Skip to content

Commit

Permalink
Move logic for checking if we should ban IP or not to separate function
Browse files Browse the repository at this point in the history
  • Loading branch information
pavel-odintsov committed Mar 13, 2015
1 parent 5338785 commit da62135
Showing 1 changed file with 34 additions and 21 deletions.
55 changes: 34 additions & 21 deletions fastnetmon.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -360,6 +360,7 @@ bool process_outgoing_traffic = true;
void block_all_traffic_with_82599_hardware_filtering(std::string client_ip_as_string);
#endif

bool we_should_ban_this_ip(map_element* current_average_speed_element);
std::string get_net_address_from_network_as_string(std::string network_cidr_format);
unsigned int get_max_used_protocol(uint64_t tcp, uint64_t udp, uint64_t icmp);
std::string get_printable_protocol_name(unsigned int protocol);
Expand Down Expand Up @@ -1546,6 +1547,9 @@ void recalculate_speed() {
current_average_speed_element->in_flows = uint64_t(new_speed_element.in_flows + exp_value *
((double)current_average_speed_element->in_flows - (double)new_speed_element.in_flows));

/* Moving average recalculation end */

// TODO: remove this useless variables!
uint64_t in_pps_average = current_average_speed_element->in_packets;
uint64_t out_pps_average = current_average_speed_element->out_packets;

Expand All @@ -1555,27 +1559,7 @@ void recalculate_speed() {
uint64_t in_flows_average = current_average_speed_element->in_flows;
uint64_t out_flows_average = current_average_speed_element->out_flows;

/* Moving average recalculation end */

// we detect overspeed by packets
bool attack_detected_by_pps = false;
bool attack_detected_by_bandwidth = false;
bool attack_detected_by_flow = false;

if (enable_ban_for_pps && (in_pps_average > ban_threshold_pps or out_pps_average > ban_threshold_pps)) {
attack_detected_by_pps = true;
}

// we detect overspeed by bandwidth
if (enable_ban_for_bandwidth && (convert_speed_to_mbps(in_bps_average) > ban_threshold_mbps or convert_speed_to_mbps(out_bps_average) > ban_threshold_mbps)) {
attack_detected_by_bandwidth = true;
}

if (enable_ban_for_flows_per_second && (in_flows_average > ban_threshold_flows or out_flows_average > ban_threshold_flows)) {
attack_detected_by_flow = true;
}

if (attack_detected_by_pps or attack_detected_by_bandwidth or attack_detected_by_flow) {
if (we_should_ban_this_ip(current_average_speed_element)) {
std::string flow_attack_details = "";

if (enable_conection_tracking) {
Expand Down Expand Up @@ -2738,4 +2722,33 @@ void print_attack_details_to_file(std::string details, std::string client_ip_as_
}
}

// Return true when we should ban this IP
bool we_should_ban_this_ip(map_element* current_average_speed_element) {
uint64_t in_pps_average = current_average_speed_element->in_packets;
uint64_t out_pps_average = current_average_speed_element->out_packets;

uint64_t in_bps_average = current_average_speed_element->in_bytes;
uint64_t out_bps_average = current_average_speed_element->out_bytes;

uint64_t in_flows_average = current_average_speed_element->in_flows;
uint64_t out_flows_average = current_average_speed_element->out_flows;

// we detect overspeed by packets
bool attack_detected_by_pps = false;
bool attack_detected_by_bandwidth = false;
bool attack_detected_by_flow = false;
if (enable_ban_for_pps && (in_pps_average > ban_threshold_pps or out_pps_average > ban_threshold_pps)) {
attack_detected_by_pps = true;
}

// we detect overspeed by bandwidth
if (enable_ban_for_bandwidth && (convert_speed_to_mbps(in_bps_average) > ban_threshold_mbps or convert_speed_to_mbps(out_bps_average) > ban_threshold_mbps)) {
attack_detected_by_bandwidth = true;
}

if (enable_ban_for_flows_per_second && (in_flows_average > ban_threshold_flows or out_flows_average > ban_threshold_flows)) {
attack_detected_by_flow = true;
}

return attack_detected_by_pps or attack_detected_by_bandwidth or attack_detected_by_flow;
}

0 comments on commit da62135

Please sign in to comment.