Module ipset_ddos

Kernel-level DDoS protection backed by Linux ipset + iptables

The production implementation of [hashiverse_lib::transport::ddos::ddos::DdosProtection] used by the real server. It is layered on top of the in-RAM scoring logic from hashiverse-lib:

  1. A per-IP DdosScore accumulates penalties for bad requests (e.g. invalid PoW, malformed packets) and decays linearly over time at [hashiverse_lib::tools::config::SERVER_DDOS_DECAY_PER_SECOND].
  2. When a score crosses [hashiverse_lib::tools::config::SERVER_DDOS_SCORE_THRESHOLD], the IP is added, via a shelled-out ipset add, to the set named by [hashiverse_lib::tools::config::SERVER_DDOS_IPSET_SET_NAME]; an operator-configured iptables rule matching that set then drops the traffic in the kernel.
  3. A short (≥10 s) throttle around the ipset call prevents the subprocess from being spawned repeatedly in edge cases.

Per-IP concurrent-connection caps are enforced via a HashMap<String, usize> guarded by a parking_lot::Mutex, so a single IP cannot monopolise all [hashiverse_lib::tools::config::SERVER_DDOS_MAX_CONNECTIONS_PER_IP] slots. The NET_ADMIN capability is required on the container; see the operator docs.
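The following is an added, self-contained sketch of the three mechanisms described above (decaying per-IP score, threshold-triggered ban with a ≥10 s throttle, per-IP connection cap). It is example code, not the crate's IpsetDdosProtection. Assumptions: the constant values and the set name example_ddos_set are placeholders for the real config values; the ban is recorded as an argv vector instead of being executed, so nothing is shelled out; time is a caller-supplied logical clock in seconds; std::sync::Mutex stands in for parking_lot::Mutex; and maps are keyed by std::net::IpAddr rather than String so that only a parsed address can ever reach the subprocess.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::sync::Mutex;

// Placeholder values; the real ones live in hashiverse_lib::tools::config.
const DECAY_PER_SECOND: f64 = 1.0;       // stands in for SERVER_DDOS_DECAY_PER_SECOND
const SCORE_THRESHOLD: f64 = 10.0;       // stands in for SERVER_DDOS_SCORE_THRESHOLD
const MAX_CONNECTIONS_PER_IP: usize = 4; // stands in for SERVER_DDOS_MAX_CONNECTIONS_PER_IP
const BAN_THROTTLE_SECS: f64 = 10.0;     // the ">=10 s" throttle around the ipset call
const SET_NAME: &str = "example_ddos_set"; // placeholder for SERVER_DDOS_IPSET_SET_NAME

/// Per-IP score with linear decay; `now` is seconds on a caller-supplied logical clock.
#[derive(Debug, Clone, Copy)]
struct Score {
    value: f64,
    last_update: f64,
}

impl Score {
    fn penalize(&mut self, now: f64, penalty: f64) -> f64 {
        // A clock that goes backwards is treated as "no time elapsed".
        let elapsed = (now - self.last_update).max(0.0);
        self.value = (self.value - elapsed * DECAY_PER_SECOND).max(0.0) + penalty;
        self.last_update = now;
        self.value
    }
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allowed(f64), // current score, still under the threshold
    Banned,       // threshold crossed; an `ipset add` would be issued now
    BanThrottled, // threshold crossed, but ipset was already called for this IP < 10 s ago
}

/// argv for the ban. The IP is a separate argv element typed as IpAddr, never
/// interpolated into a shell string, so request-controlled bytes cannot become shell syntax.
pub fn ipset_add_argv(ip: IpAddr) -> Vec<String> {
    vec!["ipset".into(), "add".into(), SET_NAME.into(), ip.to_string()]
}

pub struct DdosGuard {
    scores: Mutex<HashMap<IpAddr, Score>>,
    connections: Mutex<HashMap<IpAddr, usize>>,
    last_ban: Mutex<HashMap<IpAddr, f64>>,
    // What a real implementation would hand to std::process::Command; recorded, not run.
    issued: Mutex<Vec<Vec<String>>>,
}

impl DdosGuard {
    pub fn new() -> Self {
        DdosGuard {
            scores: Mutex::new(HashMap::new()),
            connections: Mutex::new(HashMap::new()),
            last_ban: Mutex::new(HashMap::new()),
            issued: Mutex::new(Vec::new()),
        }
    }

    /// Apply a penalty for a bad request and decide whether the IP gets banned.
    pub fn record_penalty(&self, ip: IpAddr, penalty: f64, now: f64) -> Verdict {
        let mut scores = self.scores.lock().unwrap();
        let entry = scores.entry(ip).or_insert(Score { value: 0.0, last_update: now });
        let score = entry.penalize(now, penalty);
        if score < SCORE_THRESHOLD {
            return Verdict::Allowed(score);
        }
        // Throttle: do not spawn ipset again for this IP within BAN_THROTTLE_SECS.
        let mut last_ban = self.last_ban.lock().unwrap();
        if let Some(t) = last_ban.get(&ip) {
            if now - t < BAN_THROTTLE_SECS {
                return Verdict::BanThrottled;
            }
        }
        last_ban.insert(ip, now);
        self.issued.lock().unwrap().push(ipset_add_argv(ip));
        Verdict::Banned
    }

    pub fn issued_commands(&self) -> Vec<Vec<String>> {
        self.issued.lock().unwrap().clone()
    }

    /// Reserve a connection slot; false means this IP already holds the maximum.
    pub fn try_connect(&self, ip: IpAddr) -> bool {
        let mut conns = self.connections.lock().unwrap();
        let n = conns.entry(ip).or_insert(0);
        if *n >= MAX_CONNECTIONS_PER_IP {
            return false;
        }
        *n += 1;
        true
    }

    /// Release a slot; the entry is dropped at zero so the map cannot grow without bound.
    pub fn disconnect(&self, ip: IpAddr) {
        let mut conns = self.connections.lock().unwrap();
        let empty = match conns.get_mut(&ip) {
            Some(n) => { *n = n.saturating_sub(1); *n == 0 }
            None => false,
        };
        if empty {
            conns.remove(&ip);
        }
    }
}
```

Locks are always taken in the order scores, last_ban, issued, which keeps the example deadlock-free; the throttle is keyed per IP so one address that keeps crossing the threshold before the kernel rule takes effect cannot spawn ipset more than once per BAN_THROTTLE_SECS.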

Structs

IpsetDdosProtection
Production DDoS protection backed by Linux ipset.