pub const PER_SOURCE_BUCKETS: usize = 256;Expand description
Number of bounded buckets for the per-source connect-rate counter.
incr! requires a &'static str, so per-IP labelling would either need
runtime Box::leak per unique source (unbounded under SYN flood — direct
OWASP A05 / NIST SP 800-92 cardinality-blow-up risk) or a fixed bucket
table. We pick the bucket table: 256 static labels precomputed at startup,
each masked subnet hashes into one of them.
Bucket-noise vs per-IP fidelity is a deliberate trade. Operators wanting per-IP attribution should pair these counters with structured access logs or a downstream rate-limiter; the metric here is for “is some /24 spamming us right now?”, not “which IP exactly”. 256 buckets keep the memory + UDP statsd cost flat regardless of attacker effort.