public async Task <IActionResult> Edit([FromBody] AttackEditParams data)
{
try
{
var attack = await _dnsDb.AttackGroups
.FirstOrDefaultAsync(x => x.Id == data.Id);
if (attack != null)
{
var prevStatus = attack.StatusEnum;
attack.Status = data.Status;
await _attackService.AddHistory(attack, prevStatus);
if (!data.Comment.IsBlank())
{
await _attackService.AddNote(attack, data.Comment);
}
await _dnsDb.SaveChangesAsync();
await _hubContext.Clients.All.SendAsync("UpdateAttack", _attackService.CastToViewModel(attack));
var attackMessage = await _notifyService.BuildAttackMessage(string.Empty, attack.Id);
await _redisService.Publish(RedisKeys.NOTIFY_SEND_CHANNEL, attackMessage.ProtoSerialize());
return(new JsonResult("Ok"));
}
}
catch (Exception ex)
{
_logger.LogError(ex, "");
}
return(new JsonResult(null));
}
public async Task AddNote(AttackGroups attackGroup, string text, bool commit = false)
{
attackGroup.Notes.Add(new AttackNotes
{
AttackGroup = attackGroup,
AttackGroupId = attackGroup.Id,
Date = DateTimeOffset.UtcNow,
Text = text.Trim()
});
if (commit)
{
await _dnsDb.SaveChangesAsync();
}
else
{
await Task.FromResult(0);
}
}
public async Task UpdateSuspectDomains(IEnumerable <ResolvedDomain> domains)
{
_dbContext.RemoveRange(_dbContext.SuspectDomains);
var newSuspects = domains.SelectMany(x => x.IPAddresses, (domain, ipaddress) => new SuspectDomains
{
Domain = domain.Name,
Ip = ipaddress
}).ToList();
for (int i = 0; i < newSuspects.Count; i++)
{
newSuspects[i].Id = i;
}
_dbContext.SuspectDomains.AddRange(newSuspects);
await _dbContext.SaveChangesAsync();
_logger.LogInformation($"Suspect domains ({newSuspects.Count}) updated");
}
public async Task UpdateIpInfo(bool onlyUnresolved)
{
_logger.LogInformation("Starting update ip information");
HashSet <string> ips = onlyUnresolved ?
await UnResolvedIps() :
_readOnlyDbContext.DnsAttacks.Select(x => x.Ip).Distinct().ToHashSet();
foreach (var ip in ips)
{
try
{
var info = GetInfo(ip);
if (info != null)
{
var prevInfo = await _dbContext.IpInfo.FirstOrDefaultAsync(x => x.Ip == info.Ip);
if (prevInfo == null)
{
prevInfo = new IpInfo {
Ip = info.Ip
};
_dbContext.IpInfo.Add(prevInfo);
}
prevInfo.Company = info.Company;
prevInfo.Country = info.Country;
if (info.Subnet != null && info.Subnet.Length < 19)
{
prevInfo.Subnet = info.Subnet;
}
}
}
catch (Exception ex)
{
_logger.LogWarning(ex, ip);
}
}
await _dbContext.SaveChangesAsync();
_logger.LogInformation("Completed update ip information");
}
public async Task <IEnumerable <int> > UpdateDnsAttacks(IEnumerable <DnsAttackModel> attacks)
{
var newAttacks = new List <Attacks>();
var ignoreAttacks = new List <Attacks>();
var storedAttacks = await _dbContext.DnsAttacks.Include(x => x.AttackGroup).ToListAsync();
var blockedIps = await _redis.GetStringSetMembers(RedisKeys.BLACK_IPS);
var blockedSubnets = await _redis.GetStringSetMembers(RedisKeys.BLACK_SUBNETS);
foreach (var recentAttack in attacks)
{
bool needNotify = false;
Attacks attack = null;
var groups = storedAttacks
.Where(x => x.WhiteDomain == recentAttack.WhiteDomain && x.BlackDomain == recentAttack.BlackDomain)
.Select(x => x.AttackGroup);
if (groups.Any())
{
var lastGroup = groups.OrderBy(x => x.Id).LastOrDefault();
if (lastGroup.StatusEnum == AttackGroupStatusEnum.Complete)
{
var group = CreateNewAttackGroup(recentAttack, blockedIps, blockedSubnets);
_dbContext.AttackGroups.Add(group);
lastGroup = group;
attack = lastGroup.Attacks.LastOrDefault();
needNotify = true;
}
else
{
attack = lastGroup.Attacks.FirstOrDefault(x => x.Ip == recentAttack.Ip);
if (attack != null)
{
if (attack.StatusEnum == AttackStatusEnum.Closing || attack.StatusEnum == AttackStatusEnum.Completed)
{
var prevStatus = (AttackStatusEnum)attack.Status;
attack.Status = (int)AttackStatusEnum.Intersection;
var history = AddNewAttackHistory(attack, prevStatus);
needNotify = true;
}
else
{
ignoreAttacks.Add(attack);
}
}
else
{
attack = AddNewAttack(recentAttack, lastGroup);
var history = AddNewAttackHistory(attack, AttackStatusEnum.None);
needNotify = true;
}
}
}
else
{
var group = CreateNewAttackGroup(recentAttack, blockedIps, blockedSubnets);
_dbContext.AttackGroups.Add(group);
attack = group.Attacks.LastOrDefault();
needNotify = true;
}
attack.IpBlocked = blockedIps.Any(x => x == recentAttack.Ip);
try
{
attack.SubnetBlocked = blockedSubnets
.Select(x => IPAddressRange.Parse(x))
.FirstOrDefault(x => x.Contains(IPAddress.Parse(recentAttack.Ip)))
?.ToCidrString();
}
catch (Exception ex)
{
_logger.LogWarning(ex, ex.Message);
}
await _dbContext.SaveChangesAsync();
if (needNotify)
{
newAttacks.Add(attack);
}
}
var treshholdCompleted = DateTimeOffset.UtcNow.AddDays(-1);
var newIds = newAttacks.Select(x => x.Id).ToList();
var ignoreIds = ignoreAttacks.Select(x => x.Id).ToList();
var allIds = storedAttacks.Select(x => x.Id).ToList();
var notUpdatedIds = allIds.Except(newIds).Except(ignoreIds).ToList();
var notUpdatedAttacks = storedAttacks.Where(x => notUpdatedIds.Contains(x.Id)).ToList();
foreach (var attack in notUpdatedAttacks)
{
if (attack.AttackGroup.StatusEnum != AttackGroupStatusEnum.Complete)
{
var status = attack.StatusEnum;
var history = _dbContext.AttackHistories.Where(x => x.AttackId == attack.Id).OrderBy(x => x.Id).LastOrDefault();
if (status == AttackStatusEnum.Intersection)
{
attack.Status = (int)AttackStatusEnum.Closing;
AddNewAttackHistory(attack, AttackStatusEnum.Intersection);
newAttacks.Add(attack);
}
else if (status == AttackStatusEnum.Closing)
{
if (history.Date < treshholdCompleted)
{
attack.Status = (int)AttackStatusEnum.Completed;
AddNewAttackHistory(attack, AttackStatusEnum.Closing);
newAttacks.Add(attack);
}
}
}
}
await _dbContext.SaveChangesAsync();
_logger.LogInformation("Update DNS Attacks complete");
return(newAttacks.Select(x => x.Id).AsEnumerable());
}