On 23 Jan 2015, at 21:20, Winfield, Alister <Alister.Winfield@bskyb.com> wrote:
Real life suggests 100:1 bad login to good login attempts. Mostly because the bad cases just try again and again and again and vendors haven¹t heard of backing off on failure.
If its normal and not actively malicious clients, try caching the rejects for a short period to avoid bothering to go through the full logic on every request.
Yes, the best solution for that is probably a holding pen, thats the strategy other other ISPs have adopted to prevent spurious re-authentication attempts. Just send back a different set of tunnel end-points and reduce the Session-Timeout. Works rather well for throttling re-authentication attempts. That or you build a system that can handle the load, which is actually fairly easy with modern hardware and an LDAP or REDIS backend. Other options are using the caching module to send back a canned reject for n minutes. -Arran