Re: ratelimiting/concurrency limits both inadequate to stop TCP/IP DoS

[Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>]

On Wed, 28 Feb 2001, bert hubert wrote:

> I'm not certain weather its best to group ip addresses by /16 or /24 - /24
> might consume too much memory, /16 might be too broad. Perhaps this should
> be a tunable parameter.

IMHO the best approach would be to group them automatically. The addresses
and netblocks form a tree. You start with all leaves representing recorded
groups being at the maximal level, i.e. exact IP addresses. Later,
whenever you spot a subtree growing larger than desired, i.e. having too
many nodes, you collapse the whole subtree into a single node, i.e. group
them into one large netblock, and keep them grouped until the "number of
their sins" drops below a reasonable limit.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."