Anthropic-Cybersecurity-Skills/skills/implementing-ddos-mitigation-with-cloudflare/scripts/agent.py

#!/usr/bin/env python3
"""DDoS mitigation agent using Cloudflare API for traffic analysis and rule management."""

import argparse
import json
import logging
import os
import sys
from datetime import datetime
from typing import List

try:
    import requests
except ImportError:
    sys.exit("requests required: pip install requests")

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

CF_API = "https://api.cloudflare.com/client/v4"


class CloudflareClient:
    """Client for Cloudflare API v4."""

    def __init__(self, api_token: str):
        self.session = requests.Session()
        self.session.headers.update({
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        })

    def list_zones(self) -> List[dict]:
        resp = self.session.get(f"{CF_API}/zones", timeout=15)
        resp.raise_for_status()
        return resp.json().get("result", [])

    def get_zone_analytics(self, zone_id: str, since: str = "-1440") -> dict:
        resp = self.session.get(
            f"{CF_API}/zones/{zone_id}/analytics/dashboard",
            params={"since": since}, timeout=15)
        return resp.json().get("result", {}) if resp.status_code == 200 else {}

    def get_firewall_events(self, zone_id: str, limit: int = 100) -> List[dict]:
        resp = self.session.get(
            f"{CF_API}/zones/{zone_id}/security/events",
            params={"per_page": limit}, timeout=15)
        return resp.json().get("result", []) if resp.status_code == 200 else []

    def get_ddos_settings(self, zone_id: str) -> dict:
        resp = self.session.get(
            f"{CF_API}/zones/{zone_id}/firewall/ddos_protection", timeout=15)
        return resp.json().get("result", {}) if resp.status_code == 200 else {}

    def create_rate_limit_rule(self, zone_id: str, url_pattern: str,
                                threshold: int, period: int) -> dict:
        payload = {
            "match": {"request": {"url_pattern": url_pattern}},
            "threshold": threshold,
            "period": period,
            "action": {"mode": "challenge"},
        }
        resp = self.session.post(
            f"{CF_API}/zones/{zone_id}/rate_limits", json=payload, timeout=15)
        return resp.json().get("result", {})

    def set_security_level(self, zone_id: str, level: str = "high") -> dict:
        resp = self.session.patch(
            f"{CF_API}/zones/{zone_id}/settings/security_level",
            json={"value": level}, timeout=15)
        return resp.json().get("result", {})


def analyze_traffic(analytics: dict) -> dict:
    """Analyze traffic patterns for DDoS indicators."""
    totals = analytics.get("totals", {})
    requests_data = totals.get("requests", {})
    threats = totals.get("threats", {})
    return {
        "total_requests": requests_data.get("all", 0),
        "cached_requests": requests_data.get("cached", 0),
        "threats_blocked": threats.get("all", 0),
        "bandwidth_bytes": totals.get("bandwidth", {}).get("all", 0),
    }


def generate_report(client: CloudflareClient) -> dict:
    """Generate DDoS mitigation posture report."""
    zones = client.list_zones()
    report = {"analysis_date": datetime.utcnow().isoformat(), "zones": []}
    for zone in zones[:10]:
        zid = zone["id"]
        analytics = client.get_zone_analytics(zid)
        traffic = analyze_traffic(analytics)
        events = client.get_firewall_events(zid, 50)
        ddos_settings = client.get_ddos_settings(zid)
        report["zones"].append({
            "name": zone["name"], "id": zid,
            "traffic": traffic,
            "security_events": len(events),
            "ddos_protection": ddos_settings,
        })
    report["summary"] = {
        "zones_assessed": len(report["zones"]),
        "total_threats": sum(z["traffic"]["threats_blocked"] for z in report["zones"]),
    }
    return report


def main():
    parser = argparse.ArgumentParser(description="Cloudflare DDoS Mitigation Agent")
    parser.add_argument("--api-token", required=True, help="Cloudflare API token")
    parser.add_argument("--output-dir", default=".")
    parser.add_argument("--output", default="cloudflare_ddos_report.json")
    args = parser.parse_args()

    os.makedirs(args.output_dir, exist_ok=True)
    client = CloudflareClient(args.api_token)
    report = generate_report(client)
    out_path = os.path.join(args.output_dir, args.output)
    with open(out_path, "w") as f:
        json.dump(report, f, indent=2)
    logger.info("Report saved to %s", out_path)
    print(json.dumps(report["summary"], indent=2))


if __name__ == "__main__":
    main()