📄 pgpnetattack.c
attacker->portScan.numUDPScans-1));
record->port = 0;
attacker->portScan.numUDPScans--;
}
}
if ((record->tcp == tcp) && (record->port == port))
{
if (recorded)
{
record->port = 0;
if (record->tcp)
attacker->portScan.numTCPScans--;
else
attacker->portScan.numUDPScans--;
}
else
recorded = TRUE;
}
}
if (recorded && !count)
break;
}
if (attacker->portScan.numTCPScans > MAX_TCP_PORT_SCANS)
{
attacker->portScan.numTCPScans = 0;
attacker->portScan.tcpCounter = 0;
for (index=0; index<MAX_PORT_SCANS; index++)
{
record = &(attacker->portScan.scanRecord[index]);
if (record->tcp)
record->port = 0;
}
return TRUE;
}
if (attacker->portScan.numUDPScans > MAX_UDP_PORT_SCANS)
{
attacker->portScan.numUDPScans = 0;
attacker->portScan.udpCounter = 0;
for (index=0; index<MAX_PORT_SCANS; index++)
{
record = &(attacker->portScan.scanRecord[index]);
if (!(record->tcp))
record->port = 0;
}
return TRUE;
}
return FALSE;
}
/*
 * Report a change of source MAC address for a tracked IP address.
 *
 * attack     attack-tracking context handed to the tracker helpers
 * timeNow    current time, passed through to the tracker helpers
 * mac        MAC address seen on the current packet; must reference at
 *            least MAC_ADDRESS_SIZE readable bytes (not checked here)
 * ipAddress  source IP address of the current packet
 *
 * Returns TRUE when the IP address is already tracked and the MAC differs
 * from the one stored for it; FALSE on first sighting, on an unchanged MAC,
 * or when a new tracking entry cannot be added.
 *
 * Detection notes:
 *  - The first MAC seen for an IP address is accepted as the baseline
 *    (trust on first use); nothing here validates it.
 *  - The stored MAC is overwritten on every call, so only a change between
 *    two consecutive packets is reported. A sender that keeps using a new
 *    MAC is flagged once, then becomes the baseline.
 */
PGPBoolean pgpSpoofAttack(PGPnetAttackContextRef attack, PGPUInt32 timeNow,
	PGPByte *mac, PGPUInt32 ipAddress)
{
	PGPnetAttacker *	tracked;
	PGPBoolean			macChanged;
	PGPError			status;

	tracked = sFindTrackedAttacker(attack, ipAddress, timeNow);

	if (!IsNull(tracked))
	{
		/* Known source: compare against the MAC remembered last time. */
		macChanged = !pgpMemoryEqual(mac, tracked->spoof.mac,
						MAC_ADDRESS_SIZE);
	}
	else
	{
		/* New source: start tracking it; there is nothing to compare yet. */
		status = sAddTrackedAttacker(attack, ipAddress, timeNow, &tracked);
		if (IsPGPError(status))
			return FALSE;

		macChanged = FALSE;
	}

	/*
	 * Remember the MAC just seen. The call passes mac first and the stored
	 * field second, which reads as (source, destination).
	 */
	pgpCopyMemory(mac, tracked->spoof.mac, MAC_ADDRESS_SIZE);

	return macChanged;
}
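/*
 * Track unanswered SYNs per source IP address and report a SYN flood.
 *
 * attack     attack-tracking context handed to the tracker helpers
 * timeNow    current time; compared against SYN_LIFETIME, SYN_HANGTIME and
 *            MIN_HIT_TIME with unsigned subtraction
 * ipAddress  source IP address of the packet
 * syn, ack   TCP flags of the packet
 * srcPort    TCP source port (stored in the record, never used for matching)
 * destPort   TCP destination port; records are matched on this value only
 *
 * Returns TRUE when a record exceeds MAX_SYN_HITS within MIN_HIT_TIME of its
 * first hit, or when a record already flagged as attacked has been hanging
 * longer than SYN_HANGTIME. In both cases every SYN record of this source
 * is cleared before returning. Returns FALSE otherwise, including when a
 * new tracking entry cannot be added.
 *
 * Detection notes:
 *  - destPort == 0 doubles as the "free slot" marker, so a destination port
 *    of 0 cannot be tracked reliably. NOTE(review): confirm that callers
 *    filter port 0 before calling.
 *  - An ACK closes the first record with a matching destPort regardless of
 *    the source port it arrived from.
 *  - When a SYN is first stored in a free slot and an older record for the
 *    same port is found later in the scan, the older record is folded into
 *    the new one: only firstHit is carried over, numHits restarts.
 *    NOTE(review): confirm that dropping the accumulated hit count is
 *    intended.
 */
PGPBoolean pgpSynFloodAttack(PGPnetAttackContextRef attack, PGPUInt32 timeNow,
	PGPUInt32 ipAddress, PGPBoolean syn, PGPBoolean ack,
	PGPUInt16 srcPort, PGPUInt16 destPort)
{
	PGPUInt32			index;
	PGPSynFloodRecord *	record;
	PGPSynFloodRecord *	newRecord;
	PGPUInt32			count;
	PGPBoolean			recorded;
	PGPBoolean			countHit;
	PGPnetAttacker *	attacker;
	PGPByte *			ipAddressByte;
	PGPError			err;

	/* Byte view of the address, used only by the debug messages. */
	ipAddressByte = (PGPByte *) &ipAddress;

	attacker = sFindTrackedAttacker(attack, ipAddress, timeNow);
	if (IsNull(attacker))
	{
		err = sAddTrackedAttacker(attack, ipAddress, timeNow, &attacker);
		if (IsPGPError(err))
			return FALSE;
	}

	/* Number of in-use records still to be visited; lets the scan stop early. */
	count = attacker->synFlood.numSyns;
	recorded = FALSE;
	newRecord = NULL;

	for (index=0; index<MAX_SYN_TRACK; index++)
	{
		record = &(attacker->synFlood.synRecord[index]);

		if (!record->destPort)
		{
			/* Free slot: store a bare SYN here unless it is already recorded. */
			if (!recorded && syn && !ack)
			{
				recorded = TRUE;
				newRecord = record;

				record->srcPort = srcPort;
				record->destPort = destPort;
				record->numHits = 1;
				record->attacked = FALSE;
				record->firstHit = timeNow;
				attacker->synFlood.numSyns++;

				pgpDebugFmtMsg((pgpaFmtPrefix,
					"Possible syn flood attack from %d.%d.%d.%d on "
					"port %d",
					ipAddressByte[0], ipAddressByte[1], ipAddressByte[2],
					ipAddressByte[3], destPort));
			}
		}
		else
		{
			count--;

			if ((timeNow - record->firstHit) > SYN_LIFETIME)
			{
				/* Record aged out: release the slot. */
				if (attacker->synFlood.numSyns > 0)
					attacker->synFlood.numSyns--;

				pgpDebugFmtMsg((pgpaFmtPrefix,
					"SYN from %d.%d.%d.%d on port %d has expired. "
					"%d SYNs remaining",
					ipAddressByte[0], ipAddressByte[1], ipAddressByte[2],
					ipAddressByte[3], record->destPort,
					attacker->synFlood.numSyns));

				record->destPort = 0;
			}
			else if (((timeNow - record->hangStart) > SYN_HANGTIME) &&
					record->attacked)
			{
				/*
				 * A record over the hit limit has stayed unanswered past
				 * the hang time: report the flood and start from scratch.
				 */
				attacker->synFlood.numSyns = 0;
				for (index=0; index<MAX_SYN_TRACK; index++)
					attacker->synFlood.synRecord[index].destPort = 0;

				return TRUE;
			}

			if (record->destPort == destPort)
			{
				/* A bare SYN counts as a hit unless it is folded away below. */
				countHit = (syn && !ack) ? TRUE : FALSE;

				if ((recorded && syn && !ack) || (!recorded && ack))
				{
					/*
					 * Either an ACK answers this SYN, or this is a second
					 * record for a port that was already handled during
					 * this scan. Both release the slot.
					 */
					if (attacker->synFlood.numSyns > 0)
						attacker->synFlood.numSyns--;

					record->destPort = 0;

					if (ack)
					{
						pgpDebugFmtMsg((pgpaFmtPrefix,
							"ACK closed SYN from %d.%d.%d.%d on port %d. "
							"%d SYNs remaining",
							ipAddressByte[0], ipAddressByte[1],
							ipAddressByte[2], ipAddressByte[3], destPort,
							attacker->synFlood.numSyns));
					}
					else if (newRecord != NULL)
					{
						/* Fold the older record into the one stored earlier. */
						newRecord->firstHit = record->firstHit;
						record = newRecord;
					}
					else
					{
						/*
						 * `recorded` was set by an earlier matching record,
						 * not by claiming a free slot, so newRecord is still
						 * NULL. The original code dereferenced it here.
						 * The packet has already been counted on that
						 * earlier record; just drop this duplicate.
						 */
						countHit = FALSE;
					}
				}

				if (countHit)
				{
					record->numHits++;
					if (record->numHits > MAX_SYN_HITS)
					{
						if ((timeNow - record->firstHit) < MIN_HIT_TIME)
						{
							/* Too many SYNs too quickly: report and reset. */
							attacker->synFlood.numSyns = 0;
							for (index=0; index<MAX_SYN_TRACK; index++)
								attacker->synFlood.synRecord[index].destPort = 0;

							return TRUE;
						}

						/* Over the limit, but slowly: watch the hang time. */
						record->attacked = TRUE;
					}
					else
						record->hangStart = timeNow;

					pgpDebugFmtMsg((pgpaFmtPrefix,
						"Possible syn flood attack from %d.%d.%d.%d on "
						"port %d, %d hits",
						ipAddressByte[0], ipAddressByte[1], ipAddressByte[2],
						ipAddressByte[3], destPort, record->numHits));
				}

				recorded = TRUE;
			}
		}

		/* Packet handled and every in-use record visited: nothing left to do. */
		if (recorded && !count)
			break;
	}

	return FALSE;
}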
/*
 * Track recent pings per source IP address and report a ping flood.
 *
 * attack      attack-tracking context handed to the tracker helpers
 * timeNow     current time; records older than PING_LIFETIME are released
 * ipAddress   source IP address of the ping
 * packetSize  size stored in the record; a slot counts as free while its
 *             byte count is 0
 *
 * Returns TRUE when, after storing this ping and releasing aged-out ones,
 * the source has MAX_PINGS or more pings on record; all of its ping records
 * are cleared before returning. Returns FALSE otherwise, including when a
 * new tracking entry cannot be added.
 *
 * NOTE(review): a packetSize of 0 bumps numPings but leaves the slot
 * looking free, so that ping can never be aged out. Confirm that callers
 * never pass 0.
 */
PGPBoolean pgpPingFloodAttack(PGPnetAttackContextRef attack, PGPUInt32 timeNow,
	PGPUInt32 ipAddress, PGPUInt32 packetSize)
{
	PGPUInt32				slot;
	PGPPingFloodRecord *	entry;
	PGPUInt32				liveLeft;
	PGPBoolean				stored;
	PGPnetAttacker *		attacker;
	PGPByte *				octets;
	PGPError				status;

	/* Byte view of the address, used only by the debug message. */
	octets = (PGPByte *) &ipAddress;

	attacker = sFindTrackedAttacker(attack, ipAddress, timeNow);
	if (IsNull(attacker))
	{
		status = sAddTrackedAttacker(attack, ipAddress, timeNow, &attacker);
		if (IsPGPError(status))
			return FALSE;
	}

	/* In-use records still to be visited; lets the scan stop early. */
	liveLeft = attacker->pingFlood.numPings;
	stored = FALSE;

	slot = 0;
	while (slot < MAX_PINGS)
	{
		entry = &(attacker->pingFlood.pingRecord[slot]);

		if (entry->bytes)
		{
			/* In-use record: release it once it is older than the lifetime. */
			liveLeft--;
			if ((timeNow - entry->time) > PING_LIFETIME)
			{
				attacker->pingFlood.numPings--;
				entry->bytes = 0;
			}
		}
		else if (!stored)
		{
			/* First free slot: store the current ping here. */
			stored = TRUE;
			entry->time = timeNow;
			entry->bytes = packetSize;
			attacker->pingFlood.numPings++;

			pgpDebugFmtMsg((pgpaFmtPrefix,
				"Possible ping flood attack from %d.%d.%d.%d. "
				"%d pings",
				octets[0], octets[1], octets[2],
				octets[3], attacker->pingFlood.numPings));
		}

		if (stored && !liveLeft)
			break;

		slot++;
	}

	if (attacker->pingFlood.numPings < MAX_PINGS)
		return FALSE;

	/* Threshold reached: wipe the history so detection starts afresh. */
	attacker->pingFlood.numPings = 0;
	for (slot = 0; slot < MAX_PINGS; slot++)
		attacker->pingFlood.pingRecord[slot].bytes = 0;

	return TRUE;
}
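/*
 * Count packets that share an IP packet ID, per source IP address, and
 * report when one ID is seen more than MAX_JOLT2 times.
 *
 * attack     attack-tracking context handed to the tracker helpers
 * timeNow    current time; records older than JOLT2_LIFETIME are released
 * ipAddress  source IP address of the packet
 * packetID   IP identification field of the packet (presumably of a last
 *            fragment, going by the numLastFragments field name; confirm
 *            against the caller)
 *
 * Returns TRUE when the count for packetID exceeds MAX_JOLT2; the count is
 * clamped to MAX_JOLT2, so the next packet with the same ID reports again.
 * Returns FALSE otherwise, including when a new tracking entry cannot be
 * added.
 *
 * A slot is free while numLastFragments is 0. When no slot is free, the
 * record with the oldest timestamp is overwritten.
 *
 * Changes from the original, both keeping numIDs equal to the number of
 * in-use slots (the expiry path decrements it once per released slot):
 *  - A released slot keeps its old packetID. When a new packet matches such
 *    a slot it is brought back into use, and numIDs is now incremented for
 *    it; the original left the counter one short per revival.
 *  - Overwriting the oldest in-use record no longer increments numIDs,
 *    because the number of in-use slots does not change.
 *
 * NOTE(review): a record whose ID matches is refreshed without an age
 * check, so its count is only bounded by eviction or by expiry during a
 * scan for a different ID.
 */
PGPBoolean pgpJolt2Attack(PGPnetAttackContextRef attack, PGPUInt32 timeNow,
	PGPUInt32 ipAddress, PGPUInt16 packetID)
{
	PGPUInt32			index;
	PGPUInt32			oldestTime;
	PGPJolt2Record *	record;
	PGPJolt2Record *	emptyRecord;
	PGPBoolean			recorded;
	PGPBoolean			gotEmptyRecord;
	PGPnetAttacker *	attacker;
	PGPError			err;

	attacker = sFindTrackedAttacker(attack, ipAddress, timeNow);
	if (IsNull(attacker))
	{
		err = sAddTrackedAttacker(attack, ipAddress, timeNow, &attacker);
		if (IsPGPError(err))
			return FALSE;
	}

	recorded = FALSE;
	gotEmptyRecord = FALSE;		/* TRUE once emptyRecord is a free slot */
	emptyRecord = NULL;			/* free slot, else oldest in-use record */
	oldestTime = MAX_PGPUInt32;

	for (index=0; index<MAX_JOLT2; index++)
	{
		record = &(attacker->jolt2.jolt2Record[index]);

		if (record->packetID == packetID)
		{
			/* A released slot that still carries this ID comes back into use. */
			if (!record->numLastFragments)
				attacker->jolt2.numIDs++;

			recorded = TRUE;
			record->time = timeNow;
			record->numLastFragments++;

			if (record->numLastFragments > MAX_JOLT2)
			{
				/* Clamp so the counter cannot grow without bound. */
				record->numLastFragments = MAX_JOLT2;
				return TRUE;
			}

			break;
		}
		else if (!record->numLastFragments)
		{
			/* Free slot: remember the first one found. */
			if (!gotEmptyRecord)
			{
				emptyRecord = record;
				gotEmptyRecord = TRUE;
			}
		}
		else
		{
			if ((timeNow - record->time) > JOLT2_LIFETIME)
			{
				/* In-use record aged out: release it and offer it for reuse. */
				attacker->jolt2.numIDs--;
				record->numLastFragments = 0;

				if (!gotEmptyRecord)
				{
					emptyRecord = record;
					gotEmptyRecord = TRUE;
				}
			}

			/* No free slot so far: keep the oldest record as eviction candidate. */
			if (!gotEmptyRecord && (record->time < oldestTime))
			{
				oldestTime = record->time;
				emptyRecord = record;
			}
		}
	}

	if (emptyRecord && !recorded)
	{
		/* Only a free slot adds an ID; an eviction replaces one. */
		if (gotEmptyRecord)
			attacker->jolt2.numIDs++;

		emptyRecord->time = timeNow;
		emptyRecord->packetID = packetID;
		emptyRecord->numLastFragments = 1;
	}

	return FALSE;
}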
/*
 * Count suspected smurf packets per source IP address and report when the
 * count reaches the limit. What qualifies as a smurf packet is decided by
 * the caller.
 *
 * attack     attack-tracking context handed to the tracker helpers
 * timeNow    current time; the count is dropped once SMURF_LIFETIME has
 *            passed since the first counted packet
 * ipAddress  source IP address of the packet
 *
 * Returns TRUE when the count held before this packet was already
 * MAX_SMURFS or more; the count and window start are reset before
 * returning. Returns FALSE otherwise, including when a new tracking entry
 * cannot be added.
 *
 * The window is only evaluated when another packet arrives, and a window
 * start of 0 means "not started", so a timeNow of 0 never starts one.
 */
PGPBoolean pgpSmurfAttack(PGPnetAttackContextRef attack, PGPUInt32 timeNow,
	PGPUInt32 ipAddress)
{
	PGPnetAttacker *	source;
	PGPByte *			octets;
	PGPError			status;

	/* Byte view of the address, used only by the debug message. */
	octets = (PGPByte *) &ipAddress;

	source = sFindTrackedAttacker(attack, ipAddress, timeNow);
	if (IsNull(source))
	{
		status = sAddTrackedAttacker(attack, ipAddress, timeNow, &source);
		if (IsPGPError(status))
			return FALSE;
	}

	/* Compare the previous count against the limit, then count this packet. */
	if (source->smurf.numSmurfs++ >= MAX_SMURFS)
	{
		source->smurf.numSmurfs = 0;
		source->smurf.time = 0;
		return TRUE;
	}

	pgpDebugFmtMsg((pgpaFmtPrefix,
		"Possible smurf attack from %d.%d.%d.%d. %d attacks",
		octets[0], octets[1], octets[2], octets[3],
		source->smurf.numSmurfs));

	if (source->smurf.time == 0)
	{
		/* First counted packet: this starts the window. */
		source->smurf.time = timeNow;
		return FALSE;
	}

	if (timeNow - source->smurf.time > SMURF_LIFETIME)
	{
		/* Window elapsed below the limit: forget the count. */
		source->smurf.numSmurfs = 0;
		source->smurf.time = 0;
	}

	return FALSE;
}
/*
 * Count suspected fraggle packets per source IP address and report when the
 * count reaches the limit. What qualifies as a fraggle packet is decided by
 * the caller.
 *
 * attack     attack-tracking context handed to the tracker helpers
 * timeNow    current time; the count is dropped once FRAGGLE_LIFETIME has
 *            passed since the first counted packet
 * ipAddress  source IP address of the packet
 *
 * Returns TRUE when the count held before this packet was already
 * MAX_FRAGGLES or more; the count and window start are reset before
 * returning. Returns FALSE otherwise, including when a new tracking entry
 * cannot be added.
 *
 * The window is only evaluated when another packet arrives, and a window
 * start of 0 means "not started", so a timeNow of 0 never starts one.
 */
PGPBoolean pgpFraggleAttack(PGPnetAttackContextRef attack, PGPUInt32 timeNow,
	PGPUInt32 ipAddress)
{
	PGPnetAttacker *	source;
	PGPByte *			octets;
	PGPError			status;

	/* Byte view of the address, used only by the debug message. */
	octets = (PGPByte *) &ipAddress;

	source = sFindTrackedAttacker(attack, ipAddress, timeNow);
	if (IsNull(source))
	{
		status = sAddTrackedAttacker(attack, ipAddress, timeNow, &source);
		if (IsPGPError(status))
			return FALSE;
	}

	/* Compare the previous count against the limit, then count this packet. */
	if (source->fraggle.numFraggles++ >= MAX_FRAGGLES)
	{
		source->fraggle.numFraggles = 0;
		source->fraggle.time = 0;
		return TRUE;
	}

	pgpDebugFmtMsg((pgpaFmtPrefix,
		"Possible fraggle attack from %d.%d.%d.%d. %d attacks",
		octets[0], octets[1], octets[2], octets[3],
		source->fraggle.numFraggles));

	if (source->fraggle.time == 0)
	{
		/* First counted packet: this starts the window. */
		source->fraggle.time = timeNow;
		return FALSE;
	}

	if (timeNow - source->fraggle.time > FRAGGLE_LIFETIME)
	{
		/* Window elapsed below the limit: forget the count. */
		source->fraggle.numFraggles = 0;
		source->fraggle.time = 0;
	}

	return FALSE;
}
/*__Editor_settings____
Local Variables:
tab-width: 4
End:
vi: ts=4 sw=4
vim: si
_____________________*/