author | David Goulet <dgoulet@torproject.org> | 2019-05-29 14:05:16 -0400 |
---|---|---|
committer | David Goulet <dgoulet@torproject.org> | 2019-08-06 07:58:14 -0400 |
commit | 9f738be8937d675929b43a149d706160641a089d (patch) | |
tree | 8a54a82b32bea028f6693f97e359899d3bd43aec /src/core | |
parent | 4ee65a6f877e841739f037ad27d2d588ce4e0c51 (diff) | |
hs: Limit the amount of relayed INTRODUCE2
This commit adds the hs_dos.{c|h} files, which hold the anti-DoS code for
onion services.
As of this commit, they contain only one function, which decides whether an
INTRODUCE2 can be sent on the given introduction service circuit (S<->IP)
using a simple token bucket.
The rate per second is 25 and allowed burst to 200.
Basic defenses on #15516.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/include.am | 2 | ||||
-rw-r--r-- | src/core/or/or_circuit_st.h | 7 |
2 files changed, 9 insertions, 0 deletions
diff --git a/src/core/include.am b/src/core/include.am
index 1a4b9fb8ab..ee275f172c 100644
--- a/src/core/include.am
+++ b/src/core/include.am
@@ -117,6 +117,7 @@ LIBTOR_APP_A_SOURCES = \
 	src/feature/hs/hs_config.c \
 	src/feature/hs/hs_control.c \
 	src/feature/hs/hs_descriptor.c \
+	src/feature/hs/hs_dos.c \
 	src/feature/hs/hs_ident.c \
 	src/feature/hs/hs_intropoint.c \
 	src/feature/hs/hs_service.c \
@@ -374,6 +375,7 @@ noinst_HEADERS += \
 	src/feature/hs/hs_config.h \
 	src/feature/hs/hs_control.h \
 	src/feature/hs/hs_descriptor.h \
+	src/feature/hs/hs_dos.h \
 	src/feature/hs/hs_ident.h \
 	src/feature/hs/hs_intropoint.h \
 	src/feature/hs/hs_service.h \
diff --git a/src/core/or/or_circuit_st.h b/src/core/or/or_circuit_st.h
index 6789668224..8f319585a6 100644
--- a/src/core/or/or_circuit_st.h
+++ b/src/core/or/or_circuit_st.h
@@ -12,6 +12,8 @@
 #include "core/or/circuit_st.h"
 #include "core/or/crypt_path_st.h"
+#include "lib/evloop/token_bucket.h"
+
 
 struct onion_queue_t;
 
 /** An or_circuit_t holds information needed to implement a circuit at an
@@ -69,6 +71,11 @@ struct or_circuit_t {
    * exit-ward queues of this circuit; reset every time when writing
    * buffer stats to disk. */
   uint64_t total_cell_waiting_time;
+
+  /** INTRODUCE2 cell bucket controlling how much can go on this circuit. Only
+   * used if this is a service introduction circuit at the intro point
+   * (purpose = CIRCUIT_PURPOSE_INTRO_POINT). */
+  token_bucket_ctr_t introduce2_bucket;
 };
 
 #endif /* !defined(OR_CIRCUIT_ST_H) */
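Review bot: The new `introduce2_bucket` member in or_circuit_st.h is declared but nothing in this diff initializes it, and because the bucket is embedded by value in every or_circuit_t, the initialization presumably lives in the circuit setup path outside src/core — worth confirming, since a bucket that is never given its rate and burst will not enforce the 25/s and 200-burst limits the description promises. The doc comment should say where the bucket is initialized and which module owns the parameters, e.g. append `See hs_dos for the rate/burst values and where this bucket is initialized.` to the field comment. It is also worth one sentence noting that the field is present on every or_circuit_t regardless of purpose, so the memory cost is paid per relayed circuit, not only on intro-point circuits. The `struct or_circuit_t` definition starts outside the hunk.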