Yes, in normal conditions there are always two sessions from one address - TCP and UDP. But I wouldn't rely on this, what if everyone from one RDP server sits on another RDP server and they are happy with it?.. The idea is to ban exactly those who generate many sessions with zero orig-rate. If there is a session with a non-zero orig-rate, we place the address in the white-list and exclude it from checks. The solution is applicable not only to RDP, which is why I was interested.
Statistics: Posted by DenSyo77 — Mon Jan 15, 2024 2:42 am
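
The rule described in the post above, sketched as an added example that is not part of the original post and is not router configuration: it models the decision over polled connection-tracking rows. The row layout, the `evaluate` and `run_polls` helpers, the `zero_threshold` value and all addresses are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample: (source address, protocol, orig-rate in bits/s) per tracked session.
POLL_1 = (
    [("198.51.100.10", "tcp", 0)] * 8                           # many sessions, nothing sent
    + [("192.0.2.20", "tcp", 12000), ("192.0.2.20", "udp", 0)]  # normal client: tcp + udp
    + [("192.0.2.30", "tcp", 9000)] * 4
    + [("192.0.2.30", "tcp", 0)] * 8                            # many users behind one address
    + [("203.0.113.40", "tcp", 0)] * 2                          # idle, below the threshold
)
POLL_2 = [("192.0.2.20", "tcp", 0)] * 6  # the same client later, momentarily idle


def evaluate(sessions, whitelist, zero_threshold=5):
    """Update whitelist in place and return the set of addresses to ban.

    zero_threshold is a hypothetical tuning value, not taken from the post.
    """
    zero_sessions = Counter()
    for src, _proto, orig_rate in sessions:
        if orig_rate > 0:
            whitelist.add(src)  # any session that carries traffic clears the address
        else:
            zero_sessions[src] += 1
    # Decide only after the full pass, so row order cannot cause a false ban.
    return {
        src
        for src, count in zero_sessions.items()
        if count >= zero_threshold and src not in whitelist
    }


def run_polls():
    """Run both constructed polls against one persistent whitelist."""
    whitelist = set()
    bans = [evaluate(poll, whitelist) for poll in (POLL_1, POLL_2)]
    return bans, whitelist


if __name__ == "__main__":
    bans, whitelist = run_polls()
    print("ban per poll:", bans)
    print("whitelist:", sorted(whitelist))
```

Keeping the whitelist across polls is what stops the second poll from banning a client that was active earlier and is now idle.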