Queue ip addresses for block whenever they exceed the rate limit too much

2025-07-01 08:02:49 -05:00 · 2016-11-30 21:51:43 -05:00
parent 2d045859e7
commit b87c9c1a5a
7 changed files with 93 additions and 10 deletions
--- a/src/Api/Middleware/CustomIpRateLimitMiddleware.cs
+++ b/src/Api/Middleware/CustomIpRateLimitMiddleware.cs
@ -1,6 +1,8 @@
 using AspNetCoreRateLimit;
 using Bit.Api.Models.Response;
+using Bit.Core.Services;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
@ -11,17 +13,25 @@ namespace Bit.Api.Middleware
    public class CustomIpRateLimitMiddleware : IpRateLimitMiddleware
    {
        private readonly IpRateLimitOptions _options;
+        private readonly IMemoryCache _memoryCache;
+        private readonly IBlockIpService _blockIpService;
+        private readonly ILogger<IpRateLimitMiddleware> _logger;

        public CustomIpRateLimitMiddleware(
+            IMemoryCache memoryCache,
+            IBlockIpService blockIpService,
            RequestDelegate next,
            IOptions<IpRateLimitOptions> options,
            IRateLimitCounterStore counterStore,
            IIpPolicyStore policyStore,
            ILogger<IpRateLimitMiddleware> logger,
-            IIpAddressParser ipParser = null
-            ) : base(next, options, counterStore, policyStore, logger, ipParser)
+            IIpAddressParser ipParser = null)
+            : base(next, options, counterStore, policyStore, logger, ipParser)
        {
+            _memoryCache = memoryCache;
+            _blockIpService = blockIpService;
            _options = options.Value;
+            _logger = logger;
        }

        public override Task ReturnQuotaExceededResponse(HttpContext httpContext, RateLimitRule rule, string retryAfter)
@ -35,5 +45,27 @@ namespace Bit.Api.Middleware
            var errorModel = new ErrorResponseModel { Message = message };
            return httpContext.Response.WriteAsync(JsonConvert.SerializeObject(errorModel));
        }
+
+        public override void LogBlockedRequest(HttpContext httpContext, ClientRequestIdentity identity,
+            RateLimitCounter counter, RateLimitRule rule)
+        {
+            base.LogBlockedRequest(httpContext, identity, counter, rule);
+            var key = $"blockedIp_{identity.ClientIp}";
+
+            int blockedCount;
+            _memoryCache.TryGetValue(key, out blockedCount);
+
+            blockedCount++;
+            if(blockedCount > 10)
+            {
+                _blockIpService.BlockIpAsync(identity.ClientIp, false);
+                _logger.LogDebug("Blocked " + identity.ClientIp);
+            }
+            else
+            {
+                _memoryCache.Set(key, blockedCount,
+                    new MemoryCacheEntryOptions().SetSlidingExpiration(new System.TimeSpan(0, 5, 0)));
+            }
+        }
    }
 }
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -138,6 +138,7 @@ namespace Bit.Api
            services.AddScoped<IUserService, UserService>();
            services.AddScoped<IPushService, PushService>();
            services.AddScoped<IDeviceService, DeviceService>();
+            services.AddScoped<IBlockIpService, AzureBlockIpService>();

            // Cors
            services.AddCors(config =>
--- a/src/Api/settings.json
+++ b/src/Api/settings.json
@ -23,6 +23,9 @@
      "gcmSenderId": "SECRET",
      "gcmApiKey": "SECRET",
      "gcmAppPackageName": "com.x8bit.bitwarden"
+    },
+    "storage": {
+      "connectionString": "SECRET"
    }
  },
  "IpRateLimitOptions": {