Unify legacy data path /etc/xdp-blocker → /etc/xdp-defense
All config/data paths now use /etc/xdp-defense/ consistently, eliminating the legacy xdp-blocker directory reference. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -1,7 +1,7 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
XDP Defense - Common Utilities
|
||||
Merged from xdp-blocker/xdp_common.py and xdp-ddos/xdp_ddos_common.py
|
||||
Merged from xdp-defense common utilities
|
||||
Provides: map management, CIDR handling, IP encoding, rate config, block/unblock, stats
|
||||
"""
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@ from pathlib import Path
|
||||
|
||||
from xdp_common import get_map_id, batch_map_operation, classify_cidrs
|
||||
|
||||
COUNTRY_DIR = Path("/etc/xdp-blocker/countries")
|
||||
COUNTRY_DIR = Path("/etc/xdp-defense/countries")
|
||||
IPDENY_V4_URL = "https://www.ipdeny.com/ipblocks/data/countries/{}.zone"
|
||||
IPDENY_V6_URL = "https://www.ipdeny.com/ipblocks/data/ipv6/ipv6-country-blocks/{}.zone"
|
||||
|
||||
|
||||
@@ -854,6 +854,8 @@ class DDoSDaemon:
|
||||
def _ai_thread(self):
|
||||
"""Read traffic features, run AI inference or collect training data."""
|
||||
prev_features = None
|
||||
ai_prev_counters = {}
|
||||
ai_prev_counter_time = 0
|
||||
self._last_retrain_time = self._get_model_mtime()
|
||||
self._last_log_cleanup = time.time()
|
||||
|
||||
@@ -931,15 +933,41 @@ class DDoSDaemon:
|
||||
"AI ANOMALY detected: score=%.4f deltas=%s",
|
||||
score, dict(zip(feature_names, deltas[:len(feature_names)]))
|
||||
)
|
||||
top_ips = dump_rate_counters('rate_counter_v4', top_n=5)
|
||||
top_ips = dump_rate_counters('rate_counter_v4', top_n=10)
|
||||
now_ts = time.time()
|
||||
ai_elapsed = now_ts - ai_prev_counter_time if ai_prev_counter_time > 0 else interval
|
||||
ai_prev_counter_time = now_ts
|
||||
|
||||
for ip_str, pkts, bts, _ in top_ips:
|
||||
# Skip whitelisted IPs
|
||||
prev_pkts = ai_prev_counters.get(ip_str)
|
||||
ai_prev_counters[ip_str] = pkts
|
||||
|
||||
if is_whitelisted(ip_str):
|
||||
log.debug("AI escalation skipped (whitelisted): %s", ip_str)
|
||||
continue
|
||||
|
||||
stats = self.ewma_analyzer.get_stats(ip_str)
|
||||
baseline = max(stats['baseline'], 1)
|
||||
ewma = stats['ewma']
|
||||
|
||||
if stats['baseline'] > 0:
|
||||
if ewma <= baseline * 2.0:
|
||||
log.debug("AI skip (normal EWMA): %s ewma=%.1f baseline=%.1f", ip_str, ewma, baseline)
|
||||
continue
|
||||
else:
|
||||
pps_limit = self.cfg['rate_limit'].get('pps', 2000)
|
||||
if prev_pkts is not None:
|
||||
delta = pkts - prev_pkts if pkts >= prev_pkts else pkts
|
||||
est_pps = delta / max(ai_elapsed, 1)
|
||||
if est_pps <= pps_limit:
|
||||
log.debug("AI skip (new IP, low pps): %s est_pps=%.1f", ip_str, est_pps)
|
||||
continue
|
||||
else:
|
||||
log.debug("AI skip (new IP, first seen): %s", ip_str)
|
||||
continue
|
||||
|
||||
level = self.violation_tracker.record_violation(ip_str)
|
||||
log.warning("AI escalation: %s -> %s", ip_str, level)
|
||||
log.warning("AI escalation: %s ewma=%.1f baseline=%.1f -> %s", ip_str, ewma, baseline, level)
|
||||
|
||||
if level == 'temp_block':
|
||||
dur = self.cfg['escalation'].get('temp_block_duration', 300)
|
||||
|
||||
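Review bot: `ai_prev_counters` (initialised in the earlier hunk at the top of `_ai_thread`) is only ever written at `ai_prev_counters[ip_str] = pkts`, so every address that enters the top-10 dump stays in the dict for the daemon's lifetime; with spoofed or rotating source addresses that appears to be unbounded growth inside a long-running defence process. Keeping only the current round is enough for the `prev_pkts` comparison: drop the in-loop assignment and rebuild after the loop with `ai_prev_counters = {ip: pkts for ip, pkts, _, _ in top_ips}`, accepting that an IP which leaves the top-10 and returns is treated as first-seen again (the existing first-seen `continue` path already handles a missing entry), or age entries by timestamp if that one-interval memory is too short. The `2.0` multiplier on `if ewma <= baseline * 2.0:` is hard-coded while the sibling `pps_limit` is read from `self.cfg['rate_limit']`; reading it from config the same way would keep the two escalation thresholds tunable together. The commit title describes only the path rename, yet this hunk changes when AI anomalies escalate (top_n 5 → 10 plus the new EWMA/pps gating), which deserves a sentence in the message for anyone auditing the daemon's blocking behaviour. `_ai_thread` begins in the earlier hunk and its body continues past the end of this one.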
@@ -11,7 +11,7 @@ from pathlib import Path
|
||||
|
||||
from xdp_common import get_map_id, batch_map_operation, classify_cidrs
|
||||
|
||||
WHITELIST_DIR = Path("/etc/xdp-blocker/whitelist")
|
||||
WHITELIST_DIR = Path("/etc/xdp-defense/whitelist")
|
||||
|
||||
# Preset URLs for trusted services
|
||||
PRESETS = {
|
||||
|
||||