attack wave detection

.github/workflows/qa-tests.yml

@@ -50,4 +50,4 @@ jobs:
           dockerfile_path: ./zen-demo-python/Dockerfile
           app_port: 8080
           sleep_before_test: 10
-          skip_tests: test_bypassed_ip_for_geo_blocking,test_demo_apps_generic_tests,test_path_traversal,test_wave_attack
+          skip_tests: test_bypassed_ip_for_geo_blocking,test_demo_apps_generic_tests,test_path_traversal

aikido_zen/background_process/commands/sync_data_test.py

@@ -93,6 +93,7 @@ def test_process_sync_data_initialization(setup_connection_manager):
     assert connection_manager.statistics.get_record()["requests"] == {
         "aborted": 0,
         "attacksDetected": {"blocked": 0, "total": 5},
+        "attackWaves": {"total": 0, "blocked": 0},
         "total": 10,
         "rateLimited": 0,
     }
@@ -168,6 +169,7 @@ def test_process_sync_data_with_last_updated_at_below_zero(setup_connection_mana
     assert connection_manager.statistics.get_record()["requests"] == {
         "aborted": 0,
         "attacksDetected": {"blocked": 0, "total": 5},
+        "attackWaves": {"total": 0, "blocked": 0},
         "total": 10,
         "rateLimited": 0,
     }
@@ -255,6 +257,7 @@ def test_process_sync_data_existing_route_and_hostnames(setup_connection_manager
     assert connection_manager.statistics.get_record()["requests"] == {
         "aborted": 0,
         "attacksDetected": {"blocked": 0, "total": 10},
+        "attackWaves": {"total": 0, "blocked": 0},
         "total": 20,
         "rateLimited": 0,
     }

aikido_zen/helpers/create_attack_wave_event.py

@@ -0,0 +1,27 @@
+from aikido_zen.helpers.limit_length_metadata import limit_length_metadata
+from aikido_zen.helpers.logging import logger
+
+
+def create_attack_wave_event(context, metadata):
+    try:
+        return {
+            "type": "detected_attack_wave",
+            "attack": {
+                "user": getattr(context, "user", None),
+                "metadata": limit_length_metadata(metadata, 4096),
+            },
+            "request": extract_request_if_possible(context),
+        }
+    except Exception as e:
+        logger.error("Failed to create detected_attack_wave API event: %s", str(e))
+        return None
+
+
+def extract_request_if_possible(context):
+    if not context:
+        return None
+    return {
+        "ipAddress": getattr(context, "remote_address", None),
+        "source": getattr(context, "source", None),
+        "userAgent": context.get_user_agent(),
+    }

