I've known for a while that in the case of changing AOL IPs my velocity triggered events could be better implemented. I still trap some situations but things could be much better. Some time ago I also implemented an embedded IP trap in the web site logic of some functions. Today I realized that the multiple per session, ever changing, AOL IP "feature" breaks that logic. Bugger. I need to address the AOL changing IP situation.
Looking back over the logs it appears that:
- gethostbyaddr - not all AOL IPs yield a host name; those that do resolve end in proxy.aol.com.
- UA always seems to contain AOL.
- The first three IP octets appear to be constant.
To address the AOL problem I'm currently thinking about changing to a technique where I identify AOL visitors based on UA (and maybe host name), use only the first three octets of AOL visitors' IPs and possibly appended with a hash of some sort per session. That would restore velocity traps to full function and I could re-implement the IP logic trap.
When dealing with shared IP pools such as AOL and others you need to put special time limits on the quarantine period, such as an hour instead of 24 hours.
Amazingly, many bad bots accept cookies because some sites won't work unless you accept cookies, so I feed them a session cookie and it tracks them across multiple IP addresses on AOL so once I flag the session as bad, you can run, hop IPs, whatever, but until you toss that cookie, you're still blocked ;)
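The keying scheme discussed in this thread, as an added example that is not code from either poster: AOL visitors (matched on a host name ending in proxy.aol.com, or on the UA) are keyed on the first three octets plus a hash of the session cookie, and shared-pool keys get the one-hour quarantine instead of 24 hours. The function names, thresholds, sample UA and addresses are assumptions made for illustration.

```python
import hashlib
import time

SHARED_POOL_QUARANTINE = 3600    # one hour for shared pools such as AOL
DEFAULT_QUARANTINE = 24 * 3600   # 24 hours for everyone else

def is_aol(user_agent, hostname=None):
    """Classify a visitor as AOL by reverse-DNS name or, failing that, by UA."""
    if hostname and hostname.lower().rstrip(".").endswith(".proxy.aol.com"):
        return True
    return "AOL" in (user_agent or "")   # UA is client-supplied: a hint, not proof

def visitor_key(ip, user_agent, hostname=None, session_id=None):
    """Trap key: full IP normally, first three octets plus session hash for AOL."""
    if not is_aol(user_agent, hostname):
        return ip
    prefix = ".".join(ip.split(".")[:3])
    if not session_id:
        return prefix + ".*"             # no cookie yet: the whole /24 shares one key
    digest = hashlib.sha256(session_id.encode()).hexdigest()[:12]
    return f"{prefix}.*#{digest}"

class VelocityTrap:
    """Quarantine a key that makes more than max_hits requests within window seconds."""
    def __init__(self, max_hits, window):
        self.max_hits, self.window = max_hits, window
        self.hits = {}            # key -> timestamps of recent requests
        self.blocked_until = {}   # key -> time the quarantine ends

    def allow(self, key, shared_pool, now=None):
        now = time.time() if now is None else now
        if self.blocked_until.get(key, 0) > now:
            return False
        recent = [t for t in self.hits.get(key, []) if now - t < self.window]
        recent.append(now)
        self.hits[key] = recent
        if len(recent) > self.max_hits:
            period = SHARED_POOL_QUARANTINE if shared_pool else DEFAULT_QUARANTINE
            self.blocked_until[key] = now + period
            return False
        return True

if __name__ == "__main__":
    ua = "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0)"   # constructed sample UA
    trap = VelocityTrap(max_hits=3, window=10)
    # Constructed requests: one session hopping between addresses in one /24.
    for t, ip in enumerate(["203.0.113.5", "203.0.113.77", "203.0.113.9", "203.0.113.200"]):
        key = visitor_key(ip, ua, session_id="constructed-session")
        print(ip, key, trap.allow(key, is_aol(ua), now=t))
```

Because the UA is supplied by the client, a visitor that omits "AOL" simply falls back to per-IP keying; visitors without a cookie share one key per /24, which is why the shorter quarantine matters for that pool.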