Documentation
Overview
Package reflex detects DNS amplification/reflection attacks.
This middleware focuses specifically on identifying spoofed source IPs used in DNS amplification attacks. It does NOT duplicate:
- Rate limiting (handled by ratelimit middleware)
- Blocklist/whitelist (handled by blocklist middleware)
- ANY query blocking (handled by resolver middleware)
Detection strategy:
- Track amplification ratio per IP (response size / request size)
- Identify IPs with suspicious query patterns (only high-amp types, no normal queries)
- Score IPs based on reflection attack likelihood
- Block or challenge IPs exceeding threshold
Index
- Variables
- type IPEntry
- type IPTracker
- func (t *IPTracker) Cleanup()
- func (t *IPTracker) Count() int
- func (t *IPTracker) GetEntry(ip string) *IPEntry
- func (t *IPTracker) RecordQuery(ip string, qtype uint16, ampFactor float64, reqSize int) float64
- func (t *IPTracker) RecordResponse(ip string, reqSize, respSize int)
- func (t *IPTracker) RecordTCP(ip string)
- type Reflex
Constants
This section is empty.
Variables
var (
	// ReflexDetections counts suspected amplification attack sources.
	ReflexDetections = promauto.NewCounterVec(
		prometheus.CounterOpts{
			Name: "reflex_detections_total",
			Help: "Total suspected amplification attack detections by query type",
		},
		[]string{"qtype"},
	)
	// ReflexBlocked counts blocked queries.
	ReflexBlocked = promauto.NewCounter(
		prometheus.CounterOpts{
			Name: "reflex_blocked_total",
			Help: "Total queries blocked due to amplification attack suspicion",
		},
	)
	// ReflexTrackedIPs shows current tracked IP count.
	ReflexTrackedIPs = promauto.NewGauge(
		prometheus.GaugeOpts{
			Name: "reflex_tracked_ips",
			Help: "Number of IPs currently being tracked",
		},
	)
)
Functions
This section is empty.
Types
type IPEntry
type IPEntry struct {
	FirstSeen time.Time
	LastSeen  time.Time
	// Query statistics
	TotalQueries   uint32
	HighAmpQueries uint32  // Queries for high-amplification types
	TotalAmpFactor float64 // Sum of amplification factors
	// Response statistics
	TotalRequestBytes  uint64
	TotalResponseBytes uint64
	// Reputation signals
	HasTCP     bool   // Has made TCP connection (proves real IP)
	HasNormalQ bool   // Has made normal queries (A, AAAA)
	QueryTypes uint16 // Bitmap of query types seen (first 16 types)
}
IPEntry tracks statistics for a single IP.
type IPTracker
type IPTracker struct {
	// contains filtered or unexported fields
}
IPTracker tracks IP behavior for amplification attack detection.
func (*IPTracker) RecordQuery
RecordQuery records a UDP query and returns a suspicion score (0.0-1.0).
func (*IPTracker) RecordResponse
RecordResponse records response size for amplification ratio tracking.
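The following Go program is an added example, not the reflex package's own code: it implements the detection strategy sketched in the Overview (per-IP amplification tracking, the "only high-amp types, never a normal query" pattern, a 0.0-1.0 suspicion score, and a block decision at a threshold) together with the TCP reputation signal and the 16-bit query-type bitmap that IPEntry documents. All names (ipEntry, tracker, recordQuery, recordTCP, shouldBlock), the scoring weights, minQueries, maxAmpFactor, blockThreshold and the set of high-amplification types are assumptions chosen for illustration; the example's recordQuery also takes the observed amplification factor directly instead of the page's reqSize parameter.

```go
package main

import (
	"math"
	"sync"
)

// Query-type numbers from RFC 1035/3596: A=1, TXT=16, AAAA=28, ANY=255.
const qtypeA, qtypeTXT, qtypeAAAA, qtypeANY uint16 = 1, 16, 28, 255

const (
	minQueries     = 5    // assumed: no score until this many queries are seen
	maxAmpFactor   = 50.0 // assumed: an average amplification this high saturates the amp term
	blockThreshold = 0.8  // assumed: scores at or above this are blocked
)

// highAmpTypes is an assumed set of record types whose answers dwarf the query.
var highAmpTypes = map[uint16]bool{qtypeTXT: true, qtypeANY: true}

// ipEntry carries the per-IP signals the page lists for IPEntry (timestamps and byte totals omitted).
type ipEntry struct {
	TotalQueries   uint32
	HighAmpQueries uint32
	TotalAmpFactor float64 // sum of response size / request size over all queries
	HasTCP         bool    // completed a TCP handshake, so the address is real
	HasNormalQ     bool    // has asked for A or AAAA records
	QueryTypes     uint16  // bitmap of query types 0-15 seen
}

// score is the constructed reflection-attack suspicion in [0, 1].
func (e *ipEntry) score() float64 {
	// A spoofed address cannot complete a TCP handshake, and too few queries
	// means a lone legitimate TXT lookup must not be penalised.
	if e.HasTCP || e.TotalQueries < minQueries {
		return 0
	}
	n := float64(e.TotalQueries)
	highAmpShare := float64(e.HighAmpQueries) / n
	ampTerm := math.Min(e.TotalAmpFactor/n/maxAmpFactor, 1)
	s := 0.6*highAmpShare + 0.4*ampTerm
	if !e.HasNormalQ {
		s += 0.2 // only high-amp types, never A/AAAA: real clients rarely look like this
	}
	return math.Min(s, 1)
}

// tracker is a minimal stand-in for the page's IPTracker.
type tracker struct {
	mu      sync.Mutex
	entries map[string]*ipEntry
}

func newTracker() *tracker { return &tracker{entries: map[string]*ipEntry{}} }

// entry returns the record for ip, creating it on first sight; caller holds mu.
func (t *tracker) entry(ip string) *ipEntry {
	e, ok := t.entries[ip]
	if !ok {
		e = &ipEntry{}
		t.entries[ip] = e
	}
	return e
}

// recordQuery records one UDP query with its observed amplification factor
// (response bytes / request bytes) and returns the updated suspicion score.
func (t *tracker) recordQuery(ip string, qtype uint16, ampFactor float64) float64 {
	t.mu.Lock()
	defer t.mu.Unlock()
	e := t.entry(ip)
	e.TotalQueries++
	e.TotalAmpFactor += ampFactor
	if qtype < 16 {
		e.QueryTypes |= 1 << qtype
	}
	if highAmpTypes[qtype] {
		e.HighAmpQueries++
	}
	if qtype == qtypeA || qtype == qtypeAAAA {
		e.HasNormalQ = true
	}
	return e.score()
}

// recordTCP marks the source as verified; its score drops to zero from here on.
func (t *tracker) recordTCP(ip string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.entry(ip).HasTCP = true
}

// shouldBlock reports whether ip currently meets the block threshold.
func (t *tracker) shouldBlock(ip string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	e, ok := t.entries[ip]
	return ok && e.score() >= blockThreshold
}
```

With constructed traffic, a source that sends ten ANY queries each drawing a 40x response and never asks for an A or AAAA record scores 1.0 and is blocked, while a resolver that interleaves five A lookups with five TXT lookups scores about 0.39 and is left alone; the minQueries floor keeps a single legitimate TXT lookup at 0, and a later TCP connection from the flagged address clears its score because a spoofed source cannot complete the handshake.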