Rack Attack: Protection from abusive clients

92 points by ktheory about 12 years ago

6 comments

noonespecial about 12 years ago
Nice. I was really hoping it protected me from a very different kind of "abusive client" though. I guess there are some things that even in Ruby you can't do easily.
fduran about 12 years ago
iptables can limit the number of connections per IP in a "cheap" (fast/early) way. In fact it is my #1 use of iptables, since blocking ports where there are no services doesn't do much.
michaelbuckbee about 12 years ago
Maybe I'm missing something, but this seems like something that would only be useful in situations where you don't have access to anything "closer" to the network requests (router, firewall, webserver) that you can tweak to handle these types of things.

So it's something that's good for Heroku apps?
jwilliams about 12 years ago
My first question is how this works when you have more than one server.

It's not mentioned in the article, but this implementation uses the standard Rails Cache:

https://github.com/kickstarter/rack-attack/blob/master/lib/rack/attack/cache.rb

There are particular hooks in there for Redis. So if you've got "n" servers, it seems the preferred approach is to use a central Redis store.
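
Added example, not part of the thread and not rack-attack's own code: a fixed-window counter showing why the multi-server question above matters for a throttle's effective limit. `MemoryStore`, `Throttle` and the helper functions are hypothetical names, the IP and timestamp are constructed, and the shared `MemoryStore` stands in for a central Redis store.

```ruby
# Added illustration: a fixed-window throttle counter, NOT rack-attack's code.
# MemoryStore stands in for a cache backend; all names here are hypothetical.
class MemoryStore
  def initialize
    @data = Hash.new(0)
  end

  # Bump a counter key and return the new value.
  def increment(key)
    @data[key] += 1
  end
end

class Throttle
  def initialize(store, limit:, period:)
    @store = store
    @limit = limit
    @period = period
  end

  # Returns true when the request is allowed, false when throttled.
  def allow?(ip, now)
    window = now.to_i / @period           # same window id on every server
    @store.increment("throttle:#{window}:#{ip}") <= @limit
  end
end

# Send `requests` hits from one constructed IP, round-robin across `servers`,
# and return how many were allowed in total.
def allowed_count(servers, requests, ip: "203.0.113.7", now: 1_367_500_000)
  requests.times.count { |i| servers[i % servers.size].allow?(ip, now) }
end

# Each app server keeps its own counters (e.g. an in-process cache).
def per_process_servers(n, limit:, period:)
  Array.new(n) { Throttle.new(MemoryStore.new, limit: limit, period: period) }
end

# All app servers count against one store (stand-in for central Redis).
def shared_store_servers(n, limit:, period:)
  store = MemoryStore.new
  Array.new(n) { Throttle.new(store, limit: limit, period: period) }
end

if __FILE__ == $PROGRAM_NAME
  local  = allowed_count(per_process_servers(3, limit: 5, period: 60), 30)
  shared = allowed_count(shared_store_servers(3, limit: 5, period: 60), 30)
  puts "per-process stores: #{local} allowed; shared store: #{shared} allowed"
end
```

With per-process counters the configured limit is enforced per server, so the effective limit behind a load balancer is the limit times "n"; a shared store keeps it at the configured value.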
gingerlime about 12 years ago
I used fail2ban to block abusive IPs (based on string matching of specific errors in our logs). This seems like an interesting alternative though to keep things under one roof.
umsm about 12 years ago
This seems like a vulnerability in their implementation: "configure your proxy to set the X-Forwarded-For header with the source IP"