If one person that's connected to my server, is running a multirequest script that reconnects and continues no matter what, how can I stop it without affecting the other people that are connected to my server from the same ip? Is that even possible?
If src address cannot be used to differentiate, source port cannot be used to regognize same user, and requests have no identifier on higher level, then the "best" you can do is to limit the rate that connections are handled. That too affects all users (from that address).
You can't look at the transport or network layer, you need to look at the application layer. Is there anything in the data that would allow you to distinguish the attacker? For example, to stop or throttle a web scraper one might look at the client's user agent to distinguish bots from web browser.
If the traffic is indistinguishable at the application layer you'll have no choice but to block the IP.
It doesn't, dont be a Hitler. Non-regular rule breakers are refreshing. The important thing is that we make each other move forward.
For example, to stop or throttle a web scraper one might look at the client's user agent to distinguish bots from web browser.
A smart bot would just fake a user agent header.
Let's say it's distinguishable. At best, I can tell my ISP not to send me packages from the specific address (E.g. if something is missing in the headers or entire ip is banned).
In the worst case, everything has to be handled by my own machine/router. Attackers connect,(send), I close, attackers connect, (send), I close and this continues forever. I in fact never get control of the attack without the help of ISP. If it is blacklisted then ISP can prevent the request from reaching my server in first place. But without the assistance of ISP my machine/router can be kept under pressure for eternity, because the blacklist still needs to be handled when it arrives.
Basic Internet infrastructure will not block any traffic for any reason as long as it doesn't interfere with its systems. Their systems handle too much traffic to implement firewalls, let alone inspecting the application layer data. So, you can tell your ISP anything you want, but that doesn't mean they're obliged to do anything as a result.
If you don't want to accept traffic from that IP just block it at your firewall. It will still consume downstream bandwidth, but there's nothing you can do about that. At least your server won't use CPU time processing connections that will just be closed immediately.
If you set your firewall to block the packets it will reply to the source that the packet was rejected. If you set it to drop it won't send the notification and to the source it will be indistinguishable from the packet being lost in the network (e.g. because the IP doesn't exist). Blocking is what you do out of politeness when the source is friendly. Dropping is what you do with hostile traffic.
Which firewall? The one on the server machine?... That affects the same CPU. Or do you mean router?
If router... Can it handle the constant load alone no matter how large? If not, when do I know it needs reinforcement? Where can I see an indication of that
Which firewall? The one on the server machine?... That affects the same CPU. Or do you mean router?
Whichever one you prefer.
If router... Can it handle the constant load alone no matter how large? If not, when do I know it needs reinforcement? Where can I see an indication of that
How should I know? I don't what router you're using or what's the bandwidth between you and the other party.