aikido_zen/helpers/create_attack_wave_event_test.py

@@ -0,0 +1,173 @@
+import pytest
+from unittest.mock import MagicMock
+from .create_attack_wave_event import (
+    create_attack_wave_event,
+    extract_request_if_possible,
+)
+import aikido_zen.test_utils as test_utils
+
+
+def test_create_attack_wave_event_success():
+    """Test successful creation of attack wave event with basic data"""
+    metadata = {"test": "value"}
+    context = test_utils.generate_context()
+
+    event = create_attack_wave_event(context, metadata)
+
+    assert event is not None
+    assert event["type"] == "detected_attack_wave"
+    assert event["attack"]["user"] is None
+    assert event["attack"]["metadata"] == metadata
+    assert event["request"] is not None
+
+
+def test_create_attack_wave_event_with_user():
+    """Test attack wave event creation with user information"""
+    metadata = {"test": "value"}
+    context = test_utils.generate_context(user="test_user")
+
+    event = create_attack_wave_event(context, metadata)
+
+    assert event["attack"]["user"] == "test_user"
+    assert event["attack"]["metadata"] == metadata
+
+
+def test_create_attack_wave_event_with_long_metadata():
+    """Test that metadata longer than 4096 characters is truncated"""
+    long_metadata = "x" * 5000  # Create metadata longer than 4096 characters
+    metadata = {"test": long_metadata}
+    context = test_utils.generate_context()
+
+    event = create_attack_wave_event(context, metadata)
+
+    assert len(event["attack"]["metadata"]["test"]) == 4096
+    assert event["attack"]["metadata"]["test"] == long_metadata[:4096]
+
+
+def test_create_attack_wave_event_with_multiple_long_metadata_fields():
+    """Test that multiple metadata fields longer than 4096 characters are truncated"""
+    long_value1 = "a" * 5000
+    long_value2 = "b" * 6000
+    metadata = {
+        "field1": long_value1,
+        "field2": long_value2,
+    }
+    context = test_utils.generate_context()
+
+    event = create_attack_wave_event(context, metadata)
+
+    assert len(event["attack"]["metadata"]["field1"]) == 4096
+    assert len(event["attack"]["metadata"]["field2"]) == 4096
+    assert event["attack"]["metadata"]["field1"] == long_value1[:4096]
+    assert event["attack"]["metadata"]["field2"] == long_value2[:4096]
+
+
+def test_create_attack_wave_event_request_data():
+    """Test that request data is correctly extracted from context"""
+    metadata = {"test": "value"}
+    context = test_utils.generate_context(
+        ip="198.51.100.23",
+        route="/test-route",
+        headers={"user-agent": "Mozilla/5.0"},
+    )
+
+    event = create_attack_wave_event(context, metadata)
+
+    request_data = event["request"]
+    assert request_data["ipAddress"] == "198.51.100.23"
+    assert request_data["source"] == "flask"
+    assert request_data["userAgent"] == "Mozilla/5.0"
+
+
+def test_create_attack_wave_event_no_context():
+    """Test attack wave event creation with None context"""
+    metadata = {"test": "value"}
+
+    event = create_attack_wave_event(None, metadata)
+
+    assert event["attack"]["user"] is None
+    assert event["attack"]["metadata"] == metadata
+    assert event["request"] is None
+
+
+def test_create_attack_wave_event_exception_handling():
+    """Test that exceptions during event creation are handled gracefully"""
+    # Create a context that will raise an exception when accessed
+    context = MagicMock()
+    context.user = "test_user"
+    context.remote_address = "1.1.1.1"
+    context.source = "test_source"
+    # Make get_user_agent raise an exception
+    context.get_user_agent.side_effect = Exception("Test exception")
+
+    metadata = {"test": "value"}
+
+    # This should not raise an exception, but return None
+    event = create_attack_wave_event(context, metadata)
+
+    # Since we're mocking and causing an exception, the function should handle it
+    # and return None based on the exception handling in the function
+    assert event is None
+
+
+def test_extract_request_if_possible_with_valid_context():
+    """Test request extraction with valid context"""
+    context = test_utils.generate_context(
+        ip="198.51.100.23",
+        route="/test-route",
+        headers={"user-agent": "Mozilla/5.0"},
+    )
+
+    request = extract_request_if_possible(context)
+
+    assert request is not None
+    assert request["ipAddress"] == "198.51.100.23"
+    assert request["source"] == "flask"
+    assert request["userAgent"] == "Mozilla/5.0"
+
+
+def test_extract_request_if_possible_with_none_context():
+    """Test request extraction with None context"""
+    request = extract_request_if_possible(None)
+    assert request is None
+
+
+def test_extract_request_if_possible_with_minimal_context():
+    """Test request extraction with minimal context data"""
+    context = test_utils.generate_context()
+
+    request = extract_request_if_possible(context)
+
+    assert request is not None
+    assert request["ipAddress"] == "1.1.1.1"
+    assert request["source"] == "flask"
+    assert request["userAgent"] is None
+
+
+def test_create_attack_wave_event_empty_metadata():
+    """Test attack wave event creation with empty metadata"""
+    metadata = {}
+    context = test_utils.generate_context()
+
+    event = create_attack_wave_event(context, metadata)
+
+    assert event is not None
+    assert event["attack"]["metadata"] == {}
+    assert event["request"] is not None
+
+
+def test_create_attack_wave_event_complex_metadata():
+    """Test attack wave event creation with complex nested metadata"""
+    metadata = {
+        "nested": {"key1": "value1", "key2": "value2"},
+        "simple": "simple_value",
+        "json_string": "[1, 2, 3]",
+        "number_string": "42",
+    }
+    context = test_utils.generate_context()
+
+    event = create_attack_wave_event(context, metadata)
+
+    assert event["attack"]["metadata"] == metadata
+    assert event["attack"]["metadata"]["nested"]["key1"] == "value1"
+    assert event["attack"]["metadata"]["json_string"] == "[1, 2, 3]"

