feat(proxy): integrate DDoS, scanner, and rate limiter into request pipeline

Wire up all three detection layers in request_filter with pipeline logging at each stage for unfiltered training data. Add DDoS, scanner, and rate_limit config sections. Bot allowlist check before scanner model on the hot path. CLI subcommands for train/replay. Signed-off-by: Sienna Meridian Satterwhite <sienna@sunbeam.pt>
2026-03-10 23:38:20 +00:00
parent ae18b00fa4
commit 867b6b2489
7 changed files with 1160 additions and 36 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -37,6 +37,18 @@ opentelemetry-otlp    = { version = "0.27", features = ["http-proto", "reqwest-c
 serde_json = "1"
 anyhow     = "1"

+# DDoS detection (KNN classifier)
+clap        = { version = "4", features = ["derive"] }
+fnntw       = "0.4"
+bincode     = "1"
+rustc-hash  = "2"
+
+# Lock-free Arc swapping for hot-reload (scanner model)
+arc-swap    = "1"
+
+# Reverse DNS for bot IP verification
+dns-lookup  = "2"
+
 # Rustls crypto provider — must be installed before any TLS init
 rustls      = { version = "0.23", features = ["aws-lc-rs"] }

@@ -45,6 +57,13 @@ kube        = { version = "3", features = ["runtime", "client"] }
 k8s-openapi = { version = "0.27", features = ["v1_35"] }
 libc        = "0.2"

+[dev-dependencies]
+criterion = { version = "0.5", features = ["html_reports"] }
+
+[[bench]]
+name = "scanner_bench"
+harness = false
+
 [profile.release]
 opt-level = 3
 lto       = true