Conversation

@mcfnord
Contributor

@mcfnord mcfnord commented Jan 8, 2026

feat(server): Add CentralDefense for ASN/CIDR blocking

This introduces the CentralDefense module, a server-side security mechanism designed to reject connections from specific Autonomous Systems (ASNs) and IP ranges (CIDRs). This allows a central service to filter out traffic from known abuse sources.

Key Implementation Details:

  1. Synchronous "Bouncer" Logic:

    • Hooks into CServer::OnNewConnection immediately after the mutex lock.
    • Uses Qt::DirectConnection to ensure the block check completes synchronously.
    • If a client is blocked, the connection is dropped before the server sends the "Welcome" message or updates the connected client list.
  2. API Protection & Throttling:

    • Integrates with ip-api.com for ASN lookups but implements aggressive protection for the API provider.
    • Memory-First: Checks a local RAM cache and static CIDR list before attempting any network lookup.
    • Queuing: Limits concurrent requests to prevent bursts.
    • Throttling: Enforces a delay between outbound requests to respect API rate limits.
    • Negative Caching: Caches lookup results (allow or deny) to ensure subsequent connections from the same IP require zero network traffic.
  3. Configuration:

    • Fetches a remote blocklist (ASN/CIDR format) on startup and refreshes periodically.
    • Parses blocklist entries robustly, ignoring comments and descriptive text.

Checklist

  • I've verified that this Pull Request follows the general code principles
  • I tested my code and it does what I want
  • My code follows the style guide
  • I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
  • I've filled all the content above

@ann0see
Member

ann0see commented Jan 10, 2026

Thanks!

ip-api.com

I'd prefer not to hardcode services.

Member

@ann0see ann0see left a comment

Very interesting! Thank you.
I believe that we'll have a long discussion here...

emit updated(m_blockedAsns.size(), m_blockedCidrs.size());
}

bool CentralDefense::tryParseIpv4CidrLine(const QString& line, Ipv4Cidr& outCidr)
Member

You should write the code generically so that it supports IPv6 too.
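The blocklist parsing and "memory-first" CIDR check described in the PR description, written family-agnostic as the reviewer asks. This is an added illustration, not code from the pull request or the Jamulus project: it assumes blocklist lines of the form `AS<number> <description>` or `<ip>/<prefix> <description>` with `#` comments (the PR does not specify the exact format), uses POSIX `inet_pton` instead of Qt types so it builds without Qt, and all struct and function names (`Cidr`, `Blocklist`, `parseCidr`, `isIpBlocked`) are hypothetical.

```cpp
// Added example, not Jamulus code. Family-agnostic (IPv4 + IPv6) blocklist parser
// and in-memory containment check. Line format and names are assumptions.
#include <arpa/inet.h>
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <set>
#include <sstream>
#include <string>
#include <vector>

using Addr = std::array<uint8_t, 16>;  // network-order bytes; IPv4 uses the first 4

struct Cidr {
    Addr addr{};
    int family = AF_INET;  // AF_INET or AF_INET6
    int prefix = 0;        // prefix length in bits
};

// Parse a textual IPv4 or IPv6 address; returns (family, bytes) or nullopt.
static std::optional<std::pair<int, Addr>> parseIp(const std::string& s) {
    Addr out{};
    if (inet_pton(AF_INET, s.c_str(), out.data()) == 1) return std::make_pair(AF_INET, out);
    if (inet_pton(AF_INET6, s.c_str(), out.data()) == 1) return std::make_pair(AF_INET6, out);
    return std::nullopt;
}

// Parse "192.0.2.0/24", "2001:db8::/32" or a bare address (host-length prefix).
// Rejects out-of-range prefixes and trailing junk; host bits are zeroed.
std::optional<Cidr> parseCidr(const std::string& token) {
    std::string ip = token;
    int prefix = -1;
    auto slash = token.find('/');
    if (slash != std::string::npos) {
        ip = token.substr(0, slash);
        std::string p = token.substr(slash + 1);
        try {
            std::size_t used = 0;
            prefix = std::stoi(p, &used);
            if (used != p.size() || prefix < 0) return std::nullopt;
        } catch (...) { return std::nullopt; }
    }
    auto parsed = parseIp(ip);
    if (!parsed) return std::nullopt;
    int bits = parsed->first == AF_INET ? 32 : 128;
    if (prefix < 0) prefix = bits;
    if (prefix > bits) return std::nullopt;
    Cidr c; c.family = parsed->first; c.prefix = prefix; c.addr = parsed->second;
    for (int i = prefix; i < bits; ++i)  // canonical form: clear host bits
        c.addr[i / 8] = static_cast<uint8_t>(c.addr[i / 8] & ~(1u << (7 - i % 8)));
    return c;
}

// True if address `a` of family `family` lies inside `c`; families never mix.
bool cidrContains(const Cidr& c, int family, const Addr& a) {
    if (family != c.family) return false;
    int full = c.prefix / 8, rem = c.prefix % 8;
    if (std::memcmp(c.addr.data(), a.data(), full) != 0) return false;
    if (rem == 0) return true;
    uint8_t mask = static_cast<uint8_t>(0xFF << (8 - rem));
    return (c.addr[full] & mask) == (a[full] & mask);
}

struct Blocklist {
    std::set<uint32_t> asns;
    std::vector<Cidr> cidrs;
    std::size_t skipped = 0;  // non-empty lines that were neither an ASN nor a CIDR
};

// Robust parse: '#' comments stripped, descriptive text after the first token ignored,
// unrecognised lines counted rather than aborting the whole refresh.
Blocklist parseBlocklist(const std::string& text) {
    Blocklist bl;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (auto h = line.find('#'); h != std::string::npos) line.erase(h);
        std::istringstream ls(line);
        std::string tok;
        if (!(ls >> tok)) continue;  // blank or comment-only line
        if (tok.size() > 2 && (tok.rfind("AS", 0) == 0 || tok.rfind("as", 0) == 0)) {
            try {
                std::size_t used = 0;
                unsigned long n = std::stoul(tok.substr(2), &used);
                if (used == tok.size() - 2 && n <= 0xFFFFFFFFul) { bl.asns.insert(static_cast<uint32_t>(n)); continue; }
            } catch (...) {}
        } else if (auto c = parseCidr(tok)) { bl.cidrs.push_back(*c); continue; }
        ++bl.skipped;
    }
    return bl;
}

// Memory-first check against the static CIDR list; no network involved.
bool isIpBlocked(const Blocklist& bl, const std::string& ip) {
    auto parsed = parseIp(ip);
    if (!parsed) return false;  // unparseable input: caller decides policy
    for (const auto& c : bl.cidrs) if (cidrContains(c, parsed->first, parsed->second)) return true;
    return false;
}

bool isAsnBlocked(const Blocklist& bl, uint32_t asn) { return bl.asns.count(asn) != 0; }

// Constructed sample list using documentation ranges (RFC 5737 / 3849) and a reserved ASN.
const char* const kSampleBlocklist =
    "# constructed sample\nAS64496 Example ISP\n192.0.2.0/24 doc range\n2001:db8::/32\nnot-a-rule\n";

int main() {
    Blocklist bl = parseBlocklist(kSampleBlocklist);
    std::printf("asns=%zu cidrs=%zu skipped=%zu v4=%d v6=%d\n", bl.asns.size(), bl.cidrs.size(),
                bl.skipped, isIpBlocked(bl, "192.0.2.77"), isIpBlocked(bl, "2001:db8:1::1"));
    return 0;
}
```

Because `cidrContains` compares raw bytes under a prefix mask, the same code path serves both families; only the bit length differs, which is what makes an IPv6-capable `tryParseIpv4CidrLine` replacement cheap to add rather than a second parser.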

2 participants