Module ipset_ddos 

Kernel-level DDoS protection backed by Linux ipset + iptables

The production implementation of hashiverse_lib::transport::ddos::ddos::DdosProtection used by the real server. Layered on top of the in-RAM scoring logic from hashiverse-lib:

1. Per-IP DdosScore accumulates penalties for bad requests (e.g. invalid PoW, malformed packets) with linear time decay from hashiverse_lib::tools::config::SERVER_DDOS_DECAY_PER_SECOND.
2. When a score crosses hashiverse_lib::tools::config::SERVER_DDOS_SCORE_THRESHOLD, the IP is shelled out to ipset add against the set named by hashiverse_lib::tools::config::SERVER_DDOS_IPSET_SET_NAME, which an operator-configured iptables rule then drops at the kernel.
3. A short (≥10 s) throttle around the ipset call prevents hammering the subprocess in edge cases.

Per-IP concurrent-connection caps are enforced via a HashMap<String, usize> guarded by a parking_lot::Mutex, cutting off a single IP from monopolising all hashiverse_lib::tools::config::SERVER_DDOS_MAX_CONNECTIONS_PER_IP slots. The NET_ADMIN capability is required on the container — see the operator docs.

Structs

IpsetDdosProtection

Production DDoS protection backed by Linux ipset.