async Task DefendRequest(object sender, EventArgs e)
{
var context = ((HttpApplication)sender).Context;
HackerSprayer.Result result = await HackerSprayWebDefence.DefendURL(context);
if (result != HackerSprayer.Result.Allowed)
{
context.Response.StatusCode = (int)HttpStatusCode.NotAcceptable;
context.Response.StatusDescription = Enum.GetName(typeof(HackerSprayer.Result), result);
context.Response.End();
}
}
public static async Task <HackerSprayer.Result> DefendURL(HttpContext context)
{
HackerSprayer.Result result = HackerSprayer.Result.Allowed;
if (!Initialized)
{
lock (lockObject)
{
if (!Initialized)
{
Initialized = true;
HackerSprayer.Store = new RedisDefenceStore(HackerSprayConfig.Settings.Redis,
HackerSprayConfig.Settings.Prefix,
HackerSprayer.Config);
}
}
}
// This handles load balancers passing the original client IP
// through this header.
// WARNING: If your load balancer is not passing original client IP
// through this header, then you will be blocking your load balancer,
// causing a total outage. Also ensure this Header cannot be spoofed.
// Your load balancer should be configured in a way that it does not accept
// this header from the request, instead it always sets it itself.
var originIP = IPAddress.Parse(context.Request.Headers["X-Forward-For"]
?? context.Request.UserHostAddress).MapToIPv4();
foreach (var path in HackerSprayConfig.Settings.Paths)
{
if ((path.Post && context.Request.HttpMethod == "POST") ||
(!path.Post && context.Request.HttpMethod == "GET") &&
path.Name == context.Request.Path)
{
if (path.Mode == "perkey")
{
result = await HackerSprayer.DefendAsync(context.Request.Path, originIP,
path.Interval, path.MaxAttempts,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue);
}
else if (path.Mode == "perorigin")
{
result = await HackerSprayer.DefendAsync(context.Request.Path, originIP,
TimeSpan.MaxValue, long.MaxValue,
path.Interval, path.MaxAttempts,
TimeSpan.MaxValue, long.MaxValue);
}
else //(path.Mode == "perkeyorigin")
{
result = await HackerSprayer.DefendAsync(context.Request.Path, originIP,
TimeSpan.MaxValue, long.MaxValue,
TimeSpan.MaxValue, long.MaxValue,
path.Interval, path.MaxAttempts);
}
// Blacklist origin. After that, it becomes least expensive to block requests
if (result == HackerSprayer.Result.TooManyHitsFromOrigin)
{
await HackerSprayer.BlacklistOriginAsync(originIP, path.Interval);
}
else if (result == HackerSprayer.Result.TooManyHitsOnKey)
{
await HackerSprayer.BlacklistKeyAsync(path.Name, path.Interval);
}
//else if (result == HackerSprayer.Result.TooManyHitsOnKeyFromOrigin)
// There is nothing for that, because we neither want to block the key for all ip,
// nor do we want to block the ip for all key. It just has to be checked each
// and every time. Thus this is the most expensive check.
break;
}
}
return(result);
}
