Adding one more safety belt for potential DOS attacks
For cases, where request blocking is activated (returning 429 status code for repeated requests), one more check was added: When such a block happens more than 15 times in a minute on the same URL from the same user, more requests for the same URL and user will be blocked until the minute is over. The user seese the message "This web server is only open for interactive usage".
Background: While request blocking works well for interactive users, it might not be sufficient for web clients running wild. Normally, after a 429, the user can reload the page to receive the content of a page. This leads to a sequence of requests of interleaved 200 and 429 status codes, which might be ignored by a bot (or ad DOS attack). When the requested page is slow, this can bring a server to its knees.
When request blocking is deactivated, this change has no effect.