Added a minimal rogue client detection mechanism at the transport level (#2850)

mrsuciu · web-flow · commit 3543d0292556 · 2024-11-22T10:01:30.000+01:00
Clients that are failing too often to pass the security validationin a certain interval of time with the Basic128 security profile are now tracked and blocked.
diff --git a/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs b/Stack/Opc.Ua.Core/Stack/Tcp/TcpListenerChannel.cs
@@ -11,6 +11,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */
 
 using System;
+using System.Net;
 using System.Net.Sockets;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Logging;
@@ -267,6 +268,18 @@ protected void ForceChannelFault(ServiceResult reason)
 
                 if (close)
                 {
+                    // mark the RemoteAddress as potential problematic if Basic128Rsa15
+                    if ((SecurityPolicyUri == SecurityPolicies.Basic128Rsa15) &&
+                        (reason.StatusCode == StatusCodes.BadSecurityChecksFailed || reason.StatusCode == StatusCodes.BadTcpMessageTypeInvalid))
+                    {
+                        var tcpTransportListener = m_listener as TcpTransportListener;
+                        if (tcpTransportListener != null)
+                        {
+                            tcpTransportListener.MarkAsPotentialProblematic
+                                (((IPEndPoint)Socket.RemoteEndpoint).Address);
+                        }
+                    }
+
                     // close channel immediately.
                     ChannelFaulted();
                 }
diff --git a/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs b/Stack/Opc.Ua.Core/Stack/Tcp/TcpTransportListener.cs
@@ -13,6 +13,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Linq;
 using System.Net;
 using System.Net.Sockets;
@@ -37,6 +38,233 @@ public override ITransportListener Create()
         }
     }
 
