# Anti-flood tuning knobs. "trydef" only sets a value when the caller has not
# already defined it, so an including config can override any of these.
#   ANTIFLOOD_RATE_WINDOW       pike sampling window (seconds)
#   ANTIFLOOD_RATE_DENSITY      requests per window from one source before pike trips
#   ANTIFLOOD_RATE_EXPIRE       pike "remove_latency" value
#   ANTIFLOOD_FAILED_AUTH_WINDOW   seconds a username stays blocked after too many
#                                  failed authentications
#   ANTIFLOOD_FAILED_AUTH_DENSITY  failed authentications before the block kicks in
#!trydef ANTIFLOOD_RATE_WINDOW 2
#!trydef ANTIFLOOD_RATE_DENSITY 50
#!trydef ANTIFLOOD_RATE_EXPIRE 4
#!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 120
#!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 3

######## Flood Prevention Hash Tables ########
# ipban: source IPs that pike has flagged; entries expire on their own after
# 300s, which is the only thing that un-bans an address (no explicit delete below).
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")
# failed_auth_hash: per-username failure counter ("<user>::count") and last-failure
# timestamp ("<user>::last"). autoexpire (125s) is slightly longer than
# ANTIFLOOD_FAILED_AUTH_WINDOW (120s) so a counter outlives its block window;
# NOTE(review): if the WINDOW define is overridden upward the 125s expiry is not
# adjusted with it — confirm the two stay in step.
modparam("htable", "htable", "failed_auth_hash=>size=8;autoexpire=125;")

######## Flood Prevention Module ########
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", ANTIFLOOD_RATE_WINDOW)
modparam("pike", "reqs_density_per_unit", ANTIFLOOD_RATE_DENSITY)
modparam("pike", "remove_latency", ANTIFLOOD_RATE_EXPIRE)

# Per-request source-IP rate limit. Drops the request (drop + exit) when the
# source is already banned or when pike reports the rate exceeded; returns
# normally otherwise. In-dialog requests (To-tag present) and sources carrying
# FLAG_TRUSTED_SOURCE are exempt — FLAG_TRUSTED_SOURCE is set elsewhere in the
# config, presumably before this route is called; confirm.
route[ANTIFLOOD_RATE_LIMIT] {
    xlog("$ci|log|maybe allow $si:$sp");

    if (has_totag() || isflagset(FLAG_TRUSTED_SOURCE)) {
        return;
    }

    # Banned sources are dropped before pike sees them, so they never refresh
    # pike's counters; only the htable autoexpire lifts the ban.
    if($sht(ipban=>$si)!=$null) {
        # ip is already blocked
        xlog("$ci|log|dropping $rm request from $fu with banned IP $si:$sp");
        drop();
        exit;
    }

    # use pike to control the rates
    # A pike trip bans the source IP in ipban (value 1; only presence is tested).
    if (!pike_check_req()) {
        xlog("L_WARN", "$ci|log|pike dropping $rm from $fu due to rate of requests with source $si:$sp");
        $sht(ipban=>$si) = 1;
        drop();
        exit;
    }
}

# Failed-authentication throttle, keyed by $Au (username; per Kamailio docs the
# auth username, falling back to the From username — confirm for this setup).
# Returns 1 when the request may proceed to authentication and -1 when the
# username is currently blocked; the caller is expected to test the return value.
# NOTE(review): the route name is spelled ANITFLOOD (sic); callers presumably
# reference that spelling, so it is left unchanged here.
# NOTE(review): the key is the username, not the source IP, so failures from any
# source count against the account and a blocked username is refused from every
# source for the window — confirm this lock-out trade-off is acceptable.
route[ANITFLOOD_AUTH_LIMIT] {
    if (isflagset(FLAG_TRUSTED_SOURCE)) {
        return(1);
    }

    if($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
        # Oldest "last failure" time still inside the block window.
        $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
        if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
            # Still blocked: refreshing "last" extends the block by a full
            # window on every attempt (sliding, not fixed, window).
            $sht(failed_auth_hash=>$Au::last) = $Ts;
            xlog("L_WARN", "$ci|log|ignoring erroneous endpoint registrations from $ct for $Au");
            return(-1);
        } else {
            # Window elapsed: reset the counter and let this attempt through.
            $sht(failed_auth_hash=>$Au::count) = 0;
        }
    }
    return(1);
}

# Records one failed authentication for $Au: bumps "<user>::count" (creating it
# at 0 first if absent) and stamps "<user>::last" with the current time ($Ts).
# Trusted sources are not counted. Expected to be called from the auth failure
# path; the caller is elsewhere in the config.
route[ANITFLOOD_FAILED_AUTH] {
    if (isflagset(FLAG_TRUSTED_SOURCE)) {
        return;
    }

    if($sht(failed_auth_hash=>$Au::count) == $null) {
        $sht(failed_auth_hash=>$Au::count) = 0;
    }
    # Read-modify-write, not atomic; concurrent failures for the same username
    # may under-count by one — acceptable here since it only delays the block.
    $sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
    $sht(failed_auth_hash=>$Au::last) = $Ts;
}