summaryrefslogtreecommitdiff
path: root/src/feature/hs/hs_dos.h
diff options
context:
space:
mode:
authorDavid Goulet <dgoulet@torproject.org>2019-05-29 14:05:16 -0400
committerDavid Goulet <dgoulet@torproject.org>2019-08-06 07:58:14 -0400
commit9f738be8937d675929b43a149d706160641a089d (patch)
tree8a54a82b32bea028f6693f97e359899d3bd43aec /src/feature/hs/hs_dos.h
parent4ee65a6f877e841739f037ad27d2d588ce4e0c51 (diff)
downloadtor-9f738be8937d675929b43a149d706160641a089d.tar.gz
tor-9f738be8937d675929b43a149d706160641a089d.zip
hs: Limit the amount of relayed INTRODUCE2
This commit add the hs_dos.{c|h} file that has the purpose of having the anti-DoS code for onion services. At this commit, it only has one which is a function that decides if an INTRODUCE2 can be sent on the given introduction service circuit (S<->IP) using a simple token bucket. The rate per second is 25 and allowed burst to 200. Basic defenses on #15516. Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/feature/hs/hs_dos.h')
-rw-r--r--src/feature/hs/hs_dos.h44
1 files changed, 44 insertions, 0 deletions
diff --git a/src/feature/hs/hs_dos.h b/src/feature/hs/hs_dos.h
new file mode 100644
index 0000000000..e3a83a1039
--- /dev/null
+++ b/src/feature/hs/hs_dos.h
@@ -0,0 +1,44 @@
+/* Copyright (c) 2019, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file hs_dos.h
+ * \brief Header file containing denial of service defenses for the HS
+ * subsystem for all versions.
+ **/
+
+#ifndef TOR_HS_DOS_H
+#define TOR_HS_DOS_H
+
+#include "core/or/or_circuit_st.h"
+
+#include "lib/evloop/token_bucket.h"
+
+#define HS_DOS_INTRODUCE_CELL_RATE_PER_SEC 25
+#define HS_DOS_INTRODUCE_CELL_BURST_PER_SEC 200
+
+bool hs_dos_can_send_intro2(or_circuit_t *s_intro_circ);
+
+/* Return the INTRODUCE2 cell rate per second. */
+static inline
+uint32_t hs_dos_get_intro2_rate(void)
+{
+ return HS_DOS_INTRODUCE_CELL_RATE_PER_SEC;
+}
+
+/* Return the INTRODUCE2 cell burst per second. */
+static inline
+uint32_t hs_dos_get_intro2_burst(void)
+{
+ return HS_DOS_INTRODUCE_CELL_BURST_PER_SEC;
+}
+
+#ifdef HS_DOS_PRIVATE
+
+#ifdef TOR_UNIT_TESTS
+
+#endif /* define(TOR_UNIT_TESTS) */
+
+#endif /* defined(HS_DOS_PRIVATE) */
+
+#endif /* !defined(TOR_HS_DOS_H) */