From: Matteo Nastasi (mop) Date: Sun, 1 Feb 2015 15:15:57 +0000 (+0100) Subject: add cloud smasher countermeasure X-Git-Tag: v4.18.0~1 X-Git-Url: http://mop.ddnsfree.com/gitweb/?a=commitdiff_plain;h=2e7a84b96857513ad916731b88f109cb25ccf97f;p=brisk.git add cloud smasher countermeasure --- diff --git a/web/Obj/brisk.conf-templ.pho b/web/Obj/brisk.conf-templ.pho index 6854d6a..90a2dc1 100644 --- a/web/Obj/brisk.conf-templ.pho +++ b/web/Obj/brisk.conf-templ.pho @@ -1,4 +1,12 @@ reload(TRUE, $ban_list, $black_list, $prov_proxy); + $brisk->reload(TRUE, $ban_list, $black_list, $cloud_smasher, $prov_proxy); return($brisk); } @@ -1077,6 +1078,7 @@ class Brisk $thiz->ban_list = IpClass::create(); $thiz->black_list = IpClass::create(); + $thiz->cloud_smasher = IpClass::create(); $thiz->provider_proxy = ProviderProxy::create(); $thiz->ghost_sess = new GhostSess(); @@ -1094,14 +1096,15 @@ class Brisk static::$sess_cur = FALSE; - $thiz->reload(TRUE, $ban_list, $black_list, $prov_proxy); + $thiz->reload(TRUE, $ban_list, $black_list, $cloud_smasher, $prov_proxy); return ($thiz); } - function reload($is_first, $ban_list, $black_list, $prov_proxy) + function reload($is_first, $ban_list, $black_list, $cloud_smasher, $prov_proxy) { - fprintf(STDERR, "RELOAD STUFF (%d)(%d)(%d)\n", count($ban_list), count($black_list), count($prov_proxy)); + fprintf(STDERR, "RELOAD STUFF (%d)(%d)(%d)(%d)\n", + count($ban_list), count($black_list), count($cloud_smasher), count($prov_proxy)); if (defined('CURL_DE_SAC_VERS')) { if (brisk_cds_reload($this) == FALSE) { @@ -1110,6 +1113,7 @@ class Brisk } $this->ban_list->update($ban_list); $this->black_list->update($black_list); + $this->cloud_smasher->update($cloud_smasher); $this->provider_proxy->update($prov_proxy); if (!$is_first) { @@ -1145,7 +1149,8 @@ class Brisk continue; // check if the IP is blacklisted - if ($this->black_check($user_cur->ip)) { + if ($this->black_check($user_cur->ip) || + $this->cloud_check($user_cur->ip)) { $user_cur->lacc = 0; $is_ban = TRUE; continue; @@ -1175,6 +1180,11 @@ class Brisk return ($this->black_list->check($ip_str)); } + function cloud_check($ip_str) + { + return ($this->cloud_smasher->check($ip_str)); + } + function pproxy_realip($header, $ip_str) { return ($this->provider_proxy->realip($header, $ip_str)); @@ -2614,18 +2624,24 @@ class Brisk function request_mgr(&$s_a_p, $header, &$header_out, &$new_socket, $path, $addr, $get, $post, $cookie) { - GLOBAL $G_ban_list, $G_black_list, $G_provider_proxy; + GLOBAL $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy; printf("NEW_SOCKET (root): %d PATH [%s]\n", intval($new_socket), $path); // $remote_addr = addrtoipv4($addr); $remote_addr = $this->pproxy_realip($header, addrtoipv4($addr)); - fprintf(STDERR, "\n\n\n PRE_BLACK_CHECK \n\n\n"); + fprintf(STDERR, "\n\n\n PRE_BLACK [%s]\n\n\n", $remote_addr); if ($this->black_check($remote_addr)) { // TODO: waiting async 5 sec before close fprintf(STDERR, "\n\n\n BLACK CHECK\n\n\n"); return (FALSE); } + if ($path != "" && $path != "index.php") { + if ($this->cloud_check($remote_addr)) { + // TODO: waiting async 5 sec before close + return (FALSE); + } + } $enc = get_encoding($header); if (isset($header['User-Agent'])) { diff --git a/web/Obj/sac-a-push.phh b/web/Obj/sac-a-push.phh index fdf5541..240a48a 100644 --- a/web/Obj/sac-a-push.phh +++ b/web/Obj/sac-a-push.phh @@ -623,7 +623,7 @@ class Sac_a_push { { GLOBAL $DOCUMENT_ROOT, $HTTP_HOST; - GLOBAL $G_alarm_passwd, $G_ban_list, $G_black_list, $G_provider_proxy; + GLOBAL $G_alarm_passwd, $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy; GLOBAL $G_btrace_pref_sub, $G_dbauth; GLOBAL $G_dbpfx, $G_donors_all, $G_donors_cur, $G_is_local, $G_lang; GLOBAL $G_poll_entries, $G_poll_name, $G_poll_title, $G_proxy_white_list; @@ -801,7 +801,7 @@ class Sac_a_push { if ($line == "reload") { require("$DOCUMENT_ROOT/Etc/".BRISK_CONF); $this->app->reload(FALSE, $G_ban_list, $G_black_list, - $G_provider_proxy); + $G_cloud_smasher, $G_provider_proxy); global_dump(); } else if ($line == "shutdown" || $line == "sd") { diff --git a/web/index.php b/web/index.php index c2c4be1..437f454 100644 --- a/web/index.php +++ b/web/index.php @@ -377,6 +377,13 @@ function index_main(&$brisk, $transp_type, $header, &$header_out, $remote_addr_f break; } } + if ($brisk->cloud_check($remote_addr)) { + // TODO: find a way to add a nonblocking sleep(5) here + $banned = TRUE; + $last_msg = $mlang_room['reas_cloud'][$G_lang]; + } + + if (validate_sess($sess)) { log_main("pre garbage_manager UNO"); $brisk->garbage_manager(TRUE); diff --git a/web/spush/brisk-spush.php b/web/spush/brisk-spush.php index 3a43b19..93957c8 100755 --- a/web/spush/brisk-spush.php +++ b/web/spush/brisk-spush.php @@ -42,11 +42,11 @@ require_once($G_base."briskin5/index_wr.php"); function main($argv) { - GLOBAL $G_ban_list, $G_black_list, $G_provider_proxy; + GLOBAL $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy; pid_save(); do { - if (($brisk = Brisk::create(LEGAL_PATH."/brisk-crystal.data", $G_ban_list, $G_black_list, $G_provider_proxy)) == FALSE) { + if (($brisk = Brisk::create(LEGAL_PATH."/brisk-crystal.data", $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy)) == FALSE) { log_crit("Brisk::create failed"); $ret = 1; break;