I don't know how to do it, but it would be *really* cool if IP addresses could be rate-limited and serialized inside the AOLServer core without having to resort to proxying every incoming connection through another piece of software.
Several things would be needed:

1. An interface to set/query the list of IP addresses with special handling.

2. Options for each IP address:
   a) max concurrent requests
   b) minimum delay between requests
   c) ignore request? (y/n - close connection immediately)

   Options a & b would be exclusive; maybe they could be combined somehow. Option c could be easily implemented in a TCL filter if necessary.

3. A small pool of lower-priority threads to service the special IPs. All requests from flagged IPs would be sent to only these threads. If they are all busy, the request has to wait.

Rather than do this just by IP address, maybe it needs to be by "class", where an (optional?) external TCL classification script assigns the class. For example, a search engine may send 5 machines to our site to spider us simultaneously. Once this is detected, all of the IPs can be put into the same class so that this search engine crawler can only do 1 page fetch every 5 seconds, no matter how many different machines it uses. The default class could be the IP address.

Combined with a monitoring utility to dynamically adjust the IP list (that could be done outside the core with a TCL filter), this would be a great tool for slowing down user client site downloads, web crawlers, DoS attacks, alerting about potential attacks - all kinds of good uses.

Jim

>
> Hello,
>
> What is the best way to limit the number of simultaneous requests from
> one IP address? Is it possible to achieve that via aolserver
> configuration? Or do I have to look into something like snort?
>
> Last Friday I got about 10 reqs/sec from one funny user who wanted to
> copy the entire site. She downloaded 700MB in about 25 minutes. This was
> quite bad for the overall performance of the server.
>
> Many TIA,
>
> peter
>
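The class-based scheme described in the post above, done outside the core as a preauth/trace filter pair. This is an added example, not code from the thread or from AOLserver itself; the nsv array names (rl_class, rl_policy, rl_active, rl_last, rl_counted, rl_ctl), the proc names and the sample IP addresses and policies are all made up for illustration. It implements the three per-class options (max concurrent, minimum delay, ignore), defaults the class to the IP address, and lets an external classification job reassign IPs to a class by writing rl_class entries. Requests that exceed a limit are refused with a 503 and Retry-After rather than parked in a thread, since holding a connection thread is exactly what option 3 is meant to avoid:

```tcl
# ratelimit.tcl - hypothetical per-IP / per-class request limiting filter.
# Not AOLserver code; drop it in the server's private Tcl library so it is
# sourced at startup. Array and proc names are illustrative only.

# Policy per class: {max_concurrent min_delay_seconds ignore}
#   max_concurrent 0 = unlimited, min_delay 0 = none, ignore 1 = drop socket.
# Constructed sample policies; the addresses below are documentation ranges.
nsv_set rl_policy crawler [list 0 5 0]   ;# one fetch per 5 s for the whole class
nsv_set rl_policy leech   [list 2 0 0]   ;# at most 2 requests in flight
nsv_set rl_policy blocked [list 0 0 1]   ;# close the connection, no reply

# Five spider hosts share one class, so they are throttled as a unit.
foreach ip {192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14} {
    nsv_set rl_class $ip crawler
}
nsv_set rl_class 198.51.100.7 leech
nsv_set rl_class 203.0.113.9  blocked

# Mutex guarding the read-then-update of rl_last (nsv ops are only
# individually atomic).
nsv_set rl_ctl mutex [ns_mutex create]

# Default class is the IP itself; a monitoring job can override it by
# writing rl_class entries at runtime.
proc rl_classify {ip} {
    if {[nsv_exists rl_class $ip]} {
        return [nsv_get rl_class $ip]
    }
    return $ip
}

# preauth filter: decide whether this request may proceed.
proc rl_admit {why} {
    set ip    [ns_conn peeraddr]
    set class [rl_classify $ip]
    if {![nsv_exists rl_policy $class]} {
        return filter_ok                ;# no special handling for this class
    }
    foreach {max_conc min_delay ignore} [nsv_get rl_policy $class] break

    if {$ignore} {
        ns_log Notice "ratelimit: dropping $ip (class $class)"
        ns_conn close
        return filter_return
    }

    if {$min_delay > 0} {
        set m [nsv_get rl_ctl mutex]
        ns_mutex lock $m
        set now  [ns_time]
        set last 0
        if {[nsv_exists rl_last $class]} {
            set last [nsv_get rl_last $class]
        }
        set ok [expr {$now - $last >= $min_delay}]
        if {$ok} {
            nsv_set rl_last $class $now
        }
        ns_mutex unlock $m
        if {!$ok} {
            ns_set put [ns_conn outputheaders] Retry-After $min_delay
            ns_return 503 text/plain "Too many requests; retry in $min_delay s"
            return filter_return
        }
    }

    if {$max_conc > 0} {
        # nsv_incr is atomic and returns the new value, so increment first
        # and check the result; this avoids a check-then-increment race.
        if {[nsv_incr rl_active $class] > $max_conc} {
            nsv_incr rl_active $class -1
            ns_return 503 text/plain "Too many concurrent requests"
            return filter_return
        }
        # Remember which connections were counted so rl_release only
        # decrements for those.
        nsv_set rl_counted [ns_conn id] $class
    }
    return filter_ok
}

# trace filter: runs after the request completes; release the slot.
proc rl_release {why} {
    set id [ns_conn id]
    if {[nsv_exists rl_counted $id]} {
        nsv_incr rl_active [nsv_get rl_counted $id] -1
        nsv_unset rl_counted $id
    }
    return filter_ok
}

ns_register_filter preauth GET /* rl_admit
ns_register_filter trace   GET /* rl_release
```

Only GET is registered because a site mirror or crawler fetches with GET; add a second pair of ns_register_filter calls for POST if the policy should cover it. The mutex is assumed to be the plain ns_mutex create/lock/unlock interface; if a trace filter is ever skipped for a connection that was counted in rl_admit, the rl_active counter for that class drifts upward, so a periodic scheduled proc that resets rl_active from the live connection count is a sensible safety net.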