`for i in $(seq 1 100); do curl -H "X-Forwarded-For: 191.100.20.$i" ...`
was dumping 100 distinct IPs into AttackerDetail's LEAKED IPs row,
drowning the rest of the ORIGIN section. The 100-IP wall is itself a
signal (WAF-bypass-list probing) that deserves a short badge, not a
flood.
Backend:
- get_attacker_ip_leaks gains `limit: int = 10` parameter — caller
only ever needs a sample, not the full set.
- New count_attacker_ip_leaks() returns the unbounded COUNT(*) via
one cheap SQL aggregate.
- Detail endpoint returns {ip_leaks: [first 10], ip_leaks_total: N}
so the UI can render a rotation badge independent of list length.
UI:
- New LeakedIPsRow component. First 5 distinct IPs rendered inline
with hover tooltips (unchanged). When > 5, a `+ N more` expand
button reveals the rest of the sample; when total exceeds the
10-row cap, a subtle `(+M beyond sample)` note appears.
- When total ≥ 20, a red `ROTATION · N` tag renders leading the
row with a tooltip explaining the semantics: "almost certainly
XFF-rotation / WAF-bypass probing, not a real attribution leak."
DB churn is deliberately not capped — 100k rows × ~500 B is tolerable.
If it becomes a problem we can add an ingester-side count-and-skip;
for now the UX fix is the whole story.
Added test_ip_leaks_total_reported_separately_from_list asserting
the endpoint shape matches what the UI consumes.
45 lines
1.8 KiB
Python
```python
from typing import Any

from fastapi import APIRouter, Depends, HTTPException

from decnet.correlation.event_kinds import bucket_services
from decnet.telemetry import traced as _traced
from decnet.web.dependencies import require_viewer, repo

router = APIRouter()


@router.get(
    "/attackers/{uuid}",
    tags=["Attacker Profiles"],
    responses={
        401: {"description": "Could not validate credentials"},
        403: {"description": "Insufficient permissions"},
        404: {"description": "Attacker not found"},
    },
)
@_traced("api.get_attacker_detail")
async def get_attacker_detail(
    uuid: str,
    user: dict = Depends(require_viewer),
) -> dict[str, Any]:
    """Retrieve a single attacker profile by UUID (with behavior block)."""
    attacker = await repo.get_attacker_by_uuid(uuid)
    if not attacker:
        raise HTTPException(status_code=404, detail="Attacker not found")
    attacker["behavior"] = await repo.get_attacker_behavior(uuid)
    # Scanned vs. interacted-with — computed per-request from the log
    # stream, not persisted. Cheap (DISTINCT bounded by service ×
    # event_type cardinality), and changes to the classifier take effect
    # immediately without a profiler re-tick.
    pairs = await repo.get_attacker_service_activity(uuid)
    attacker["service_activity"] = bucket_services(pairs)
    # Attribution leaks — XFF / Forwarded / X-Real-IP mismatches captured
    # by the HTTP bounty extractor. Cap the returned list at 10 so a
    # rotation attack (100s of forged XFF values) doesn't flood the UI;
    # `ip_leaks_total` carries the unbounded count so the UI can render
    # a ROTATION DETECTED badge when the count crosses a threshold.
    attacker["ip_leaks"] = await repo.get_attacker_ip_leaks(uuid, limit=10)
    attacker["ip_leaks_total"] = await repo.count_attacker_ip_leaks(uuid)
    return attacker
```
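The sample-plus-count shape this commit settles on is easiest to see end to end with both halves in one place: the two repo calls the endpoint makes (a `LIMIT`-bounded sample and a separate `COUNT(*)` aggregate) and the `LeakedIPsRow` decisions the commit message lists (5 inline, `+ N more`, `(+M beyond sample)`, `ROTATION · N` at 20). The block below is an added example, not decnet's repo layer or its React component; it uses an in-memory sqlite3 table whose name and columns are assumptions, a constructed fixture that mirrors the 100-value `X-Forwarded-For` loop from the commit message, and hypothetical helper names (`make_repo`, `ip_leak_fields`, `leaked_ips_row_state`). The signatures of `get_attacker_ip_leaks(uuid, limit)` and `count_attacker_ip_leaks(uuid)` follow the commit message; the real ones are async and take no connection argument.

```python
"""Added example, not part of the decnet code base or of the file above.
Stands in for the two repo calls the detail endpoint makes and derives
the LeakedIPsRow state from the {ip_leaks, ip_leaks_total} payload alone.
Table name, columns and fixture rows are assumptions."""
from __future__ import annotations

import sqlite3
from typing import Any

SAMPLE_LIMIT = 10          # endpoint cap on the returned list
INLINE_LIMIT = 5           # IPs shown inline before the "+ N more" expander
ROTATION_THRESHOLD = 20    # red ROTATION tag once the total reaches this


def make_repo() -> sqlite3.Connection:
    """Constructed fixture (assumed schema): one attacker with the 100-value
    XFF rotation from the commit message's curl loop, one with a single
    genuine X-Real-IP leak. The index is what keeps COUNT(*) cheap once
    the uncapped churn the commit accepts reaches 100k rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ip_leaks (attacker_uuid TEXT, header TEXT, leaked_ip TEXT)"
    )
    conn.execute("CREATE INDEX ip_leaks_by_attacker ON ip_leaks (attacker_uuid)")
    rows = [("att-rot", "X-Forwarded-For", f"191.100.20.{i}") for i in range(1, 101)]
    rows.append(("att-one", "X-Real-IP", "203.0.113.7"))
    conn.executemany("INSERT INTO ip_leaks VALUES (?, ?, ?)", rows)
    return conn


def get_attacker_ip_leaks(
    conn: sqlite3.Connection, uuid: str, limit: int = SAMPLE_LIMIT
) -> list[dict[str, str]]:
    """Bounded sample: LIMIT stops the scan, so a 100k-row rotation costs
    the caller the same as a 10-row one."""
    cur = conn.execute(
        "SELECT header, leaked_ip FROM ip_leaks WHERE attacker_uuid = ? "
        "ORDER BY rowid LIMIT ?",
        (uuid, limit),
    )
    return [{"header": header, "ip": ip} for header, ip in cur]


def count_attacker_ip_leaks(conn: sqlite3.Connection, uuid: str) -> int:
    """Unbounded total via one aggregate; no leak rows leave the database.
    Counts rows, as the commit's COUNT(*) does, not distinct IPs."""
    (total,) = conn.execute(
        "SELECT COUNT(*) FROM ip_leaks WHERE attacker_uuid = ?", (uuid,)
    ).fetchone()
    return total


def ip_leak_fields(conn: sqlite3.Connection, uuid: str) -> dict[str, Any]:
    """The two fields the detail endpoint merges into the attacker dict."""
    return {
        "ip_leaks": get_attacker_ip_leaks(conn, uuid, limit=SAMPLE_LIMIT),
        "ip_leaks_total": count_attacker_ip_leaks(conn, uuid),
    }


def leaked_ips_row_state(payload: dict[str, Any]) -> dict[str, Any]:
    """What LeakedIPsRow renders. The badge and the beyond-sample note are
    driven by ip_leaks_total, so they do not depend on the sample length."""
    leaks: list[dict[str, str]] = payload["ip_leaks"]
    total: int = payload["ip_leaks_total"]
    hidden_in_sample = max(0, len(leaks) - INLINE_LIMIT)   # behind "+ N more"
    beyond_sample = max(0, total - len(leaks))             # past the 10-row cap
    return {
        "inline": [leak["ip"] for leak in leaks[:INLINE_LIMIT]],
        "expand_label": f"+ {hidden_in_sample} more" if hidden_in_sample else None,
        "beyond_note": f"(+{beyond_sample} beyond sample)" if beyond_sample else None,
        "rotation_tag": f"ROTATION · {total}" if total >= ROTATION_THRESHOLD else None,
    }


if __name__ == "__main__":
    repo = make_repo()
    for uuid in ("att-rot", "att-one", "att-none"):
        print(uuid, leaked_ips_row_state(ip_leak_fields(repo, uuid)))
```

Two things worth checking against a real deployment: `COUNT(*)` over an uncapped churn table is only "one cheap aggregate" if `attacker_uuid` is indexed, and because it counts rows rather than distinct addresses, a single forged value replayed many times would also cross the 20 threshold and draw the `ROTATION` tag; if that matters, count `DISTINCT leaked_ip` instead and accept the slightly higher cost.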