We are facing a similar DDoS situation to yours. I'm developing a module
which can deny individual IPs. The module can get the IPs with a
POST request from a commander server in the intranet. If you have some
suggestions, you can contact me.

Being able to interrogate the server for a list of bad IPs is an
excellent idea, it would allow people to make their own firewall-block
The main suggestion I have is that the module supports this kind of
If an IP has requested more than X pages in the last Y seconds, then
serve only 503 errors to that IP for the next Z seconds, and use at most
W megabytes of RAM for the bad-IP pool.
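
The rule proposed in the reply above, as an added example (not code from the module under discussion or from either poster). The class and method names are hypothetical, and the `max_entries` cap is an assumed stand-in for the W-megabyte limit.

```python
import time
from collections import OrderedDict, deque

class BadIpPool:
    """More than X requests in Y seconds => 503 for the next Z seconds."""

    def __init__(self, x, y, z, max_entries, clock=time.monotonic):
        self.x, self.y, self.z = x, y, z
        # Assumption: W megabytes is approximated by an entry cap. Each entry
        # holds at most x + 1 timestamps, so total memory is bounded.
        self.max_entries = max_entries
        self.clock = clock          # injectable so the logic can be tested
        self.pool = OrderedDict()   # ip -> [recent hit times, banned_until]

    def status_for(self, ip):
        """Return the HTTP status to serve for one request from ip."""
        now = self.clock()
        entry = self.pool.setdefault(ip, [deque(), 0.0])
        self.pool.move_to_end(ip)   # mark as most recently seen
        # Evict the least recently seen IPs. An IP that keeps sending while
        # banned stays at the fresh end, so its ban is not evicted first.
        while len(self.pool) > self.max_entries:
            self.pool.popitem(last=False)
        hits, banned_until = entry
        if now < banned_until:
            return 503
        hits.append(now)
        while hits and hits[0] <= now - self.y:   # drop hits older than Y
            hits.popleft()
        if len(hits) > self.x:
            entry[1] = now + self.z      # start the Z-second penalty
            hits.clear()
            return 503
        return 200

if __name__ == "__main__":
    # Constructed demo: X=3 pages, Y=10 s, Z=30 s, pool capped at 1000 IPs.
    pool = BadIpPool(x=3, y=10, z=30, max_entries=1000)
    print([pool.status_for("192.0.2.1") for _ in range(5)])
```

Sizing `max_entries` from W requires measuring the per-entry cost in the real implementation; when the cap is too small for the number of distinct clients, idle entries (including expired or quiet bans) are dropped first.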