You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
87 lines
2.6 KiB
87 lines
2.6 KiB
#!trydef ANTIFLOOD_RATE_WINDOW 2
|
|
#!trydef ANTIFLOOD_RATE_DENSITY 50
|
|
#!trydef ANTIFLOOD_RATE_EXPIRE 4
|
|
#!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 300
|
|
#!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 4
|
|
|
|
######## Flood Prevention Hash Tables ########
|
|
modparam("htable", "htable", "failed_auth_hash=>size=16;autoexpire=3600;")
|
|
|
|
######## Flood Prevention Module ########
|
|
loadmodule "pike.so"
|
|
modparam("pike", "sampling_time_unit", ANTIFLOOD_RATE_WINDOW)
|
|
modparam("pike", "reqs_density_per_unit", ANTIFLOOD_RATE_DENSITY)
|
|
modparam("pike", "remove_latency", ANTIFLOOD_RATE_EXPIRE)
|
|
|
|
|
|
route[ANTIFLOOD_RATE_LIMIT]
|
|
{
|
|
if (has_totag() || isflagset(FLAG_TRUSTED_SOURCE)) {
|
|
return;
|
|
}
|
|
|
|
# use pike to control the rates
|
|
if (!pike_check_req()) {
|
|
xlog("L_WARN", "$ci|end|dropping request from $fu due to rate of requests with source $si:$sp");
|
|
drop();
|
|
exit;
|
|
}
|
|
}
|
|
|
|
route[ANITFLOOD_AUTH_LIMIT]
|
|
{
|
|
if (isflagset(FLAG_TRUSTED_SOURCE)) {
|
|
return(1);
|
|
}
|
|
|
|
if ($Au != $null &&
|
|
$sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
|
|
) {
|
|
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
|
|
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
|
|
xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
|
|
append_to_reply("Retry-After: 3600\r\n");
|
|
sl_send_reply("500", "Retry Later");
|
|
exit;
|
|
} else {
|
|
$sht(failed_auth_hash=>$Au::count) = 0;
|
|
}
|
|
}
|
|
}
|
|
|
|
route[ANTIFLOOD_SUCCESSFUL_AUTH]
|
|
{
|
|
if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) {
|
|
$sht(failed_auth_hash=>$Au::count) = $null;
|
|
}
|
|
|
|
if ($Au != $null && $sht(failed_auth_hash=>$Au::last) != $null) {
|
|
$sht(failed_auth_hash=>$Au::last) = $null;
|
|
}
|
|
}
|
|
|
|
route[ANITFLOOD_FAILED_AUTH]
|
|
{
|
|
if (isflagset(FLAG_TRUSTED_SOURCE)) {
|
|
return;
|
|
}
|
|
|
|
if($sht(failed_auth_hash=>$Au::count) == $null) {
|
|
$sht(failed_auth_hash=>$Au::count) = 0;
|
|
}
|
|
|
|
$sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
|
|
$sht(failed_auth_hash=>$Au::last) = $Ts;
|
|
|
|
xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp");
|
|
|
|
if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) {
|
|
$var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
|
|
if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
|
|
xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
|
|
append_to_reply("Retry-After: 3600\r\n");
|
|
sl_send_reply("500", "Retry Later");
|
|
exit;
|
|
}
|
|
}
|
|
}
|