+    /// <summary>
+    /// Represents a potential problematic ActiveClient
+    /// </summary>
+    public class ActiveClient
+    {
+        #region Properties
+        /// <summary>
+        /// Time of the last recorded problematic action
+        /// </summary>
+        public int LastActionTicks
+        {
+            get
+            {
+                return m_lastActionTicks;
+            }
+            set
+            {
+                m_lastActionTicks = value;
+            }
+        }
+
+        /// <summary>
+        /// Counter for number of recorded potential problematic actions
+        /// </summary>
+        public int ActiveActionCount
+        {
+            get
+            {
+                return m_actionCount;
+            }
+            set
+            {
+                m_actionCount = value;
+            }
+        }
+
+        /// <summary>
+        /// Ticks until the client is Blocked
+        /// </summary>
+        public int BlockedUntilTicks
+        {
+            get
+            {
+                return m_blockedUntilTicks;
+            }
+            set
+            {
+                m_blockedUntilTicks = value;
+            }
+        }
+        #endregion
+
+        #region Private members
+        int m_lastActionTicks;
+        int m_actionCount;
+        int m_blockedUntilTicks;
+        #endregion
+    }
+
+    /// <summary>
+    /// Manages clients with potential problematic activities
+    /// </summary>
+    public class ActiveClientTracker : IDisposable
+    {
+        #region Public
+        /// <summary>
+        /// Constructor
+        /// </summary>
+        public ActiveClientTracker()
+        {
+            m_cleanupTimer = new Timer(CleanupExpiredEntries, null, m_kCleanupIntervalMs, m_kCleanupIntervalMs);
+        }
+
+        /// <summary>
+        /// Checks if an IP address is currently blocked
+        /// </summary>
+        /// <param name="ipAddress"></param>
+        /// <returns></returns>
+        public bool IsBlocked(IPAddress ipAddress)
+        {
+            if (m_activeClients.TryGetValue(ipAddress, out ActiveClient client))
+            {
+                int currentTicks = HiResClock.TickCount;
+                return IsBlockedTicks(client.BlockedUntilTicks, currentTicks);
+            }
+            return false;
+        }
+
+        /// <summary>
+        /// Adds a potential problematic action entry for a client
+        /// </summary>
+        /// <param name="ipAddress"></param>
+        public void AddClientAction(IPAddress ipAddress)
+        {
+            int currentTicks = HiResClock.TickCount;
+
+            m_activeClients.AddOrUpdate(ipAddress,
+                // If client is new , create a new entry
+                key => new ActiveClient {
+                    LastActionTicks = currentTicks,
+                    ActiveActionCount = 1,
+                    BlockedUntilTicks = 0
+                },
+                // If the client exists, update its entry
+                (key, existingEntry) => {
+                    // If IP currently blocked simply do nothing
+                    if (IsBlockedTicks(existingEntry.BlockedUntilTicks, currentTicks))
+                    {
+                        return existingEntry;
+                    }
+
+                    // Elapsed time since last recorded action
+                    int elapsedSinceLastRecAction = currentTicks - existingEntry.LastActionTicks;
+
+                    if (elapsedSinceLastRecAction <= m_kActionsIntervalMs)
+                    {
+                        existingEntry.ActiveActionCount++;
+
+                        if (existingEntry.ActiveActionCount > m_kNrActionsTillBlock)
+                        {
+                            // Block the IP
+                            existingEntry.BlockedUntilTicks = currentTicks + m_kBlockDurationMs;
+                            Utils.LogError("RemoteClient IPAddress: {0} blocked for {1} ms due to exceeding {2} actions under {3} ms ",
+                                ipAddress.ToString(),
+                                m_kBlockDurationMs,
+                                m_kNrActionsTillBlock,
+                                m_kActionsIntervalMs);
+
+                        }
+                    }
+                    else
+                    {
+                        // Reset the count as the last action was outside the interval
+                        existingEntry.ActiveActionCount = 1;
+                    }
+
+                    existingEntry.LastActionTicks = currentTicks;
+
+                    return existingEntry;
+                }
+            );
+        }
+
+        /// <summary>
+        /// Dispose the cleanup timer
+        /// </summary>
+        public void Dispose()
+        {
+            m_cleanupTimer?.Dispose();
+        }
+
+        #endregion
+        #region Private methods
+
+        /// <summary>
+        /// Periodically cleans up expired active client entries to avoid memory leak and unblock clients whose duration has expired.
+        /// </summary>
+        /// <param name="state"></param>
+        private void CleanupExpiredEntries(object state)
+        {
+            int currentTicks = HiResClock.TickCount;
+
+            foreach (var entry in m_activeClients)
+            {
+                IPAddress clientIp = entry.Key;
+                ActiveClient rClient = entry.Value;
+
+                // Unblock client if blocking duration has been exceeded
+                if (rClient.BlockedUntilTicks != 0 && !IsBlockedTicks(rClient.BlockedUntilTicks, currentTicks))
+                {
+                    rClient.BlockedUntilTicks = 0;
+                    rClient.ActiveActionCount = 0;
+                    Utils.LogDebug("Active Client with IP {0} is now unblocked, blocking duration of {1} ms has been exceeded",
+                        clientIp.ToString(),
+                        m_kBlockDurationMs);
+                }
+
+                // Remove clients that haven't had any potential problematic actions in the last m_kEntryExpirationMs interval 
+                int elapsedSinceBadActionTicks = currentTicks - rClient.LastActionTicks;
+                if (elapsedSinceBadActionTicks > m_kEntryExpirationMs)
+                {
+                    // Even if TryRemove fails it will most probably succeed at the next execution
+                    if (m_activeClients.TryRemove(clientIp, out _))
+                    {
+                        Utils.LogDebug("Active Client with IP {0} is not tracked any longer, hasn't had actions for more than {1} ms",
+                            clientIp.ToString(),
+                            m_kEntryExpirationMs);
+                    }
+                }
+            }
+        }
+
+        /// <summary>
+        /// Determines if the IP is currently blocked based on the block expiration ticks and current ticks
+        /// </summary>
+        /// <param name="blockedUntilTicks"></param>
+        /// <param name="currentTicks"></param>
+        /// <returns></returns>
+        private bool IsBlockedTicks(int blockedUntilTicks, int currentTicks)
+        {
+            if (blockedUntilTicks == 0)
+            {
+                return false;
+            }
+            // C# signed arithmetic 
+            int diff = blockedUntilTicks - currentTicks;
+            // If currentTicks < blockedUntilTicks then it is still blocked
+            // Works even if TickCount has wrapped around due to C# signed integer arithmetic
+            return diff > 0;
+        }
+
+
+        #endregion
+        #region Private members
+        private ConcurrentDictionary<IPAddress, ActiveClient> m_activeClients = new ConcurrentDictionary<IPAddress, ActiveClient>();
+
+        private const int m_kActionsIntervalMs = 10_000;
+        private const int m_kNrActionsTillBlock = 3;
+
+        private const int m_kBlockDurationMs = 30_000; // 30 seconds
+        private const int m_kCleanupIntervalMs = 15_000;
+        private const int m_kEntryExpirationMs = 600_000; // 10 minutes
+
+        private Timer m_cleanupTimer;
+        #endregion
+    }
+
     /// <summary>
     /// Manages the transport for a UA TCP server.
     /// </summary>
@@ -331,6 +559,12 @@ public void Start()
         {
             lock (m_lock)
             {
+                // Track potential problematic client behavior only if Basic128Rsa15 security policy is offered
+                if (m_descriptions != null && m_descriptions.Any(d => d.SecurityPolicyUri == SecurityPolicies.Basic128Rsa15))
+                {
+                    m_activeClientTracker = new ActiveClientTracker();
+                }
+
                 // ensure a valid port.
                 int port = m_uri.Port;
 
