java实现攻击拦截，独立服务， 处理SYN Flood攻击检测等

package copsec.monitor.handle; import cn.hutool.core.date.DateUtil; import cn.hutool.core.util.IdUtil; import copsec.monitor.bean.KernLog; import copsec.monitor.bean.SystemWarningLog; import copsec.monitor.conf.Config; import copsec.monitor.db.KernLogDB; import copsec.monitor.db.SysConfigDB; import copsec.monitor.db.SystemWarningLogDB; import copsec.monitor.enums.LogLevel; import copsec.monitor.enums.Result; import java.io.InputStreamReader; import java.io.LineNumberReader; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.util.Date; import java.util.List; import java.util.stream.Collectors; import java.util.stream.Stream; /** * @Author wangchang * @Description 攻击处理类 * @Date 2024/8/6 10:12 */ public class AttackHandle { /** * 处理SYN Flood攻击检测 */ public static Integer processSynFlood(Integer oldSynThreshold) { Integer synThreshold = Integer.parseInt(SysConfigDB.selectConfigByKey("sys.syn.threshold")); try { String[] cmd = {"/bin/sh", "-c", "netstat -nt | grep SYN_RECV | awk '/^tcp/{sub(/:.*/,\"\",$4); sub(/:.*/,\"\",$5); if($4 != $5) {print $4,$5}}' | wc -l"}; Integer line = executeCommand(cmd); if (oldSynThreshold != 0 && (line - oldSynThreshold > synThreshold)) { String operateEvent = "SYN Flood攻击检测报警"; handleFloodAttack("拦截攻击", operateEvent, "检测到正在承受SYN Flood攻击，请及时处理。"); } // 更新oldSynThreshold的值 return line; } catch (Exception e) { e.printStackTrace(); return oldSynThreshold; } } /** * 处理UDP Flood攻击检测 */ public static Integer processUdpFlood(Integer oldUdpThreshold) { Integer udpThreshold = Integer.parseInt(SysConfigDB.selectConfigByKey("sys.udp.threshold")); try { String[] cmd = {"/bin/sh", "-c", "netstat -s | grep \"packets to unknown port received\" | awk '{print $1}'"}; Integer line = executeCommand(cmd); if (oldUdpThreshold != 0 && (line - oldUdpThreshold > udpThreshold)) { String operateEvent = "UDP Flood攻击检测报警"; handleFloodAttack("拦截攻击", operateEvent, "检测到正在承受UDP Flood攻击，请及时处理。"); } // 更新oldUdpThreshold的值 return line; } catch (Exception e) { e.printStackTrace(); return oldUdpThreshold; } } /** * 处理ICMP Flood攻击检测 */ public static Integer processIcmpFlood(Integer oldIcmpThreshold) { Integer icmpThreshold = Integer.parseInt(SysConfigDB.selectConfigByKey("sys.icmp.threshold")); try { String[] cmd = {"/bin/sh", "-c", "netstat -s | grep \"ICMP messages received\" | awk '{print $1}'"}; Integer line = executeCommand(cmd); if (oldIcmpThreshold != 0 && (line - oldIcmpThreshold > icmpThreshold)) { String operateEvent = "ICMP Flood攻击检测报警"; handleFloodAttack("拦截攻击", operateEvent, "检测到正在承受ICMP Flood攻击，请及时处理。"); } // 更新oldIcmpThreshold的值 return line; } catch (Exception e) { e.printStackTrace(); return oldIcmpThreshold; } } /** * 处理TearDrop攻击检测 */ public static Integer processTearDrop(Integer oldTearDropThreshold) { Integer teardropThreshold = Integer.parseInt(SysConfigDB.selectConfigByKey("sys.teardrop.threshold")); try { String[] cmd = {"/bin/sh", "-c", "dmesg | grep 'TearDrop Attack' | wc -l"}; Integer line = executeCommand(cmd); if (oldTearDropThreshold != 0 && (line - oldTearDropThreshold > teardropThreshold)) { String operateEvent = "TearDrop攻击检测报警"; handleFloodAttack("拦截攻击", operateEvent, "检测到正在承受TearDrop攻击，请及时处理。"); } // 更新oldTearDropThreshold的值 return line; } catch (Exception e) { e.printStackTrace(); return oldTearDropThreshold; } } /** * 处理Land攻击检测 */ public static Integer processLand(Integer oldLandThreshold) { Integer landThreshold = Integer.parseInt(SysConfigDB.selectConfigByKey("sys.land.threshold")); try { String[] cmd = {"/bin/sh", "-c", "dmesg | grep 'Land Attack' | wc -l"}; Integer line = executeCommand(cmd); if (oldLandThreshold != 0 && (line - oldLandThreshold > landThreshold)) { String operateEvent = "Land攻击检测报警"; handleFloodAttack("拦截攻击", operateEvent, "检测到正在承受Land攻击，请及时处理。"); } // 更新oldLandThreshold的值 return line; } catch (Exception e) { e.printStackTrace(); return oldLandThreshold; } } /** * 处理超大ICMP攻击检测 */ public static Integer processLargeIcmp(Integer oldLargeIcmpThreshold) { Integer largeIcmpThreshold = Integer.parseInt(SysConfigDB.selectConfigByKey("sys.maxicmp.threshold")); try { String[] cmd = {"/bin/sh", "-c", "dmesg | grep 'Large ICMP Packet Attack' | wc -l"}; Integer line = executeCommand(cmd); if (oldLargeIcmpThreshold != 0 && (line - oldLargeIcmpThreshold > largeIcmpThreshold)) { String operateEvent = "超大ICMP攻击检测报警"; handleFloodAttack("拦截攻击", operateEvent, "检测到正在承受超大ICMP攻击，请及时处理。"); } // 更新oldLargeIcmpThreshold的值 return line; } catch (Exception e) { e.printStackTrace(); return oldLargeIcmpThreshold; } } /** * 处理Ping of Death攻击检测 */ public static Integer processPingOfDeath(Integer oldPingOfDeathThreshold) { Integer pingOfDeathThreshold = Integer.parseInt(SysConfigDB.selectConfigByKey("sys.pingofdeath.threshold")); try { String[] cmd = {"/bin/sh", "-c", "dmesg | grep 'Ping of Death Attack' | wc -l"}; Integer line = executeCommand(cmd); if (oldPingOfDeathThreshold != 0 && (line - oldPingOfDeathThreshold > pingOfDeathThreshold)) { String operateEvent = "Ping of Death攻击检测报警"; handleFloodAttack("拦截攻击", operateEvent, "检测到正在承受Ping of Death攻击，请及时处理。"); } // 更新oldPingOfDeathThreshold的值 return line; } catch (Exception e) { e.printStackTrace(); return oldPingOfDeathThreshold; } } /** * 执行命令并返回结果 */ private static Integer executeCommand(String[] cmd) throws Exception { Process p = Runtime.getRuntime().exec(cmd); LineNumberReader input = new LineNumberReader(new InputStreamReader(p.getInputStream())); Integer line = Integer.parseInt(input.readLine()); p.waitFor(); input.close(); return line; } /** * 处理攻击检测后的操作 */ private static void handleFloodAttack(String moduleName, String operateEvent, String description) { // 检测是否已经存在未解决的同类报警 Integer count = SystemWarningLogDB.checkWarnLogByOperateEvent(operateEvent); if (