anti
2a0c5ca410
Attackers routinely front their scanners with VPNs/proxies, so the
TCP source we log is the proxy egress, not the real host. But a
surprising number of attacker setups are misconfigured: the proxy
forwards the real IP in an X-Forwarded-For (or Forwarded / X-Real-IP
/ CDN-variant) header. From our side that's a free attribution leak.
New _detect_ip_leak extractor in decnet/web/ingester.py fires at
ingest time per HTTP request. Logic:
1. Require service=http, source_ip present, headers present.
2. If source_ip ∈ DECNET_TRUSTED_PROXIES (comma-separated IPs or
CIDRs) → legitimate reverse-proxy forwarding, skip.
3. Walk proxy-family headers in priority order: Forwarded (RFC 7239)
→ X-Forwarded-For → X-Real-IP → True-Client-IP → CF-Connecting-IP.
4. Extract the left-most parseable IP from the winning header.
5. If that IP differs from the TCP source → emit a bounty with
bounty_type="ip_leak" carrying {source_ip, real_ip_claim,
source_header, headers_seen, path, method}.
Storage is the existing Bounty table — no schema change; de-dup is
handled by Bounty's (attacker_ip, bounty_type, payload_hash) key, so
repeat requests with the same leaked IP don't spam.
AttackerDetail renders a warn-accent "LEAKED IPs:" row under ORIGIN
listing distinct real_ip_claim values; hover tooltip shows the source
header + path of the most recent leak. Only shown when at least one
ip_leak bounty exists.
RFC 7239 Forwarded parser handles the full vocabulary — bare IPv4,
IPv4:port, quoted, IPv6 in brackets, IPv6 with port — returning only
IPs that actually parse.
Closes DEVELOPMENT.md "Network Topology Leakage → X-Forwarded-For
mismatches". Phase 3 of the three-phase Attacker Intelligence series
(phases 1: scanned-vs-interacted, 2: PTR records already shipped).
DECNET_TRUSTED_PROXIES env shape matches THREAT_MODEL DA-08's
"revisit when verified-proxy config lands" note — same token set
future rate-limit work will consume.
42 lines
1.6 KiB
Python
42 lines
1.6 KiB
Python
from typing import Any
|
||
|
||
from fastapi import APIRouter, Depends, HTTPException
|
||
|
||
from decnet.correlation.event_kinds import bucket_services
|
||
from decnet.telemetry import traced as _traced
|
||
from decnet.web.dependencies import require_viewer, repo
|
||
|
||
router = APIRouter()
|
||
|
||
|
||
@router.get(
|
||
"/attackers/{uuid}",
|
||
tags=["Attacker Profiles"],
|
||
responses={
|
||
401: {"description": "Could not validate credentials"},
|
||
403: {"description": "Insufficient permissions"},
|
||
404: {"description": "Attacker not found"},
|
||
},
|
||
)
|
||
@_traced("api.get_attacker_detail")
|
||
async def get_attacker_detail(
|
||
uuid: str,
|
||
user: dict = Depends(require_viewer),
|
||
) -> dict[str, Any]:
|
||
"""Retrieve a single attacker profile by UUID (with behavior block)."""
|
||
attacker = await repo.get_attacker_by_uuid(uuid)
|
||
if not attacker:
|
||
raise HTTPException(status_code=404, detail="Attacker not found")
|
||
attacker["behavior"] = await repo.get_attacker_behavior(uuid)
|
||
# Scanned vs. interacted-with — computed per-request from the log
|
||
# stream, not persisted. Cheap (DISTINCT bounded by service ×
|
||
# event_type cardinality), and changes to the classifier take effect
|
||
# immediately without a profiler re-tick.
|
||
pairs = await repo.get_attacker_service_activity(uuid)
|
||
attacker["service_activity"] = bucket_services(pairs)
|
||
# Attribution leaks — XFF / Forwarded / X-Real-IP mismatches captured
|
||
# by the HTTP bounty extractor. Empty list when no HTTP interaction
|
||
# or no mismatch.
|
||
attacker["ip_leaks"] = await repo.get_attacker_ip_leaks(uuid)
|
||
return attacker
|