diff --git a/router/java/src/net/i2p/router/Banlist.java b/router/java/src/net/i2p/router/Banlist.java
index 113f4a6699..38a76dfbd2 100644
--- a/router/java/src/net/i2p/router/Banlist.java
+++ b/router/java/src/net/i2p/router/Banlist.java
@@ -69,6 +69,15 @@ public class Banlist {
     public final static long BANLIST_DURATION_NO_NETWORK = 30*24*60*60*1000L;
     public final static long BANLIST_DURATION_LOCALHOST = 2*60*60*1000;
     private final static long BANLIST_CLEANER_START_DELAY = BANLIST_DURATION_PARTIAL;
+
+    /**
+     *  A ban that expires after this will return true in isBanlistedForever().
+     *  In the transports, "forever" is treated as a hard ban, and both
+     *  inbound and outbound connections will be rejected.
+     *  Not-forever is treated as a soft ban, with outbound rejected
+     *  but inbound will be allowed and will automatically unban.
+     */
+    private static final long BANLIST_FOREVER_THRESHOLD = 24*60*60*1000L;
     
     public Banlist(RouterContext context) {
         _context = context;
@@ -336,9 +345,12 @@ public class Banlist {
         return rv;
     }
     
+    /**
+     *  @return true if banned and expires more than 24 hours from now
+     */
     public boolean isBanlistedForever(Hash peer) {
         Entry entry = _entries.get(peer);
-        return entry != null && entry.expireOn > _context.clock().now() + 2*24*60*60*1000L;
+        return entry != null && entry.expireOn > _context.clock().now() + BANLIST_FOREVER_THRESHOLD;
     }
 
     /** @deprecated moved to router console */
diff --git a/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java b/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
index 78144891cc..a678d3c935 100644
--- a/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
+++ b/router/java/src/net/i2p/router/transport/udp/InboundEstablishState2.java
@@ -253,8 +253,11 @@ class InboundEstablishState2 extends InboundEstablishState implements SSU2Payloa
             // see SSU2Payload: RI format error, signature was verified there, so we can take action
             _context.blocklist().add(_aliceIP);
             Hash h = _receivedUnconfirmedIdentity.calculateHash();
+            // these really hammer the floodfills, so reduce the time on floodfills
+            // so the banlist doesn't get huge
+            long time = _context.netDb().floodfillEnabled() ? 36*60*60*1000 : 4*24*60*60*1000;
             _context.banlist().banlistRouter(h, "Signed bad RI", null,
-                                             null, _context.clock().now() + 4*24*60*60*1000);
+                                             null, _context.clock().now() + time);
             throw new RIException("RI DFE " + h.toBase64(), REASON_BANNED);
         }