The fines system is an internal Kaspersky DDoS Protection mechanism. It assigns scores to IP addresses based on their activity and blocks them if necessary.
Various Kaspersky DDoS Protection filtering rules can charge fines. If a filtering rule detects suspicious activity from an IP address, it fines that address. Each IP address has its own fine counter.
Fines can accumulate. When the total amount of fines reaches 50, the IP address is blocked automatically. Each fine has a TTL. After TTL expires, the fine is no longer counted. When the total falls below 50, the block is removed automatically.
The System also supports negative fines. If an IP address has a negative total fine value, it is considered trusted: its traffic is not filtered, and it won't be fined again until its total becomes positive.