Currently I have one firewall rule that blocks all outgoing traffic to IP addresses from the “block-out” list.
In this list there are three address ranges which I would like to enable/disable on some triggers.
I would like to prevent excessive usage of a web site to which all three ranges belong (i.e. frequent requests within some adjustable time span - 10 minutes or 1 hour) and, if detected, force people to make a one-hour pause. If a person makes 10-minute pauses, no blocking should occur.
My equipment is RB2011UiAS-2HnD-IN with RouterOS 6.34.
Currently I see the blocking based on counters if they are accessible from firewall rules or user scripts:
- Detect a request to one of the address ranges and remember the detection flag for one hour (traffic to any of the three address ranges should be detected as a “request to the site” regardless of the actual address). If there is already a flag set, do not refresh its timeout.
- Near the end of the timeout, look at the counter of the rule. If there were too many requests (not bytes) sent, put all three ranges into the blocking list for one hour. Do not detect any traffic to the three address ranges within this hour.
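
The two steps described in the post, modelled as a small state machine so that a threshold can be tried against request timestamps before any router rules are written. This is an added example, not part of the original post and not RouterOS syntax; the names `SiteLimiter` and `simulate`, the `max_requests` threshold and the sample timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SiteLimiter:
    window: int = 3600        # lifetime of the detection flag, seconds
    block: int = 3600         # length of the forced pause, seconds
    max_requests: int = 10    # assumed threshold; the post gives no number
    flag_until: Optional[int] = None
    blocked_until: Optional[int] = None
    count: int = 0

    def _expire(self, t: int) -> None:
        # Flag timeout reached: judge the counter once, then clear both.
        if self.flag_until is not None and t >= self.flag_until:
            if self.count > self.max_requests:
                self.blocked_until = self.flag_until + self.block
            self.flag_until, self.count = None, 0
        # Forced pause is over: traffic is allowed and detected again.
        if self.blocked_until is not None and t >= self.blocked_until:
            self.blocked_until = None

    def request(self, t: int) -> bool:
        """Return True if a request at time t is forwarded, False if dropped."""
        self._expire(t)
        if self.blocked_until is not None:
            return False      # blocked: neither detected nor counted
        if self.flag_until is None:
            self.flag_until = t + self.window   # set once, never refreshed
        self.count += 1
        return True


def simulate(times, **settings):
    """Feed request timestamps (seconds, ascending) through one limiter."""
    limiter = SiteLimiter(**settings)
    return [limiter.request(t) for t in times]


if __name__ == "__main__":
    # Constructed traffic: one request per minute for 2.5 hours.
    result = simulate(range(0, 9000, 60))
    print("forwarded:", sum(result), "dropped:", len(result) - sum(result))
```

With these assumed settings, a request every 10 minutes stays under the threshold (6 per window), so the threshold has to sit above the number of requests a well-behaved user makes in one flag lifetime.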