I have rate limiting in place at the moment, but I regularly see spikes of requests from literally ~100 IPs within the same class-C network (I mean not a specific class-C, but various class-C’s).
I’m wondering if anyone can work out a way to create rate limiting rules that are not based around the absolute IP, but rather the /24 (or whatever you want for that matter) src IP range.
…all within 10 seconds, this exceeds 10 requests within the last 10 seconds for the /24 range… but not for the individual IPs, I’m after a way to say “if >10 in 10 seconds for /24 block” if that makes sense.
I’m trying to use this in the context of a URL + src based filter… but for the src I want the mask.
ie. base32+src,ipmask(24)
From what I can tell, this isn’t valid… is there any way to make it happen?
I (wrongly) assumed that the + was a concat operator, but it seems it isn’t universal.