aikido_zen/ratelimiting/lru_cache.py

@@ -3,7 +3,7 @@
 """
 
 from collections import OrderedDict
-from aikido_zen.helpers.get_current_unixtime_ms import get_unixtime_ms
+import aikido_zen.helpers.get_current_unixtime_ms as internal_time
 
 
 class LRUCache:
@@ -24,7 +24,8 @@ def get(self, key):
         if key in self.cache:
             # Check if the item is still valid based on TTL
             if (
-                get_unixtime_ms(monotonic=True) - self.cache[key]["startTime"]
+                internal_time.get_unixtime_ms(monotonic=True)
+                - self.cache[key]["startTime"]
                 < self.time_to_live_in_ms
             ):
                 return self.cache[key]["value"]  # Return the actual value
@@ -39,7 +40,7 @@ def set(self, key, value):
             self.cache.popitem(last=False)  # Remove the oldest item
         self.cache[key] = {
             "value": value,
-            "startTime": get_unixtime_ms(monotonic=True),
+            "startTime": internal_time.get_unixtime_ms(monotonic=True),
         }  # Store value and timestamp
 
     def clear(self):

aikido_zen/sources/functions/request_handler.py

@@ -4,9 +4,14 @@
 from aikido_zen.api_discovery.update_route_info import update_route_info_from_context
 from aikido_zen.helpers.is_useful_route import is_useful_route
 from aikido_zen.helpers.logging import logger
+from aikido_zen.helpers.create_attack_wave_event import create_attack_wave_event
 from aikido_zen.thread.thread_cache import get_cache
 from .ip_allowed_to_access_route import ip_allowed_to_access_route
 import aikido_zen.background_process.comms as c
+from ...background_process.commands import PutEventCommand
+from ...helpers.ipc.send_payload import send_payload
+from ...helpers.serialize_to_json import serialize_to_json
+from ...storage.attack_wave_detector_store import attack_wave_detector_store
 
 
 def request_handler(stage, status_code=0):
@@ -79,25 +84,38 @@ def pre_response():
     if block_type == "bot-blocking":
         msg = "You are not allowed to access this resource because you have been identified as a bot."
         return msg, 403
+    return None
 
 
 def post_response(status_code):
-    """Checks if the current route is useful"""
+    """Checks if the current route is useful and performs attack wave detection"""
     context = ctx.get_current_context()
     if not context:
         return
     route_metadata = context.get_route_metadata()
 
+    cache = get_cache()
+    if not cache:
+        return
+
+    attack_wave = attack_wave_detector_store.is_attack_wave(context.remote_address)
+    if attack_wave:
+        cache.stats.on_detected_attack_wave(blocked=False)
+
+        event = create_attack_wave_event(context, metadata={})
+        logger.debug("Attack wave: %s", serialize_to_json(event)[:5000])
+
+        # Report in background to core (send event over IPC)
+        if c.get_comms() and event:
+            send_payload(c.get_comms(), PutEventCommand.generate(event))
+
+    # Check if the current route is useful for API discovery
     is_curr_route_useful = is_useful_route(
         status_code,
         context.route,
         context.method,
     )
-    if not is_curr_route_useful:
-        return
-
-    cache = get_cache()
-    if cache:
+    if is_curr_route_useful:
         cache.routes.increment_route(route_metadata)
 
         # api spec generation