--On Friday, January 22, 2010 17.41.17 +0530 "Prof. P. Sriram" sriram@ae.iitm.ac.in wrote:
> On Fri, 22 Jan 2010, Karanbir Singh wrote:
>> On 01/22/2010 08:43 AM, Prof. P. Sriram wrote:
>>> We had a similar issue at the centos (and other stuff) mirror at ftp.iitm.ac.in some months ago. We have solved it effectively using a per-IP connection limit and fail2ban.
>> The problem with this is that you have effectively made your mirror non-usable for offices and organisations that only have 1 IP address to the world. There are quite a few of them.
> I believe a correction might be in order - we have made it non-usable for those that have 1 IP address and want to download at a rate exceeding 5 active connections per minute. Do you know of any such organizations? Shouldn't they be enhancing their connectivity?
I'm not getting into the "right/or/wrong" aspects of this, as both of you have valid points.
I'm curious though as to why you block them completely, instead of just having them put under some concurrency limit.
As I understand it you are injecting rules to netfilter to have the abusing addresses blocked, so I think it should be simple enough to put a limit on these addresses using the same injection mechanism. Or?
Regards, Emil
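One way to do what Emil suggests, as an added example that is not from this thread or from the iitm.ac.in mirror's configuration: a fail2ban action file in the standard action.d format whose ban step inserts an iptables connlimit rule for the offending address instead of a blanket DROP, so the address keeps service up to a concurrency ceiling. The file name, the chain name, the port list and the threshold of 5 concurrent connections (taken from the figure mentioned above) are assumptions; adjust them to the mirror's services.

```ini
# /etc/fail2ban/action.d/iptables-connlimit.conf  (hypothetical file name, added example)
[Definition]
# Dedicated chain; traffic to the mirror's ports is diverted through it.
actionstart = iptables -N f2b-<name>
              iptables -A f2b-<name> -j RETURN
              iptables -I INPUT -p tcp -m multiport --dports <port> -j f2b-<name>

actionstop  = iptables -D INPUT -p tcp -m multiport --dports <port> -j f2b-<name>
              iptables -F f2b-<name>
              iptables -X f2b-<name>

actioncheck = iptables -n -L INPUT | grep -q 'f2b-<name>[ \t]'

# On "ban", do not drop the source outright: reject only the connections
# beyond the 5th concurrent one from that single address (mask 32 = per host).
# A site behind one NAT address still gets up to 5 parallel transfers.
actionban   = iptables -I f2b-<name> 1 -s <ip> -p tcp -m multiport --dports <port> -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

# On "unban", remove exactly the rule that was inserted above.
actionunban = iptables -D f2b-<name> -s <ip> -p tcp -m multiport --dports <port> -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

[Init]
# Defaults; a jail overrides these with its own name and port list.
name = default
port = http,https,ftp
```

A jail selects it with `action = iptables-connlimit[name=mirror, port="http,https,ftp"]`; the <ip>, <name> and <port> tags are fail2ban's own substitutions.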