jameshloving
commented
7 years ago No to FILO: adversary could just fill up device_log and wait. If >1 legitimate devices attempt to connect, all but 1 of them will not be logged. (log at 1000/1000 capacity. device A connects, kicks out device #1000, which was spoofed. device B connects, kicks device A off of log. device A reconnects, kicks device B off. etc...)
Options: FILO, shortest-total-time (would require tracking "last seen" per device)