From 2e7a84b96857513ad916731b88f109cb25ccf97f Mon Sep 17 00:00:00 2001
From: "Matteo Nastasi (mop)"
Date: Sun, 1 Feb 2015 16:15:57 +0100
Subject: [PATCH] add cloud smasher countermeasure

---
 web/Obj/brisk.conf-templ.pho |  8 ++++++++
 web/Obj/brisk.phh            | 36 ++++++++++++++++++++++++++----------
 web/Obj/sac-a-push.phh       |  4 ++--
 web/index.php                |  7 +++++++
 web/spush/brisk-spush.php    |  4 ++--
 5 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/web/Obj/brisk.conf-templ.pho b/web/Obj/brisk.conf-templ.pho
index 6854d6a..90a2dc1 100644
--- a/web/Obj/brisk.conf-templ.pho
+++ b/web/Obj/brisk.conf-templ.pho
@@ -1,4 +1,12 @@ reload(TRUE, $ban_list, $black_list, $prov_proxy);
+        $brisk->reload(TRUE, $ban_list, $black_list, $cloud_smasher, $prov_proxy);
         return($brisk);
     }
@@ -1077,6 +1078,7 @@ class Brisk
         $thiz->ban_list = IpClass::create();
         $thiz->black_list = IpClass::create();
+        $thiz->cloud_smasher = IpClass::create();
         $thiz->provider_proxy = ProviderProxy::create();
         $thiz->ghost_sess = new GhostSess();
@@ -1094,14 +1096,15 @@ class Brisk
         static::$sess_cur = FALSE;
-        $thiz->reload(TRUE, $ban_list, $black_list, $prov_proxy);
+        $thiz->reload(TRUE, $ban_list, $black_list, $cloud_smasher, $prov_proxy);
         return ($thiz);
     }
-    function reload($is_first, $ban_list, $black_list, $prov_proxy)
+    function reload($is_first, $ban_list, $black_list, $cloud_smasher, $prov_proxy)
     {
-        fprintf(STDERR, "RELOAD STUFF (%d)(%d)(%d)\n", count($ban_list), count($black_list), count($prov_proxy));
+        fprintf(STDERR, "RELOAD STUFF (%d)(%d)(%d)(%d)\n",
+                count($ban_list), count($black_list), count($cloud_smasher), count($prov_proxy));
         if (defined('CURL_DE_SAC_VERS')) {
             if (brisk_cds_reload($this) == FALSE) {
@@ -1110,6 +1113,7 @@ class Brisk
         }
         $this->ban_list->update($ban_list);
         $this->black_list->update($black_list);
+        $this->cloud_smasher->update($cloud_smasher);
         $this->provider_proxy->update($prov_proxy);
         if (!$is_first) {
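Review bot: In the new `reload()` signature the `$cloud_smasher` parameter is inserted in front of `$prov_proxy` and then fed unguarded to `count()` and `$this->cloud_smasher->update()`; a caller or a site config that predates this commit (only the conf template is patched here, not a deployed `Etc/` conf, and the template hunk itself is not visible on this page) would leave it null, which on PHP 5 is a warning rather than an error, so the countermeasure could load as an empty list without anyone noticing. I would add a guard right after the signature, `if (!is_array($cloud_smasher)) { fprintf(STDERR, "RELOAD: cloud_smasher list missing or not an array\n"); $cloud_smasher = array(); }`, so a misconfigured reload shows up next to the `RELOAD STUFF` counts instead of silently disabling the check. Whether `IpClass::update()` tolerates a null argument cannot be seen from this hunk. Both `create()` and `reload()` continue outside the hunk.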
@@ -1145,7 +1149,8 @@ class Brisk
                 continue;
             // check if the IP is blacklisted
-            if ($this->black_check($user_cur->ip)) {
+            if ($this->black_check($user_cur->ip) ||
+                $this->cloud_check($user_cur->ip)) {
                 $user_cur->lacc = 0;
                 $is_ban = TRUE;
                 continue;
@@ -1175,6 +1180,11 @@ class Brisk
         return ($this->black_list->check($ip_str));
     }
+    function cloud_check($ip_str)
+    {
+        return ($this->cloud_smasher->check($ip_str));
+    }
+
     function pproxy_realip($header, $ip_str)
     {
         return ($this->provider_proxy->realip($header, $ip_str));
@@ -2614,18 +2624,24 @@ class Brisk
     function request_mgr(&$s_a_p, $header, &$header_out, &$new_socket, $path, $addr, $get, $post, $cookie)
     {
-        GLOBAL $G_ban_list, $G_black_list, $G_provider_proxy;
+        GLOBAL $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy;
         printf("NEW_SOCKET (root): %d PATH [%s]\n", intval($new_socket), $path);
         // $remote_addr = addrtoipv4($addr);
         $remote_addr = $this->pproxy_realip($header, addrtoipv4($addr));
-        fprintf(STDERR, "\n\n\n PRE_BLACK_CHECK \n\n\n");
+        fprintf(STDERR, "\n\n\n PRE_BLACK [%s]\n\n\n", $remote_addr);
         if ($this->black_check($remote_addr)) {
             // TODO: waiting async 5 sec before close
             fprintf(STDERR, "\n\n\n BLACK CHECK\n\n\n");
             return (FALSE);
         }
+        if ($path != "" && $path != "index.php") {
+            if ($this->cloud_check($remote_addr)) {
+                // TODO: waiting async 5 sec before close
+                return (FALSE);
+            }
+        }
         $enc = get_encoding($header);
         if (isset($header['User-Agent'])) {
diff --git a/web/Obj/sac-a-push.phh b/web/Obj/sac-a-push.phh
index fdf5541..240a48a 100644
--- a/web/Obj/sac-a-push.phh
+++ b/web/Obj/sac-a-push.phh
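Review bot: The comment `// check if the IP is blacklisted` above the changed condition is now stale, because the same branch also expires the session of any connected user whose IP is in the cloud-smasher list; I would change it to `// check if the IP is blacklisted or belongs to a blocked cloud range`. It is also worth a line noting that here a cloud hit is treated exactly like a blacklist hit (`lacc = 0`, `$is_ban = TRUE`), whereas `request_mgr` below exempts `index.php` from the cloud check — presumably so the user can still be shown a message, but a reader cannot tell that from this loop. The enclosing loop and function start outside the hunk.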
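Review bot: `cloud_check()` is added with no comment, and unlike `black_check()` just above it the name does not say what the list is or why a hit is handled differently from a blacklist entry; a one-line docblock such as `/* TRUE when $ip_str falls in one of the configured cloud-provider ranges ($G_cloud_smasher); same format as black_check() */` would cover that. Whether `IpClass::check()` accepts anything other than the dotted IPv4 string that `addrtoipv4()` appears to produce at the call sites cannot be seen here, so I would not assert more than that.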
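Review bot: The new cloud rejection in `request_mgr` closes the connection silently, whereas the blacklist branch just above logs `BLACK CHECK` to stderr; without a matching line before the new `return (FALSE);`, e.g. `fprintf(STDERR, "CLOUD CHECK [%s] path [%s]\n", $remote_addr, $path);`, there is no way to tell from the logs whether the list is firing at all or is over-blocking users behind a provider that shares cloud address space. The `index.php` exemption also deserves a comment, since a reader cannot tell from here that it presumably exists so that `index_main()` can answer with a ban message instead of a dropped socket, as the check added in `web/index.php` suggests. Minor: the path comparisons use loose `!=`; `!==` costs nothing and is the usual choice for an access-control test. `request_mgr`'s body continues past the hunk.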
@@ -623,7 +623,7 @@ class Sac_a_push {
     {
         GLOBAL $DOCUMENT_ROOT, $HTTP_HOST;
-        GLOBAL $G_alarm_passwd, $G_ban_list, $G_black_list, $G_provider_proxy;
+        GLOBAL $G_alarm_passwd, $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy;
         GLOBAL $G_btrace_pref_sub, $G_dbauth;
         GLOBAL $G_dbpfx, $G_donors_all, $G_donors_cur, $G_is_local, $G_lang;
         GLOBAL $G_poll_entries, $G_poll_name, $G_poll_title, $G_proxy_white_list;
@@ -801,7 +801,7 @@ class Sac_a_push {
                 if ($line == "reload") {
                     require("$DOCUMENT_ROOT/Etc/".BRISK_CONF);
                     $this->app->reload(FALSE, $G_ban_list, $G_black_list,
-                                       $G_provider_proxy);
+                                       $G_cloud_smasher, $G_provider_proxy);
                     global_dump();
                 }
                 else if ($line == "shutdown" || $line == "sd") {
diff --git a/web/index.php b/web/index.php
index c2c4be1..437f454 100644
--- a/web/index.php
+++ b/web/index.php
@@ -377,6 +377,13 @@ function index_main(&$brisk, $transp_type, $header, &$header_out, $remote_addr_f
             break;
         }
     }
+    if ($brisk->cloud_check($remote_addr)) {
+        // TODO: find a way to add a nonblocking sleep(5) here
+        $banned = TRUE;
+        $last_msg = $mlang_room['reas_cloud'][$G_lang];
+    }
+
+
     if (validate_sess($sess)) {
         log_main("pre garbage_manager UNO");
         $brisk->garbage_manager(TRUE);
diff --git a/web/spush/brisk-spush.php b/web/spush/brisk-spush.php
index 3a43b19..93957c8 100755
--- a/web/spush/brisk-spush.php
+++ b/web/spush/brisk-spush.php
@@ -42,11 +42,11 @@ require_once($G_base."briskin5/index_wr.php");
 function main($argv)
 {
-    GLOBAL $G_ban_list, $G_black_list, $G_provider_proxy;
+    GLOBAL $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy;
     pid_save();
     do {
-        if (($brisk = Brisk::create(LEGAL_PATH."/brisk-crystal.data", $G_ban_list, $G_black_list, $G_provider_proxy)) == FALSE) {
+        if (($brisk = Brisk::create(LEGAL_PATH."/brisk-crystal.data", $G_ban_list, $G_black_list, $G_cloud_smasher, $G_provider_proxy)) == FALSE) {
             log_crit("Brisk::create failed");
             $ret = 1;
             break;
-- 
2.17.1
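Review bot: The new block in `index_main` reads `$mlang_room['reas_cloud'][$G_lang]`, but no hunk visible on this page adds a `reas_cloud` entry (the diffstat shows exactly the 7 lines of this hunk for index.php, and part of the brisk.phh diff appears to be missing from the page), so unless it already exists for every `$G_lang` the user gets an undefined-index notice and an empty ban message; if the table lives in index.php the entry belongs in this commit, and a fallback such as `$last_msg = isset($mlang_room['reas_cloud'][$G_lang]) ? $mlang_room['reas_cloud'][$G_lang] : 'cloud';` would keep the ban path working either way. The hunk also does not show where `$remote_addr` comes from — the signature lists a `$remote_addr_f…` parameter — so it is worth confirming it is the same proxy-resolved address `request_mgr` checks, otherwise the two checks can disagree. The `// TODO: … nonblocking sleep(5)` now appears in three places; one shared helper or a single tracked TODO would be easier to close. What happens with `$banned` afterwards is outside the hunk.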