On Jul 3, 2018, at 4:46 PM, Reindl Harald <h.rei...@thelounge.net> wrote:

> On 03.07.2018 at 22:42, Joel Esler (jesler) wrote:
>
>> On Jul 3, 2018, at 3:59 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>>
>>> voila - all new connections which are more than 5 per hour from the same IP are dropped, i have similar rules for specific ports and max connections per client for many years now - no rocket science
>>
>> Yes. But measuring those numbers is the difficult part. A fresh install of ClamAV is going to download the main, the daily, then all the diffs since the last daily, which could be a ton. It's the people that are downloading the *same* diff 1000x an hour that are the problem.
>
> but these idiots are not fixed by the DNS record at all otherwise that won't exist - so it shows once more how useless and in total complex the DNS/mirror split is
>
> instead have just a "version.txt" directly on the mirror that would likely even solve the problem at all when they have whatever crap which ignores the DNS (maybe because they have a broken network with no DNS requests to the world but obviously http access to the mirrors and so download it every time)

I appreciate your point, and I'd love to streamline it. But I'd like to figure out how to balance the overhead of a TCP connection vs the overhead of a super fast UDP connection. Maybe there is a different way we can do the DNS query to make it smarter.

--
Joel Esler
Sr. Manager Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
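
The distinction drawn in the thread above (a fresh install fetching many different files versus a client fetching the same diff over and over), as an added example that is not part of the thread and not ClamAV project code. The log lines, IP addresses, file names and the `max_same_file` threshold are constructed, and each logged request is assumed to be one new connection; the cap of 5 per hour is the figure from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3})')

def build_sample_log():
    """Constructed access log: one fresh install, one client stuck in a loop."""
    lines = []
    fresh = ["/main.cvd", "/daily.cvd"] + [f"/daily-{n}.cdiff" for n in range(24700, 24720)]
    for i, path in enumerate(fresh):
        lines.append(f'192.0.2.10 - - [03/Jul/2018:16:{i:02d}:00 +0000] "GET {path} HTTP/1.1" 200')
    for i in range(40):
        lines.append(f'198.51.100.7 - - [03/Jul/2018:16:{i:02d}:30 +0000] '
                     '"GET /daily-24719.cdiff HTTP/1.1" 200')
    return lines

def tally(lines):
    """Return (requests per client/hour, requests per client/hour/path)."""
    per_client, per_file = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        ip, stamp, path, _status = m.groups()
        hour = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d %H:00")
        per_client[(ip, hour)] += 1
        per_file[(ip, hour, path)] += 1
    return per_client, per_file

def over_connection_cap(per_client, cap=5):
    """Clients a flat per-IP hourly cap would drop (cap value from the thread)."""
    return sorted({ip for (ip, _hour), n in per_client.items() if n > cap})

def repeat_downloaders(per_file, max_same_file=3):
    """Clients that fetched one and the same file too often in an hour."""
    return sorted({ip for (ip, _hour, _path), n in per_file.items() if n > max_same_file})

if __name__ == "__main__":
    clients, files = tally(build_sample_log())
    print("over 5 requests/hour:", over_connection_cap(clients))
    print("same file repeated:  ", repeat_downloaders(files))
```

On this sample the flat cap catches both clients, including the fresh install, while the per-file count isolates only the client looping on one diff.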