void analyze_country_enter_cb(int result, char type, int count, int ttl, void *addresses, void *arg) { struct country_state *state = arg; struct addr *src = &state->src; struct keycount tmpkey, *key; char tld[20]; if (result != DNS_ERR_NONE || count != 1 || type != DNS_PTR) { /* Enter into our negative cache */ if (!state->result_from_cache) { tmpkey.key = &src->addr_ip; tmpkey.keylen = sizeof(src->addr_ip); key = SPLAY_FIND(kctree, &country_cache, &tmpkey); if (!key) { key = keycount_new( &src->addr_ip, sizeof(src->addr_ip), NULL, NULL); SPLAY_INSERT(kctree, &country_cache, key); } count_increment(key->count, 1); } strlcpy(tld, "unknown", sizeof(tld)); } else { const char *hostname = *(char **)addresses; int i; /* Extract the country key */ for (i = strlen(hostname) - 1; i >= 0; --i) { if (hostname[i] == '.') { i += 1; break; } } strlcpy(tld, hostname + i, sizeof(tld)); for (i = 0; i < strlen(tld); i++) { if (isdigit(tld[i])) { strlcpy(tld, "unknown", sizeof(tld)); break; } tld[i] = tolower(tld[i]); } } tmpkey.key = tld; tmpkey.keylen = strlen(tmpkey.key) + 1; if ((key = SPLAY_FIND(kctree, &countries, &tmpkey)) == NULL) { key = keycount_new(tld, strlen(tld) + 1, aux_create, aux_free); SPLAY_INSERT(kctree, &countries, key); } /* If the address is new, we are going to resolve it */ if (aux_enter(key->auxilary, port_hash(&state->src, &state->dst))) count_increment(key->count, 1); free(state); }
static client_status_e update_client_status(client_t *client, dosdetector_dir_config *cfg, time_t now) { client_status_e status = NORMAL; count_increment(client, cfg->threshold); if(client->suspected > 0 && client->suspected + cfg->ban_period > now) { status = SUSPECTED; if(client->count > cfg->ban_threshold) { status = SUSPECTED_HARD; if(client->hard_suspected == 0) status = SUSPECTED_HARD_FIRST; client->hard_suspected = now; } } else { if(client->suspected > 0) { client->suspected = 0; client->hard_suspected = 0; client->count = 0; } if(client->count > cfg->threshold) { status = SUSPECTED_FIRST; client->suspected = now; } } return status; }
void count_print(FILE *fout, struct count *count, char *name) { /* Update the statistics */ count_increment(count, 0); count_internal_print(fout, count, name); }
void analyze_spammer_enter(const struct addr *src, uint32_t bytes) { struct keycount tmpkey, *key; tmpkey.key = &src->addr_ip; tmpkey.keylen = sizeof(src->addr_ip); if ((key = SPLAY_FIND(kctree, &spammers, &tmpkey)) == NULL) { key = keycount_new(&src->addr_ip, sizeof(src->addr_ip), NULL, NULL); SPLAY_INSERT(kctree, &spammers, key); } count_increment(key->count, bytes); }
void analyze_os_enter(const struct addr *addr, const char *osfp) { struct keycount tmpkey, *key; tmpkey.key = osfp; tmpkey.keylen = strlen(osfp) + 1; if ((key = SPLAY_FIND(kctree, &oses, &tmpkey)) == NULL) { key = keycount_new(osfp, strlen(osfp) + 1, aux_create, aux_free); SPLAY_INSERT(kctree, &oses, key); } /* If the address is new, we are going to increase the counter */ if (aux_enter(key->auxilary, addr->addr_ip)) count_increment(key->count, 1); }
void analyze_port_enter(uint16_t port, const struct addr *src, const struct addr *dst) { struct keycount tmpkey, *key; tmpkey.key = &port; tmpkey.keylen = sizeof(port); if ((key = SPLAY_FIND(kctree, &ports, &tmpkey)) == NULL) { key = keycount_new(&port, sizeof(port), aux_create, aux_free); SPLAY_INSERT(kctree, &ports, key); } /* If the address is new, we are going to increase the counter */ if (aux_enter(key->auxilary, port_hash(src, dst))) count_increment(key->count, 1); }
uint32_t count_get_day(struct count *count) { count_increment(count, 0); return (count_get_sum(&count->hours)); }
uint32_t count_get_hour(struct count *count) { count_increment(count, 0); return (count_get_sum(&count->minutes)); }
uint32_t count_get_minute(struct count *count) { count_increment(count, 0); return (count_get_sum(&count->seconds)); }
