Alexander Mayrhofer wrote:
[..]
> A simple approach would be to aggregate requests by prefix (/64 or /56
> or even /48?), and use that prefix instead of the full IP address. This
> problem is not specific to our WHOIS use case, but will show up in SMTP
> rate limiting, ssh blacklisting applications, SIP registration servers,
> etc..

Indeed, that is the most simple and obvious approach: per 'level', e.g. chunked something in the order of /64, /48, /40, /36, /32, if X hosts/upper-levels in that level do something bad you aggregate to the next level. X could vary per level of course.

Very crude, but very effective, as at a /32 you will have blocked the full ISP if they are 'bad' as seen from your policy point of view.

Greets,
 Jeroen
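The per-level escalation described in the reply above, as an added example that is not part of the original message or of any project's code. The class and function names are hypothetical, the per-level thresholds ("X") are constructed values, and the sample addresses come from the 2001:db8::/32 documentation range.

```python
import ipaddress
from collections import defaultdict

LEVELS = [64, 48, 40, 36, 32]                      # prefix lengths named in the reply
THRESHOLD = {64: 3, 48: 2, 40: 2, 36: 2, 32: 2}    # "X" per level: constructed values

def prefix_of(addr, plen):
    """Return the /plen network that contains addr (host bits masked off)."""
    return ipaddress.IPv6Network((addr, plen), strict=False)

class Aggregator:  # hypothetical name
    def __init__(self, levels=LEVELS, threshold=THRESHOLD):
        self.levels, self.threshold = levels, threshold
        self.children = defaultdict(set)   # prefix -> distinct bad hosts/sub-prefixes in it
        self.blocked = set()

    def report(self, address):
        """Record one offending host; return prefixes newly blocked, narrowest first."""
        addr = ipaddress.IPv6Address(address)
        child, newly = addr, []
        for plen in self.levels:
            parent = prefix_of(addr, plen)
            self.children[parent].add(child)
            if parent in self.blocked or len(self.children[parent]) < self.threshold[plen]:
                break                       # nothing new to escalate
            self.blocked.add(parent)
            newly.append(parent)
            child = parent                  # a blocked prefix is one bad unit a level up
        return newly

    def is_blocked(self, address):
        addr = ipaddress.IPv6Address(address)
        return any(prefix_of(addr, p) in self.blocked for p in self.levels)

def demo():
    """Feed constructed offenders: three hosts in each of two /64s of one /48."""
    agg = Aggregator()
    events = []
    for subnet in ("2001:db8:1:1::", "2001:db8:1:2::"):
        for host in ("a", "b", "c"):
            events += [str(n) for n in agg.report(subnet + host)]
    return agg, events

if __name__ == "__main__":
    agg, events = demo()
    print(events)
    print(agg.is_blocked("2001:db8:1:ffff::1"), agg.is_blocked("2001:db8:2::1"))
```

The state here never expires; a deployment would age out both the counters and the blocks, since a block at /48 or wider also covers hosts that never misbehaved.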