Personally I think for an application like Rabbit (I'm not familiar with this) to connect to '5' primaries that just happen to be 5 'modified client' faker monitors would be immensly unlikely. I don't know how many primaries are generally active on the WPN, maybe 10-20,000 at any given time (?), and say 10 of those are 'faker monitors', well, what chance would there be for a single client call upon a cache or caches and receive the addresses of, and connect to, '5' of those 10 monitors from a pool of 10-20,000?
I agree about the monitoring for multiple connection attempts problem. I've seen it myself where some fakers will only attempt to connect a 'single' time, whereas others will hammer on all day. Just mentioned it as being at least one thing that fakers tend to do that normal clients don't.
"there is also the idea of having a primary that receives the shared files list from the client, then checks that for flooders" - I can't imagine how you'd go about checking such a client unless by a rudimentary shared-files path check or something (user+files?).
Anyway, I'll leave it be now. Good luck with the mission, maybe one day you'll actually have an impact (not meaning to be mean, but... (and you'd probably be a damn site more effective if not for 'the others';) )). :PP
attack suggestion removed - perhaps it has already been done? but don't want to give people ideas[/edit]