On 5 feb 2010, at 16:57, Jeroen Massar wrote:
Alexander Mayrhofer wrote:
[..]
A simple approach would be to aggregate requests by prefix (/64 or /56
or even /48?), and use that prefix instead of the full IP adress. This
problem is not specific to our WHOIS use case, but will show up in SMTP
rate limiting, ssh blacklisting applications, SIP registration servers,
etc..
Indeed, that is the most simple and obvious approach: per 'level' eg
chunked something in order of /64, /48, /40, /36, /32 if X
hosts/upper-levels in that level do something bad you aggregate to the
next level.
X could vary per level of course.
And please please please make this aggregation policy case based or never aggregated above /64. There are a lot of ISP's out there who have different productsm with very different address plans which are all in the same /32 and can be quite close together, with a default policy of /56 for broadband residential, /48 for business and /64 for mobile.
So what seem to be a good and decent aggregation for DSL can all of a sudden create huge problems as you unintentionally block or ratelimit 65.000 mobile users from that same ISP.