feat(attackers): XFF mismatch detection — attacker IP leak bounties
Attackers routinely front their scanners with VPNs/proxies, so the
TCP source we log is the proxy egress, not the real host. But a
surprising number of attacker setups are misconfigured: the proxy
forwards the real IP in an X-Forwarded-For (or Forwarded / X-Real-IP
/ CDN-variant) header. From our side that's a free attribution leak.
New _detect_ip_leak extractor in decnet/web/ingester.py fires at
ingest time per HTTP request. Logic:
1. Require service=http, source_ip present, headers present.
2. If source_ip ∈ DECNET_TRUSTED_PROXIES (comma-separated IPs or
CIDRs) → legitimate reverse-proxy forwarding, skip.
3. Walk proxy-family headers in priority order: Forwarded (RFC 7239)
→ X-Forwarded-For → X-Real-IP → True-Client-IP → CF-Connecting-IP.
4. Extract the left-most parseable IP from the winning header.
5. If that IP differs from the TCP source → emit a bounty with
bounty_type="ip_leak" carrying {source_ip, real_ip_claim,
source_header, headers_seen, path, method}.
Storage is the existing Bounty table — no schema change; de-dup is
handled by Bounty's (attacker_ip, bounty_type, payload_hash) key, so
repeat requests with the same leaked IP don't spam.
AttackerDetail renders a warn-accent "LEAKED IPs:" row under ORIGIN
listing distinct real_ip_claim values; hover tooltip shows the source
header + path of the most recent leak. Only shown when at least one
ip_leak bounty exists.
RFC 7239 Forwarded parser handles the full vocabulary — bare IPv4,
IPv4:port, quoted, IPv6 in brackets, IPv6 with port — returning only
IPs that actually parse.
Closes DEVELOPMENT.md "Network Topology Leakage → X-Forwarded-For
mismatches". Phase 3 of the three-phase Attacker Intelligence series
(phases 1: scanned-vs-interacted, 2: PTR records already shipped).
DECNET_TRUSTED_PROXIES env shape matches THREAT_MODEL DA-08's
"revisit when verified-proxy config lands" note — same token set
future rate-limit work will consume.
This commit is contained in:
@@ -68,6 +68,20 @@ interface AttackerData {
|
||||
interacted: string[];
|
||||
scanned: string[];
|
||||
};
|
||||
ip_leaks?: Array<{
|
||||
timestamp: string;
|
||||
decky?: string;
|
||||
service?: string;
|
||||
bounty_type: string;
|
||||
payload: {
|
||||
source_ip?: string;
|
||||
real_ip_claim?: string;
|
||||
source_header?: string;
|
||||
headers_seen?: Record<string, string>;
|
||||
path?: string;
|
||||
method?: string;
|
||||
};
|
||||
}>;
|
||||
}
|
||||
|
||||
// ─── Fingerprint rendering ───────────────────────────────────────────────────
|
||||
@@ -1027,6 +1041,42 @@ const AttackerDetail: React.FC = () => {
|
||||
<span className="dim">—</span>
|
||||
)}
|
||||
</div>
|
||||
{attacker.ip_leaks && attacker.ip_leaks.length > 0 && (
|
||||
<div>
|
||||
<span className="dim" style={{ color: 'var(--warn, #e0a040)' }}>
|
||||
LEAKED IPs:{' '}
|
||||
</span>
|
||||
{Array.from(
|
||||
new Set(
|
||||
(attacker.ip_leaks || [])
|
||||
.map((l) => l.payload?.real_ip_claim)
|
||||
.filter((v): v is string => !!v),
|
||||
),
|
||||
).map((ip, i, arr) => {
|
||||
const latest = (attacker.ip_leaks || []).find(
|
||||
(l) => l.payload?.real_ip_claim === ip,
|
||||
);
|
||||
const tooltip = latest
|
||||
? `${latest.payload.source_header ?? '?'} on ${
|
||||
latest.payload.method ?? '?'
|
||||
} ${latest.payload.path ?? '/'}`
|
||||
: '';
|
||||
return (
|
||||
<span
|
||||
key={ip}
|
||||
style={{
|
||||
color: 'var(--warn, #e0a040)',
|
||||
fontFamily: 'monospace',
|
||||
}}
|
||||
title={tooltip}
|
||||
>
|
||||
{ip}
|
||||
{i < arr.length - 1 ? ', ' : ''}
|
||||
</span>
|
||||
);
|
||||
})}
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
</Section>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user