<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Or, if you didn't want to hit your slow DB, create a well known key that contains all IPs over a certain threshhold. Thus when a specific IP reaches 100 hits, put it on the list for later analysis. Once an hour or so, harvest the data.<DIV><BR class="khtml-block-placeholder"></DIV><DIV>This doesn't help much with AOL. They put all their users through specific gateway addresses. (at least they did about 18 months ago)<DIV><BR><DIV><DIV>On Dec 4, 2006, at 6:51 PM, Jason Pirkey wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite">Yes -- every X number of requests over the initial threshold -- a simple if and mod.<BR><BR><DIV><SPAN class="gmail_quote">On 12/4/06, <B class="gmail_sendername">Jed Reynolds</B> <<A href="mailto:lists@benrey.is-a-geek.net"> lists@benrey.is-a-geek.net</A>> wrote:</SPAN><BLOCKQUOTE class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Jason Pirkey wrote:<BR>> Jed:<BR>><BR> > If you are analyizing for attacks, it would be easier to do a real<BR>> time analysis with memcached, because at that point you will have the<BR>> IP address you are looking for -- do a hit to memcache to get its <BR>> counter and act accordingly (saving it to the database for later<BR>> analysis if it hits a certain threshold for instance. This way you<BR>> will not have to do scanning of memcache and post processing.<BR> <BR>Good idea, Jason, thanks! So if I'm tracking a high volume IP the way to<BR>track them is to record their status to database every 1,000 requests<BR>(e.g.) and not every request over the threshold.<BR><BR>Jed<BR></BLOCKQUOTE> </DIV><BR></BLOCKQUOTE></DIV><BR></DIV></DIV></BODY></HTML>