void
analyze_country_enter_cb(int result, char type, int count, int ttl,
void *addresses, void *arg)
{
struct country_state *state = arg;
struct addr *src = &state->src;
struct keycount tmpkey, *key;
char tld[20];
if (result != DNS_ERR_NONE || count != 1 || type != DNS_PTR) {
/* Enter into our negative cache */
if (!state->result_from_cache) {
tmpkey.key = &src->addr_ip;
tmpkey.keylen = sizeof(src->addr_ip);
key = SPLAY_FIND(kctree, &country_cache, &tmpkey);
if (!key) {
key = keycount_new(
&src->addr_ip,
sizeof(src->addr_ip),
NULL, NULL);
SPLAY_INSERT(kctree, &country_cache, key);
}
count_increment(key->count, 1);
}
strlcpy(tld, "unknown", sizeof(tld));
} else {
const char *hostname = *(char **)addresses;
int i;
/* Extract the country key */
for (i = strlen(hostname) - 1; i >= 0; --i) {
if (hostname[i] == '.') {
i += 1;
break;
}
}
strlcpy(tld, hostname + i, sizeof(tld));
for (i = 0; i < strlen(tld); i++) {
if (isdigit(tld[i])) {
strlcpy(tld, "unknown", sizeof(tld));
break;
}
tld[i] = tolower(tld[i]);
}
}
tmpkey.key = tld;
tmpkey.keylen = strlen(tmpkey.key) + 1;
if ((key = SPLAY_FIND(kctree, &countries, &tmpkey)) == NULL) {
key = keycount_new(tld, strlen(tld) + 1, aux_create, aux_free);
SPLAY_INSERT(kctree, &countries, key);
}
/* If the address is new, we are going to resolve it */
if (aux_enter(key->auxilary, port_hash(&state->src, &state->dst)))
count_increment(key->count, 1);
free(state);
}
static client_status_e update_client_status(client_t *client, dosdetector_dir_config *cfg, time_t now)
{
client_status_e status = NORMAL;
count_increment(client, cfg->threshold);
if(client->suspected > 0 && client->suspected + cfg->ban_period > now) {
status = SUSPECTED;
if(client->count > cfg->ban_threshold) {
status = SUSPECTED_HARD;
if(client->hard_suspected == 0) status = SUSPECTED_HARD_FIRST;
client->hard_suspected = now;
}
} else {
if(client->suspected > 0) {
client->suspected = 0;
client->hard_suspected = 0;
client->count = 0;
}
if(client->count > cfg->threshold) {
status = SUSPECTED_FIRST;
client->suspected = now;
}
}
return status;
}
void
count_print(FILE *fout, struct count *count, char *name)
{
/* Update the statistics */
count_increment(count, 0);
count_internal_print(fout, count, name);
}
void
analyze_spammer_enter(const struct addr *src, uint32_t bytes)
{
struct keycount tmpkey, *key;
tmpkey.key = &src->addr_ip;
tmpkey.keylen = sizeof(src->addr_ip);
if ((key = SPLAY_FIND(kctree, &spammers, &tmpkey)) == NULL) {
key = keycount_new(&src->addr_ip, sizeof(src->addr_ip),
NULL, NULL);
SPLAY_INSERT(kctree, &spammers, key);
}
count_increment(key->count, bytes);
}
void
analyze_os_enter(const struct addr *addr, const char *osfp)
{
struct keycount tmpkey, *key;
tmpkey.key = osfp;
tmpkey.keylen = strlen(osfp) + 1;
if ((key = SPLAY_FIND(kctree, &oses, &tmpkey)) == NULL) {
key = keycount_new(osfp, strlen(osfp) + 1,
aux_create, aux_free);
SPLAY_INSERT(kctree, &oses, key);
}
/* If the address is new, we are going to increase the counter */
if (aux_enter(key->auxilary, addr->addr_ip))
count_increment(key->count, 1);
}
void
analyze_port_enter(uint16_t port,
const struct addr *src, const struct addr *dst)
{
struct keycount tmpkey, *key;
tmpkey.key = &port;
tmpkey.keylen = sizeof(port);
if ((key = SPLAY_FIND(kctree, &ports, &tmpkey)) == NULL) {
key = keycount_new(&port, sizeof(port),
aux_create, aux_free);
SPLAY_INSERT(kctree, &ports, key);
}
/* If the address is new, we are going to increase the counter */
if (aux_enter(key->auxilary, port_hash(src, dst)))
count_increment(key->count, 1);
}
uint32_t
count_get_day(struct count *count)
{
count_increment(count, 0);
return (count_get_sum(&count->hours));
}
uint32_t
count_get_hour(struct count *count)
{
count_increment(count, 0);
return (count_get_sum(&count->minutes));
}
uint32_t
count_get_minute(struct count *count)
{
count_increment(count, 0);
