Google Git
Sign in
android / platform / external / zxing / 5c705313b / . / zxingorg / src / com / google / zxing / web / DoSFilter.java
blob: ec287aefafcbd8968b350aef959acb1331ccb72a [file] [log] [blame]
/*
* Copyright 2008 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.google.zxing.web;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
/**
* A {@link Filter} that rejects requests from hosts that are sending too many
* requests in too short a time.
*
* @author Sean Owen (srowen@google.com)
*/
public final class DoSFilter implements Filter {
private static final int MAX_ACCESSES_PER_IP_PER_TIME = 10;
private static final long MAX_ACCESS_INTERVAL_MSEC = 10L * 1000L;
private static final long UNBAN_INTERVAL_MSEC = 60L * 60L * 1000L;
private final IPTrie numRecentAccesses;
private final Timer timer;
private final Set<String> bannedIPAddresses;
private final Collection<String> manuallyBannedIPAddresses;
private ServletContext context;
public DoSFilter() {
numRecentAccesses = new IPTrie();
timer = new Timer("DosFilter reset timer");
bannedIPAddresses = Collections.synchronizedSet(new HashSet<String>());
manuallyBannedIPAddresses = new HashSet<String>();
}
public void init(FilterConfig filterConfig) {
context = filterConfig.getServletContext();
String bannedIPs = filterConfig.getInitParameter("bannedIPs");
if (bannedIPs != null) {
for (String ip : bannedIPs.split(",")) {
manuallyBannedIPAddresses.add(ip.trim());
}
}
timer.scheduleAtFixedRate(new ResetTask(), 0L, MAX_ACCESS_INTERVAL_MSEC);
timer.scheduleAtFixedRate(new UnbanTask(), 0L, UNBAN_INTERVAL_MSEC);
}
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain) throws IOException, ServletException {
if (isBanned(request)) {
HttpServletResponse servletResponse = (HttpServletResponse) response;
servletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
} else {
chain.doFilter(request, response);
}
}
private boolean isBanned(ServletRequest request) {
String remoteIPAddressString = request.getRemoteAddr();
if (bannedIPAddresses.contains(remoteIPAddressString) ||
manuallyBannedIPAddresses.contains(remoteIPAddressString)) {
return true;
}
InetAddress remoteIPAddress;
try {
remoteIPAddress = InetAddress.getByName(remoteIPAddressString);
} catch (UnknownHostException uhe) {
context.log("Can't determine host from: " + remoteIPAddressString + "; assuming banned");
return true;
}
if (numRecentAccesses.incrementAndGet(remoteIPAddress) > MAX_ACCESSES_PER_IP_PER_TIME) {
context.log("Possible DoS attack from " + remoteIPAddressString);
bannedIPAddresses.add(remoteIPAddressString);
return true;
}
return false;
}
public void destroy() {
timer.cancel();
numRecentAccesses.clear();
bannedIPAddresses.clear();
}
private final class ResetTask extends TimerTask {
@Override
public void run() {
numRecentAccesses.clear();
}
}
private final class UnbanTask extends TimerTask {
@Override
public void run() {
bannedIPAddresses.clear();
}
}
}