# Ban after several alerts

This case is an example of how to block clients triggering a defined number of security alerts in a given amount of time.

# Configuration

Using this yaml sample file, if an user triggered more than 30 security alerts in a duration of 30s, he will be ban for 1 hour based on his IP address.

# Configuration example

---
apiVersion: core/v1beta
kind: App
metadata:
  name: myweb
spec:
  name: myweb.com
  log_level: debug
  workflow: main
  workflow_params:
    icxPolicy: default
    exceptionsPolicy: default
  backend: mybackend.com
---
apiVersion: core/v1beta
kind: Workflow
metadata:
  name: main
spec:
  entrypoint: main
  source: |-
    package main

    func main(icxPolicy ICXConfiguration, exceptionsPolicy SecurityExceptionConfiguration){
      SubWorkflow_BlockBannedClients(Args{
      	"client":"${http.request.ip-src}",
      	"blockBannedClients":true,
      	"banDatastore":"defaultdatastore",
      })
      ActionICXSecurityEngine(Args{"configuration":params.icxPolicy})
      ActionSecurityExceptionManagement(Args{"configuration":params.exceptionsPolicy})
      if security.exception.blocked == true{
        SubWorkflow_BanAfterEngines(Args{
        	"client":"${http.request.ip-src}",
        	"timescale":"30",
        	"nbOfEvents":"30",
        	"banDuration":"3600",
        	"banDatastore":"defaultdatastore",
        })
        ActionLogAlert()
        ActionGenerateResponse(Args{
        	"status": "403",
        	"content-default": "true",
        })
      }
    }

    func BlockBannedClients(client string, blockBannedClients bool, banDatastore Datastore) (clientBan string){
      clientBan = "false"
      ActionDataStoreGet(Args{
        "uid":params.banDatastore,
        "key":params.client,
        "name":"banExpirationTime",
        "default":"Unknown",
      })
      if banExpirationTime != "Unknown"{
        isStillBanned := `${compare(int(time()),"<",int(${banExpirationTime}))}`
        if isStillBanned == "true"{
          clientBan = "true"
          ActionLogAlert(Args{"engineUid":"Custom", "customMessage":"The client identified by ${params.client} is banned."})
          if params.blockBannedClients == true{
            ActionGenerateResponse(Args{"status":"403", "content-default":"true"})
          }
        } else {
          ActionDataStoreUnset(Args{
            "uid":params.banDatastore,
            "key":params.client,
          })
        }
      }
    }

    func BanAfterEngines(client string, timescale string, nbOfEvents string, banDuration string, banDatastore Datastore) (clientBan string){
      clientBan = "false"
      ActionRequestLimiter(Args{
      	"dstore_uid":params.banDatastore,
      	"time":params.timescale,
      	"counter":params.nbOfEvents,
      	"use_key_list":"true",
      	"key_limitation_list":"all",
      })
      requestLimiterResult = "${http.request-limiter.blocked}"
      if requestLimiterResult == "true"{
          banExpirationTime := "${calc(int(time()),'+',calc(${params.banDuration},'*','1000000'))}"
          clientBan = "true"
          ActionDataStoreSet(Args{
          	"uid":params.banDatastore,
          	"key":params.client,
          	"value":"${banExpirationTime}",
          	})
          ActionLogAlert(Args{"engineUid":"Custom", "customMessage":"The client identified by ${params.client} has been banned."})
      }
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

This configuration example uses two functions BanAfterEngines and BlockBannedClients to call in the main Workflow to ban clients after multiple alerts from security engine and to check if a client is banned at the beginning of the Workflow.

# Functions used

# BanAfterEngines

func BanAfterEngines(client string, timescale string, nbOfEvents string, banDuration string, banDatastore Datastore) (clientBan string)
1

This function is used after the security engines in the main Workflow and uses the result of these security engines to check of the user triggered an alert. Combined with the Request Limiter to verify if the number of potentially dangerous requests in a given amount of time is superior to the threshold used in parameters. If so, it adds this user's IP to a DataStore to keep track of its ban.

# BlockBannedClients

func BlockBannedClients(client string, blockBannedClients bool, banDatastore Datastore) (clientBan string)
1

This function is used at the beginning of the main Workflow to block banned clients. It simply uses the DataStore where information about banned clients are located. Based on the source IP address of the client, it retrieves the time when the user should be unbanned and compares it to the current time. If the user should be unbanned, we removes information about him from the DataStore and allow him to continue on the application.

# Settings

# Main Workflow parameters

In this use case, there are two settings in the workflow_params field:

  • The parameter icxPolicy represents the ICXConfiguration that is used in the ICX engine.
  • The parameter exceptionsPolicy represents the SecurityExceptionConfiguration that is used by the Security Exception Management.

# BanAfterEngines parameters

In this function several parameters can be used:

  • The parameter client is used to identify the client. By default, we use the attribute ${http.request.ip-src}.
  • The parameter timescale represents the time during which the number of alerts raised will be counted.
  • The parameter nbOfEvents represents the number of alert to raise in the time given by timescale to triger the ban.
  • The parameter banDuration is simply the duration of the ban, in seconds.
  • The parameter banDatastore is the DataStore used to store information on banned clients. By default we use the defaultdatastore.

# BlockBannedClients parameters

In this function several parameters can be used:

  • The parameter client is used to identify the client. By default, we use the attribute ${http.request.ip-src}. It should be same as the one used in the function BanAfterEngines.
  • The parameter blockBannedClients is a boolean representing if we should block the client
  • The parameter banDatastore is the DataStore used to store information on banned clients. By default we use the defaultdatastore. It should be same as the one used in the function BanAfterEngines.
Last Updated: 12/23/2021, 4:39:01 PM