Do you even need to store IPs? Just count accepted connections and every, say, 1000th connection check the current time; if less than a second has elapsed since the previous check, close the listening socket. Isn't DDoS caused by packet congestion rather than server processing?
> Just count accepted connections and every, say, 1000th
> connection check the current time; if less than a second
> has elapsed since the previous check, close the listening socket.
Then you risk killing genuine traffic. An above-average hit rate from a handful of locations is more likely to be abuse.
> Isn't DDoS caused by packet congestion rather than server
> processing?
From what I understand, a DDoS attacks any part of your system, usually the part that is slowest. You want to kill attacking traffic as quickly as possible without affecting genuine traffic. As for attacks on the network itself, this is where you rely on your cloud service provider.
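To make the two positions above concrete, here is an added example (not code posted by anyone in this thread) that simulates both approaches over the same stream of accepted connections: the global "check the clock every Nth accept and give up if a second has not passed" scheme, and a per-source sliding-window counter of the kind the reply is arguing for. The connection streams, the addresses (10.0.0.0/8 and 198.51.100.0/24, which is a documentation range) and the thresholds (1000 accepts, 1-second window, 50 accepts per source per second) are all constructed for the simulation, not measurements. Timestamps are passed in explicitly so the run is deterministic.

```python
from collections import defaultdict, deque


class GlobalBurstDetector:
    """The scheme proposed in the thread: count accepts and, on every
    `every`-th accept, look at the clock; if less than `window` seconds
    have passed since the previous look, report a burst (the point at
    which the proposal would close the listening socket)."""

    def __init__(self, every=1000, window=1.0):
        self.every = every
        self.window = window
        self.count = 0
        self.last_check = None

    def accept(self, now):
        """Return True if this accept trips the burst check."""
        self.count += 1
        if self.count % self.every:
            return False
        last, self.last_check = self.last_check, now
        return last is not None and (now - last) < self.window


class PerSourceLimiter:
    """Sliding-window accept counter per source address; a source is
    flagged once it exceeds `limit` accepts within `window` seconds.
    Only the offending address is reported, the listener stays open."""

    def __init__(self, limit=50, window=1.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window

    def accept(self, now, ip):
        """Return True if `ip` is now over its per-source limit."""
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        return len(q) > self.limit


def flash_crowd(n, rate):
    """Constructed stream: n distinct legitimate clients (one connection
    each, addresses in 10.0.0.0/8) arriving at `rate` accepts per second."""
    return [(i / rate, f"10.{(i >> 8) & 255}.{i & 255}.1") for i in range(n)]


def hammering(sources, per_source, rate):
    """Constructed stream: a handful of abusive addresses, each making
    `per_source` connections, interleaved at `rate` accepts per second."""
    total = len(sources) * per_source
    return [(i / rate, sources[i % len(sources)]) for i in range(total)]


def evaluate(events, every=1000, per_source_limit=50, window=1.0):
    """Run both detectors over a time-ordered accept stream.

    Returns (global_tripped, flagged_sources): whether the global check
    would have closed the listener at any point, and the sorted list of
    addresses the per-source limiter flagged."""
    g = GlobalBurstDetector(every, window)
    p = PerSourceLimiter(per_source_limit, window)
    global_tripped = False
    flagged = set()
    for now, ip in sorted(events):
        if g.accept(now):
            global_tripped = True
        if p.accept(now, ip):
            flagged.add(ip)
    return global_tripped, sorted(flagged)


if __name__ == "__main__":
    abusers = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    # A genuine flash crowd: 3000 different clients in 1.5 seconds.
    print("flash crowd      ", evaluate(flash_crowd(3000, 2000.0)))
    # Three sources hammering the listener at the same total rate.
    print("three abusers    ", evaluate(hammering(abusers, 1000, 2000.0)))
    # The two mixed: legitimate clients at 100/s plus the three abusers.
    mixed = flash_crowd(200, 100.0) + hammering(abusers, 1000, 1500.0)
    print("mixed            ", evaluate(mixed))
```

On the flash crowd the global check trips (2000 accepts inside a second is exactly what it is looking for) and would close the listener on 3000 genuine users, while the per-source limiter flags nobody because every address connected once. On the abusive stream both detectors fire, but only the per-source limiter tells you which three addresses to drop, and in the mixed case it does that without touching the legitimate clients. That is the difference the reply is pointing at: a global accept rate cannot distinguish a popular moment from an attack; per-source concentration can.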
Some forms of DDoS are focused on layer 7, but these are not the problem.
The DDoS attacks that are actually difficult to deal with are the layer 3, multi-hundred-gigabit attacks, which in our new IoT reality are not uncommon.