On Fri, 22 Jan 2010, Emil wrote: > I'm curious though as why you block them completely, instead of just > have them put under some concurensy-limit. The addresses are already under the concurrency limit as described in the original post. The netfilter kicks in when there is certain volume (requests per minute) EXCEEDING the concurrency limit. A human being exceeding the concurrency limit gets a HTTP 503 service unavailable message and will hopefully try again only after some time, when the concurrency limit is not being exceeded. Well, that is plan, anyway. -- sriram