On 03.07.2018 at 22:42, Joel Esler (jesler) wrote:
On Jul 3, 2018, at 3:59 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
voila - all new connections which are more than 5 per hour from the same
IP are dropped, i have similar rules for specific ports and max
connections per client for many years now - no rocket science
Yes. But measuring those numbers is the difficult part. A fresh
install of ClamAV is going to download the main, the daily, then all the
diffs since the last daily, which could be a ton. It's the people that
are downloading the *same* diff 1000x an hour that are the problem.
but these idiots are not fixed by the DNS record at all otherwise that
won't exist - so it shows once more how useless and in total complex the
DNS/mirror split is instead have just a "version.txt" directly on the
mirror that would likely even solve the problem at all when they have
whatever crap which ignores the DNS (maybe because they have a broken
network with no DNS requests to the world but obviously http access to
the mirrors and so download it every time)
I appreciate your point, and I'd love to streamline it. But I'd like to
figure out how to balance the overhead of a TCP connection vs the
overhead of a super fast UDP connection. Maybe there is a different way
we can do the DNS query to make it smarter.
--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
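
Added example (not part of the thread and not ClamAV project code): the distinction drawn above, between a fresh install fetching many different diffs and one client re-fetching the same diff, can be measured on a mirror by counting access-log hits per (IP, hour, file) instead of per IP. The combined log format, the threshold of 5, the addresses and the file names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed Apache/nginx "combined" access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def build_sample():
    """Constructed log lines: one fresh install, one repeat downloader."""
    fmt = '{ip} - - [03/Jul/2018:20:{m:02d}:00 +0000] "GET {p} HTTP/1.1" 200 5120 "-" "ClamAV"'
    lines = []
    # Fresh install: 40 different diffs, each fetched once.
    for n in range(1, 41):
        lines.append(fmt.format(ip="192.0.2.10", m=n, p=f"/daily-{24000 + n}.cdiff"))
    # Misbehaving client: the same diff fetched 30 times in one hour.
    for i in range(30):
        lines.append(fmt.format(ip="198.51.100.7", m=i * 2, p="/daily-24040.cdiff"))
    lines.append("garbage line that does not match the log format")
    return lines

def requests_per_ip(lines):
    """What a plain per-IP connection limit sees: total hits per address."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits[m["ip"]] += 1
    return dict(hits)

def repeated_downloads(lines, threshold=5):
    """Files one IP fetched more than `threshold` times in one clock hour."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":  # skip unparsable lines and non-transfers
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], ts.strftime("%Y-%m-%d %H:00"), m["path"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}

SAMPLE = build_sample()

if __name__ == "__main__":
    print("per-IP totals:", requests_per_ip(SAMPLE))
    for (ip, hour, path), n in repeated_downloads(SAMPLE).items():
        print(f"{ip} fetched {path} {n}x during {hour}")
```

On the constructed sample both addresses exceed a 5-per-hour per-IP limit, but only 198.51.100.7 is reported by the per-file count.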