实现自动SYN Flood防护

2026-03-18 17:15:37 +08:00 · 2022-01-10 19:54:10 +08:00
parent 1e718021db
commit fc4e02c82d
13 changed files with 99 additions and 19 deletions
--- a/internal/waf/action_block.go
+++ b/internal/waf/action_block.go
@@ -64,7 +64,7 @@ func (this *BlockAction) Perform(waf *WAF, group *RuleGroup, set *RuleSet, reque
 		timeout = 60 // 默认封锁60秒
 	}

-	SharedIPBlackList.RecordIP(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+int64(timeout), waf.Id, waf.UseLocalFirewall, group.Id, set.Id)
+	SharedIPBlackList.RecordIP(IPTypeAll, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+int64(timeout), waf.Id, waf.UseLocalFirewall, group.Id, set.Id, "")

 	if writer != nil {
 		// close the connection
--- a/internal/waf/action_post_307.go
+++ b/internal/waf/action_post_307.go
@@ -56,7 +56,7 @@ func (this *Post307Action) Perform(waf *WAF, group *RuleGroup, set *RuleSet, req
 				life = 600 // 默认10分钟
 			}
 			var setId = m.GetString("setId")
-			SharedIPWhiteList.RecordIP("set:"+setId, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+life, m.GetInt64("policyId"), false, m.GetInt64("groupId"), m.GetInt64("setId"))
+			SharedIPWhiteList.RecordIP("set:"+setId, this.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+life, m.GetInt64("policyId"), false, m.GetInt64("groupId"), m.GetInt64("setId"), "")
 			return true
 		}
 	}
--- a/internal/waf/action_record_ip.go
+++ b/internal/waf/action_record_ip.go
@@ -22,6 +22,8 @@ type recordIPTask struct {
 	level     string
 	serverId  int64

+	reason string
+
 	sourceServerId                int64
 	sourceHTTPFirewallPolicyId    int64
 	sourceHTTPFirewallRuleGroupId int64
@@ -44,12 +46,16 @@ func init() {
 				if strings.Contains(task.ip, ":") {
 					ipType = "ipv6"
 				}
+				var reason = task.reason
+				if len(reason) == 0 {
+					reason = "触发WAF规则自动加入"
+				}
 				_, err = rpcClient.IPItemRPC().CreateIPItem(rpcClient.Context(), &pb.CreateIPItemRequest{
 					IpListId:                      task.listId,
 					IpFrom:                        task.ip,
 					IpTo:                          "",
 					ExpiredAt:                     task.expiredAt,
-					Reason:                        "触发WAF规则自动加入",
+					Reason:                        reason,
 					Type:                          ipType,
 					EventLevel:                    task.level,
 					ServerId:                      task.serverId,
--- a/internal/waf/captcha_validator.go
+++ b/internal/waf/captcha_validator.go
@@ -153,7 +153,7 @@ func (this *CaptchaValidator) validate(actionConfig *CaptchaAction, policyId int
 			}

 			// 加入到白名单
-			SharedIPWhiteList.RecordIP("set:"+strconv.FormatInt(setId, 10), actionConfig.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+int64(life), policyId, false, groupId, setId)
+			SharedIPWhiteList.RecordIP("set:"+strconv.FormatInt(setId, 10), actionConfig.Scope, request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+int64(life), policyId, false, groupId, setId, "")

 			http.Redirect(writer, request.WAFRaw(), originURL, http.StatusSeeOther)

--- a/internal/waf/get302_validator.go
+++ b/internal/waf/get302_validator.go
@@ -44,7 +44,7 @@ func (this *Get302Validator) Run(request requests.Request, writer http.ResponseW
 		life = 600 // 默认10分钟
 	}
 	setId := m.GetString("setId")
-	SharedIPWhiteList.RecordIP("set:"+setId, m.GetString("scope"), request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+life, m.GetInt64("policyId"), false, m.GetInt64("groupId"), m.GetInt64("setId"))
+	SharedIPWhiteList.RecordIP("set:"+setId, m.GetString("scope"), request.WAFServerId(), request.WAFRemoteIP(), time.Now().Unix()+life, m.GetInt64("policyId"), false, m.GetInt64("groupId"), m.GetInt64("setId"), "")

 	// 返回原始URL
 	var url = m.GetString("url")
--- a/internal/waf/ip_list.go
+++ b/internal/waf/ip_list.go
@@ -81,7 +81,8 @@ func (this *IPList) RecordIP(ipType string,
 	policyId int64,
 	useLocalFirewall bool,
 	groupId int64,
-	setId int64) {
+	setId int64,
+	reason string) {
 	this.Add(ipType, scope, serverId, ip, expiresAt)

 	if this.listType == IPListTypeDeny {
@@ -97,6 +98,7 @@ func (this *IPList) RecordIP(ipType string,
 			sourceHTTPFirewallPolicyId:    policyId,
 			sourceHTTPFirewallRuleGroupId: groupId,
 			sourceHTTPFirewallRuleSetId:   setId,
+			reason:                        reason,
 		}:
 		default:

--- a/internal/waf/waf.go
+++ b/internal/waf/waf.go
@@ -15,14 +15,15 @@ import (
 )

 type WAF struct {
-	Id               int64                        `yaml:"id" json:"id"`
-	IsOn             bool                         `yaml:"isOn" json:"isOn"`
-	Name             string                       `yaml:"name" json:"name"`
-	Inbound          []*RuleGroup                 `yaml:"inbound" json:"inbound"`
-	Outbound         []*RuleGroup                 `yaml:"outbound" json:"outbound"`
-	CreatedVersion   string                       `yaml:"createdVersion" json:"createdVersion"`
-	Mode             firewallconfigs.FirewallMode `yaml:"mode" json:"mode"`
-	UseLocalFirewall bool                         `yaml:"useLocalFirewall" json:"useLocalFirewall"`
+	Id               int64                           `yaml:"id" json:"id"`
+	IsOn             bool                            `yaml:"isOn" json:"isOn"`
+	Name             string                          `yaml:"name" json:"name"`
+	Inbound          []*RuleGroup                    `yaml:"inbound" json:"inbound"`
+	Outbound         []*RuleGroup                    `yaml:"outbound" json:"outbound"`
+	CreatedVersion   string                          `yaml:"createdVersion" json:"createdVersion"`
+	Mode             firewallconfigs.FirewallMode    `yaml:"mode" json:"mode"`
+	UseLocalFirewall bool                            `yaml:"useLocalFirewall" json:"useLocalFirewall"`
+	SYNFlood         *firewallconfigs.SYNFloodConfig `yaml:"synFlood" json:"synFlood"`

 	DefaultBlockAction *BlockAction