diff options
| author | trinity-1686a <trinity@deuxfleurs.fr> | 2023-09-10 13:13:11 +0200 |
|---|---|---|
| committer | David Goulet <dgoulet@torproject.org> | 2023-10-18 13:06:04 -0400 |
| commit | 1b907d13bb97aba8badcb428623fa13e803b8d92 (patch) | |
| tree | 917b1e63872eed3f91cf12e0a1bc7befebc92e6d /src/core/or/dos.c | |
| parent | 379fb329d91af56db2e2759b160e8fbcb606f78d (diff) | |
| download | tor-1b907d13bb97aba8badcb428623fa13e803b8d92.tar.gz tor-1b907d13bb97aba8badcb428623fa13e803b8d92.zip | |
add rate limit on BEGIN and RESOLVE cell per circuit
Diffstat (limited to 'src/core/or/dos.c')
| -rw-r--r-- | src/core/or/dos.c | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/src/core/or/dos.c b/src/core/or/dos.c index a47738c906..63cac190fd 100644 --- a/src/core/or/dos.c +++ b/src/core/or/dos.c @@ -325,7 +325,8 @@ get_param_stream_defense_type(const networkstatus_t *ns) } return networkstatus_get_param(ns, "DoSStreamCreationDefenseType", DOS_STREAM_DEFENSE_TYPE_DEFAULT, - DOS_STREAM_DEFENSE_NONE, DOS_STREAM_DEFENSE_MAX); + DOS_STREAM_DEFENSE_NONE, + DOS_STREAM_DEFENSE_MAX); } /* Set circuit creation parameters located in the consensus or their default @@ -836,6 +837,41 @@ dos_conn_addr_get_defense_type(const tor_addr_t *addr) return DOS_CONN_DEFENSE_NONE; } +/* Stream creation public API. */ + +/* Return the action to take against a BEGIN or RESOLVE cell. Return + * DOS_STREAM_DEFENSE_NONE when no action should be taken. + * Increment the appropriate counter when the cell was found to go over a + * limit. */ +dos_stream_defense_type_t +dos_stream_new_begin_or_resolve_cell(or_circuit_t *circ) +{ + if (!dos_stream_enabled || circ == NULL) + return DOS_STREAM_DEFENSE_NONE; + + token_bucket_ctr_refill(&circ->stream_limiter, + (uint32_t) monotime_coarse_absolute_sec()); + + if (token_bucket_ctr_get(&circ->stream_limiter) > 0) { + token_bucket_ctr_dec(&circ->stream_limiter, 1); + return DOS_STREAM_DEFENSE_NONE; + } + /* if defense type is DOS_STREAM_DEFENSE_NONE but DoSStreamEnabled is true, + * we count offending cells as rejected, despite them being actually + * accepted. */ + ++stream_num_rejected; + return dos_stream_defense_type; +} + +/* Initialize the token bucket for stream rate limit on a circuit. */ +void +dos_stream_init_circ_tbf(or_circuit_t *circ) +{ + token_bucket_ctr_init(&circ->stream_limiter, dos_stream_rate, + dos_stream_burst, + (uint32_t) monotime_coarse_absolute_sec()); +} + /* General API */ /* Take any appropriate actions for the given geoip entry that is about to get |