dr|z3d
pfft to you too :P
dr|z3d
so where did we get to with the max concurrent connections per client, zzz?
zzz
dr|z3d, re: max conns per client, nowhere, we have no code for that
dr|z3d
can't the total max conns code be adapted?
zzz
sure, at the cost of CPU or memory. The total count is "free" because all the conns are stored in a map
zzz
so we'd have to loop thru all the conns to count every time, which is O(n**2), or keep another batch of counters
dr|z3d
I guess it's a question of whether or not you see value in having it available in the arsenal of anti-asshat tools :)
zzz
there's no limit to what we could do, but there has to be a balance
dr|z3d
sure, cost benefit analysis.
dr|z3d
it wouldn't hurt in terms of i2p's anti-ddos credentials, i2p is already being touted as better than Tor in terms of anti-ddos mitigations in various circles, not least wrt darknet markets.
zzz
yeah but a lot of this is coming from your current outproxy problems which is a niche use case. any normal server software e.g. Apache has a raft of throttling/blocking tools
dr|z3d
I think it has a broader application than just the outproxy, though the outproxying stuff does expose some of the limitations of the current mitigations.
dr|z3d
and ideally you want to filter and block requests before they hit the backend server, not rely on the server to handle abuse.
mesh
I mean iterating over a map ought to be really fast
mesh
even a map with thousands of objects
mesh
zzz: there is a way to banlist routers right? Is there an API for that available to native apps?
dr|z3d
i2ptunnel/ConnThrottler.java and i2ptunnel/access/ mesh.. those are the current tools.
mesh
dr|z3d: ConnThrottler isn't public... there's no way for an app to programmatically tell the Router, "Hey, don't accept any more connections from this Router (for the next 30 minutes)?"
dr|z3d
you don't block routers, you block destinations.
dr|z3d
blocking routers isn't part of i2ptunnel, which is what we're discussing indirectly.
mesh
ah it's a good point
dr|z3d
what you're referring to is: javadoc.skank.i2p/net/i2p/router/RouterContext.html#banlist()
mesh
you would want to actually ban a (Destination:src,Destination,port) pair... not an actual IP
zzz
clients know nothing about routers
mesh
it's too bad because Destinations are cheap, ip addresses are not
dr|z3d
the moment you can identify a router from a client destination, it's game over.
zzz
there is a global dest ban config but it's limited