authorDavid Goulet <dgoulet@torproject.org>2018-02-09 11:11:41 -0500
committerDavid Goulet <dgoulet@torproject.org>2018-02-09 11:13:04 -0500
commit666582a679cdfb2d69620db6aadf55a57d430e23 (patch)
treefc1e9d37cc0fc620e091f4b72bc4a276c47561c2
parent112638921b479f09bb473952c1870b27a0867971 (diff)
downloadtor-666582a679cdfb2d69620db6aadf55a57d430e23.tar.gz
tor-666582a679cdfb2d69620db6aadf55a57d430e23.zip
dos: Exclude known relays from client connection count
This is to avoid positively identifying Exit relays when a tor client connection that is reentering the network comes from them. One thing to note is that this is done only in the DoS subsystem; we'll still add the address to the geoip cache as a "client" seen. It is done this way to avoid, as much as possible, changing the current behavior of the geoip client cache, since this is being backported. Closes #25193 Signed-off-by: David Goulet <dgoulet@torproject.org>
-rw-r--r--src/or/dos.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/or/dos.c b/src/or/dos.c
index 88f1351a3f..9e8a7a9abe 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -14,6 +14,7 @@
#include "geoip.h"
#include "main.h"
#include "networkstatus.h"
+#include "nodelist.h"
#include "router.h"
#include "dos.h"
@@ -664,6 +665,14 @@ dos_new_client_conn(or_connection_t *or_conn)
goto end;
}
+ /* We ignore any known address meaning an address of a known relay. The
+ * reason to do so is because network reentry is possible where a client
+ * connection comes from an Exit node. Even when we'll fix reentry, this is
+ * a robust defense to keep in place. */
+ if (nodelist_probably_contains_address(&or_conn->real_addr)) {
+ goto end;
+ }
+
/* We are only interested in client connection from the geoip cache. */
entry = geoip_lookup_client(&or_conn->real_addr, NULL,
GEOIP_CLIENT_CONNECT);
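Review bot: The comment above the new `nodelist_probably_contains_address(&or_conn->real_addr)` check does not state the trade-off it accepts: the exemption is keyed on the address alone, so every connection from an address that matches a known relay skips the DoS connection counting, including a client that merely shares that address. The "probably" in the helper's name also suggests an approximate lookup, so a false match could presumably exempt an unrelated client address; that should be confirmed against nodelist.c and written down here. I would extend the comment with something like `Note: this exempts all connections from a known relay's address from the DoS counters, and the lookup may be approximate; the geoip client cache still records the address.` The last point is stated only in the commit message today and is worth having next to the code. The body of dos_new_client_conn() starts and ends outside this hunk, so the handling at `end:` is not visible here.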