop TCP/IP DoS Pavel Kankovsky (Mar 02)