Use sliding window for attack waves

hansott · hansott · commit 45f31347511c · 2025-12-10T15:35:18.000+01:00
diff --git a/library/vulnerabilities/attack-wave-detection/AttackWaveDetector.ts b/library/vulnerabilities/attack-wave-detection/AttackWaveDetector.ts
@@ -8,7 +8,7 @@ export type SuspiciousRequest = {
 };
 
 export class AttackWaveDetector {
-  private suspiciousRequestsCounts: LRUMap<string, number>;
+  private suspiciousRequestsCounts: LRUMap<string, number[]>;
   private suspiciousRequestsSamples: LRUMap<string, SuspiciousRequest[]>;
   private sentEventsMap: LRUMap<string, number>;
 
@@ -80,14 +80,24 @@ export class AttackWaveDetector {
       return false;
     }
 
-    const suspiciousRequests = (this.suspiciousRequestsCounts.get(ip) || 0) + 1;
-    this.suspiciousRequestsCounts.set(ip, suspiciousRequests);
+    const currentTime = performance.now();
+    const requestTimestamps = this.suspiciousRequestsCounts.get(ip) || [];
+
+    const filteredTimestamps = requestTimestamps.filter(
+      (timestamp) => currentTime - timestamp <= this.attackWaveTimeFrame
+    );
+
+    filteredTimestamps.push(currentTime);
+
+    this.suspiciousRequestsCounts.set(ip, filteredTimestamps);
 
     this.trackSample(ip, {
       method: context.method,
       url: context.url,
     });
 
+    const suspiciousRequests = filteredTimestamps.length;
+
     if (suspiciousRequests < this.attackWaveThreshold) {
       return false;
     }