@@ -505,16 +739,44 @@ public void CertificateUpdate(
         }
         #endregion
 
+        #region Internal
+        /// <summary>
+        /// Mark a remote endpoint as potential problematic
+        /// </summary>
+        /// <param name="remoteEndpoint"></param>
+        internal void MarkAsPotentialProblematic(IPAddress remoteEndpoint)
+        {
+            Utils.LogDebug("MarkClientAsPotentialProblematic address: {0} ", remoteEndpoint.ToString());
+            m_activeClientTracker?.AddClientAction(remoteEndpoint);
+        }
+        #endregion
+
         #region Socket Event Handler
         /// <summary>
         /// Handles a new connection.
         /// </summary>
         private void OnAccept(object sender, SocketAsyncEventArgs e)
         {
+
             TcpListenerChannel channel = null;
             bool repeatAccept = false;
             do
             {
+                bool isBlocked = false;
+
+                // Track potential problematic client behavior only if Basic128Rsa15 security policy is offered
+                if (m_activeClientTracker != null)
+                {
+                    // Filter out the Remote IP addresses which are detected with potential problematic behavior
+                    IPAddress ipAddress = ((IPEndPoint)e?.AcceptSocket?.RemoteEndPoint)?.Address;
+                    if (ipAddress != null && m_activeClientTracker.IsBlocked(ipAddress))
+                    {
+                        Utils.LogDebug("OnAccept: RemoteEndpoint address: {0} refused access for behaving as potential problematic ",
+                            ((IPEndPoint)e.AcceptSocket.RemoteEndPoint).Address.ToString());
+                        isBlocked = true;
+                    }
+                }
+
                 repeatAccept = false;
                 lock (m_lock)
                 {
@@ -526,7 +788,7 @@ private void OnAccept(object sender, SocketAsyncEventArgs e)
                     }
 
                     var channels = m_channels;
-                    if (channels != null)
+                    if (channels != null && !isBlocked)
                     {
                         // TODO: .Count is flagged as hotpath, implement separate counter
                         int channelCount = channels.Count;
@@ -821,6 +1083,8 @@ private void SetUri(Uri baseAddress, string relativeAddress)
         private int m_inactivityDetectPeriod;
         private Timer m_inactivityDetectionTimer;
         private int m_maxChannelCount;
+
+        private ActiveClientTracker m_activeClientTracker;
         #endregion
     }
 
