Improvement/crowdsec: Banning multiple IPs after overflowing a bucket
Is your feature request related to a problem? Please describe.
We want to use CrowdSec to also detect crawlers that use more than one IP address to get information from our website. Since such crawlers are becoming more and more intelligent, they often use multiple machines from the same provider and send requests from multiple IPs. So our idea is to define a bucket that is grouped not by IP address but by the ASN of the provider. After the first overflow of the bucket, all IPs from the same provider should get a decision with a captcha.
As I learned from the code, this is currently not possible because the bucket will be destroyed after the first overflow and the first decision.
Describe the solution you'd like
One idea for fixing this would be to make it configurable how the bucket should behave after the first overflow.
Example of what you imagine
My expectation is that all IPs which match the filter and are from the same ASN (or country) would get a decision after the first overflow. So in our case, they should get a CAPTCHA. When the CAPTCHA is passed, we would delete the decision by using the API.
Additional context
I created a PR with my idea of what has to be changed in the code to make it possible without breaking any existing behavior: https://github.com/crowdsecurity/crowdsec/pull/1551
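A simplified model of the two behaviours discussed in this issue, as an added example that is not CrowdSec code and not part of the original post. The `Bucket` class, the `run` function, the thresholds and the sample events are all constructed for illustration; the "destroy" mode follows the issue author's description of the current behaviour.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    capacity: int         # events tolerated before the bucket overflows
    leak_interval: float  # seconds needed for one event to leak out
    last_ts: float
    level: float = 0.0
    overflowed: bool = False

    def pour(self, ts: float) -> bool:
        """Leak what drained since the last event, add this one, report overflow."""
        drained = (ts - self.last_ts) / self.leak_interval
        self.level = max(0.0, self.level - drained) + 1
        self.last_ts = ts
        return self.level > self.capacity

def run(events, capacity, leak_interval, keep_after_overflow):
    """events: (ts, ip, asn) tuples in time order, grouped by ASN instead of IP.
    Returns the IPs that received a captcha decision, in order of first decision."""
    buckets, decided = {}, []
    for ts, ip, asn in events:
        b = buckets.setdefault(asn, Bucket(capacity, leak_interval, last_ts=ts))
        if b.overflowed:
            # Requested behaviour: the bucket survives its overflow, so every
            # further IP seen from this ASN gets a decision as well.
            if ip not in decided:
                decided.append(ip)
        elif b.pour(ts):
            if ip not in decided:
                decided.append(ip)
            if keep_after_overflow:
                b.overflowed = True
            else:
                del buckets[asn]  # behaviour described in the issue: bucket is gone

    return decided

# Constructed sample: one crawler rotating over four IPs of ASN 64500 (one
# request per second), plus a single unrelated request from ASN 64501.
EVENTS = sorted(
    [(float(t), f"192.0.2.{t % 4 + 1}", 64500) for t in range(8)]
    + [(2.5, "198.51.100.7", 64501)]
)

if __name__ == "__main__":
    print("destroyed on overflow:", run(EVENTS, 3, 10.0, keep_after_overflow=False))
    print("kept after overflow:  ", run(EVENTS, 3, 10.0, keep_after_overflow=True))
```

In this model only the IP that happens to send the overflowing request is challenged when the bucket is destroyed, while the other rotating addresses keep refilling a fresh bucket unchallenged.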
I just wanted to ask if there's any chance to get feedback from any of the project members about this issue. As I wrote in my initial ticket, I also created a PR with a proposal for how to implement the change. After testing my PR, it turned out that unfortunately CrowdSec is not behaving like it should, even though the bucket won't be destroyed anymore, as expected. It would be great to get any feedback. Thanks!
Sorry, I didn't have time to take a more serious look at it yet. I didn't give up, but it requires more time than I initially thought. However, as the feature seems relevant, we didn't plan to give up either!
Thanks for your patience
On Tue, 20 Sept 2022, 20:10, Jan Baer @.***> wrote:
I just wanted to ask if there's any chance to get feedback from any of the project members about this issue. As I wrote in my initial ticket, I also created a PR with a proposal for how to implement the change. After testing my PR, it turned out that unfortunately CrowdSec is not behaving like it should, even though the bucket won't be destroyed anymore, as expected. It would be great to get any feedback. Thanks!