return (count_get_sum(&count->seconds));
}
void WorkerSemaphore::notify()
{
count_increment();
m_cond.notify_one();
}
static int dosdetector_handler(request_rec *r)
{
//DEBUGLOG("dosdetector_handler is called");
dosdetector_dir_config *cfg = (dosdetector_dir_config *) ap_get_module_config(r->per_dir_config, &dosdetector_module);
if(cfg->detection) return DECLINED;
if (!ap_is_initial_req(r)) return DECLINED;
//char **ignore_contenttype = (char **) cfg->ignore_contenttype->elts;
const char *content_type;
const char *address_tmp;
const char *address = NULL;
int i;
content_type = ap_sub_req_lookup_uri(r->uri, r, NULL)->content_type;
if (!content_type) {
#if (AP_SERVER_MINORVERSION_NUMBER > 2)
content_type = DefaultContentType;
#else
content_type = ap_default_type(r);
#endif
}
if (cfg->forwarded){
if ((address_tmp = apr_table_get(r->headers_in, "X-Forwarded-For")) != NULL){
const char *i = address_tmp;
while(*i != 0 && *i != ',')
i++;
address = apr_pstrndup(r->pool, address_tmp, i - address_tmp);
}
}
if (address == NULL) {
#if (AP_SERVER_MINORVERSION_NUMBER > 2)
address = r->connection->client_ip;
#else
address = r->connection->remote_ip;
#endif
}
ap_regmatch_t regmatch[AP_MAX_REG_MATCH];
ap_regex_t **contenttype_regexp = (ap_regex_t **) cfg->contenttype_regexp->elts;
for (i = 0; i < cfg->contenttype_regexp->nelts; i++) {
if(!ap_regexec(contenttype_regexp[i], content_type, AP_MAX_REG_MATCH, regmatch, 0)){
//ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, 0, "ignoring content-type: %s", content_type);
return OK;
}
}
DEBUGLOG("dosdetector: processing content-type: %s", content_type);
struct in_addr addr;
if(!cfg->forwarded) {
#if (AP_SERVER_MINORVERSION_NUMBER > 2)
addr = r->connection->client_addr->sa.sin.sin_addr;
#else
addr = r->connection->remote_addr->sa.sin.sin_addr;
#endif
}
if(cfg->forwarded || addr.s_addr == 0){
if (inet_aton(address, &addr) == 0) {
TRACELOG("dosdetector: '%s' is not a valid IP addresss", address);
return DECLINED;
}
}
if (lock) apr_global_mutex_lock(lock);
client_t *client = get_client(client_list, addr, cfg->period);
if (lock) apr_global_mutex_unlock(lock);
#ifdef _DEBUG
int last_count = client->count;
#endif
count_increment(client, cfg->threshold);
DEBUGLOG("dosdetector: %s, count: %d -> %d, interval: %d", address, last_count, client->count, (int)client->interval);
//DEBUGLOG("dosdetector: %s, count: %d -> %d, interval: %d on tid %d, pid %d", address, last_count, client->count, (int)client->interval, gettid(), getpid());
time_t now = time((time_t *)0);
if(client->suspected > 0 && client->suspected + cfg->ban_period > now){
apr_table_setn(r->subprocess_env, "SuspectDoS", "1");
//apr_table_setn(r->notes, "SuspectDoS", "1");
DEBUGLOG("dosdetector: '%s' has been still suspected as DoS attack! (suspected %d sec ago)", address, now - client->suspected);
if(client->count > cfg->ban_threshold){
if(client->hard_suspected == 0)
TRACELOG("dosdetector: '%s' is suspected as Hard DoS attack! (counter: %d)", address, client->count);
client->hard_suspected = now;
apr_table_setn(r->subprocess_env, "SuspectHardDoS", "1");
//apr_table_setn(r->notes, "SuspectHardDoS", "1");
}
} else {
if(client->suspected > 0){
client->suspected = 0;
client->hard_suspected = 0;
client->count = 0;
}
//int last_count = client->count;
//client->count = client->count - client->interval * cfg->threshold;
//if(client->count < 0)
// client->count = 0;
//client->count ++;
//DEBUGLOG("client address: %s, count: %d -> %d, interval: %d", address, last_count, client->count, client->interval);
if(client->count > cfg->threshold){
client->suspected = now;
apr_table_setn(r->subprocess_env, "SuspectDoS", "1");
//apr_table_setn(r->notes, "SuspectDoS", "1");
TRACELOG("dosdetector: '%s' is suspected as DoS attack! (counter: %d)", address, client->count);
}
}
return DECLINED;
}