void WorkerSemaphore::notify() { count_increment(); m_cond.notify_one(); }
static int dosdetector_handler(request_rec *r) { //DEBUGLOG("dosdetector_handler is called"); dosdetector_dir_config *cfg = (dosdetector_dir_config *) ap_get_module_config(r->per_dir_config, &dosdetector_module); if(cfg->detection) return DECLINED; if (!ap_is_initial_req(r)) return DECLINED; //char **ignore_contenttype = (char **) cfg->ignore_contenttype->elts; const char *content_type; const char *address_tmp; const char *address = NULL; int i; content_type = ap_sub_req_lookup_uri(r->uri, r, NULL)->content_type; if (!content_type) { #if (AP_SERVER_MINORVERSION_NUMBER > 2) content_type = DefaultContentType; #else content_type = ap_default_type(r); #endif } if (cfg->forwarded){ if ((address_tmp = apr_table_get(r->headers_in, "X-Forwarded-For")) != NULL){ const char *i = address_tmp; while(*i != 0 && *i != ',') i++; address = apr_pstrndup(r->pool, address_tmp, i - address_tmp); } } if (address == NULL) { #if (AP_SERVER_MINORVERSION_NUMBER > 2) address = r->connection->client_ip; #else address = r->connection->remote_ip; #endif } ap_regmatch_t regmatch[AP_MAX_REG_MATCH]; ap_regex_t **contenttype_regexp = (ap_regex_t **) cfg->contenttype_regexp->elts; for (i = 0; i < cfg->contenttype_regexp->nelts; i++) { if(!ap_regexec(contenttype_regexp[i], content_type, AP_MAX_REG_MATCH, regmatch, 0)){ //ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, 0, "ignoring content-type: %s", content_type); return OK; } } DEBUGLOG("dosdetector: processing content-type: %s", content_type); struct in_addr addr; if(!cfg->forwarded) { #if (AP_SERVER_MINORVERSION_NUMBER > 2) addr = r->connection->client_addr->sa.sin.sin_addr; #else addr = r->connection->remote_addr->sa.sin.sin_addr; #endif } if(cfg->forwarded || addr.s_addr == 0){ if (inet_aton(address, &addr) == 0) { TRACELOG("dosdetector: '%s' is not a valid IP addresss", address); return DECLINED; } } if (lock) apr_global_mutex_lock(lock); client_t *client = get_client(client_list, addr, cfg->period); if (lock) apr_global_mutex_unlock(lock); #ifdef _DEBUG int last_count = client->count; #endif count_increment(client, cfg->threshold); DEBUGLOG("dosdetector: %s, count: %d -> %d, interval: %d", address, last_count, client->count, (int)client->interval); //DEBUGLOG("dosdetector: %s, count: %d -> %d, interval: %d on tid %d, pid %d", address, last_count, client->count, (int)client->interval, gettid(), getpid()); time_t now = time((time_t *)0); if(client->suspected > 0 && client->suspected + cfg->ban_period > now){ apr_table_setn(r->subprocess_env, "SuspectDoS", "1"); //apr_table_setn(r->notes, "SuspectDoS", "1"); DEBUGLOG("dosdetector: '%s' has been still suspected as DoS attack! (suspected %d sec ago)", address, now - client->suspected); if(client->count > cfg->ban_threshold){ if(client->hard_suspected == 0) TRACELOG("dosdetector: '%s' is suspected as Hard DoS attack! (counter: %d)", address, client->count); client->hard_suspected = now; apr_table_setn(r->subprocess_env, "SuspectHardDoS", "1"); //apr_table_setn(r->notes, "SuspectHardDoS", "1"); } } else { if(client->suspected > 0){ client->suspected = 0; client->hard_suspected = 0; client->count = 0; } //int last_count = client->count; //client->count = client->count - client->interval * cfg->threshold; //if(client->count < 0) // client->count = 0; //client->count ++; //DEBUGLOG("client address: %s, count: %d -> %d, interval: %d", address, last_count, client->count, client->interval); if(client->count > cfg->threshold){ client->suspected = now; apr_table_setn(r->subprocess_env, "SuspectDoS", "1"); //apr_table_setn(r->notes, "SuspectDoS", "1"); TRACELOG("dosdetector: '%s' is suspected as DoS attack! (counter: %d)", address, client->count); } } return DECLINED; }