Some other thoughts...
It looks like your current methodology is for non-white listed clients, to check if they're already identified as a spammer. If not, add them to a user array with a timestamp. If they surpass the max TCP connection count within a given timeframe, add them to the spammers array. The only time a spammer is removed from the spammer array is if they make subsequent requests without exceeding the request/timeframe threshold. A user IP is never cleared.
You could use the session table (
Click here) instead of arrays. There is a native timeout option when adding entries to the table. I'm not sure what the upper limits are on the number of records the session table can hold though. You could create a single entry per client IP address. I think this would be more efficient than maintaining separate lists of users and the "spammers".
You'd end up with an even smaller number of records if you only tracked current connections--rather than the connections over a period of time. The session table entry would contain the client IP address and a count of current connections. You could check if the count is over the maximum for each request before allowing the request. You could add logic to decrement the count in CLIENT_CLOSED, when the TCP connection is closed.
If you did want to track connections over a period of time and enforce a threshold, I think you'd need to stick with an array. There isn't a method for counting the number of session table entries that match a session key. There has been mention of this, but I haven't seen any concrete info.
An example command to add an entry would be:
session add uie [IP::client_addr] $count $timeout_in_seconds
You can get the count for the particular client using:
set count [session lookup uie [IP::client_addr]]
Aaron