author | David Goulet <dgoulet@torproject.org> | 2018-01-25 16:14:40 -0500 |
---|---|---|
committer | David Goulet <dgoulet@torproject.org> | 2018-01-30 09:18:15 -0500 |
commit | 97abb3543b858afd27ed857903814175c1dfbf12 (patch) | |
tree | 42c655269bb1fd4c6e9d881163d9af731e5f032f /src/or/command.c | |
parent | c05272783d0164363023ddd4b3ee93c2e12c8911 (diff) | |
download | tor-97abb3543b858afd27ed857903814175c1dfbf12.tar.gz tor-97abb3543b858afd27ed857903814175c1dfbf12.zip |
dos: Detect circuit creation denial of service
Add a function that notifies the DoS subsystem that a new CREATE cell has
arrived. The statistics are updated accordingly and the IP address can also be
marked as malicious if it is above threshold.
At this commit, no defense is applied, just detection with a circuit creation
token bucket system.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/command.c')
-rw-r--r-- | src/or/command.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/or/command.c b/src/or/command.c index 5866c386e4..d2df55a4be 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -46,6 +46,7 @@ #include "config.h" #include "control.h" #include "cpuworker.h" +#include "dos.h" #include "hibernate.h" #include "nodelist.h" #include "onion.h" @@ -247,6 +248,11 @@ command_process_create_cell(cell_t *cell, channel_t *chan) (unsigned)cell->circ_id, U64_PRINTF_ARG(chan->global_identifier), chan); + /* First thing we do, even though the cell might be invalid, is inform the + * DoS mitigation subsystem layer of this event. Validation is done by this + * function. */ + dos_cc_new_create_cell(chan); + /* We check for the conditions that would make us drop the cell before * we check for the conditions that would make us send a DESTROY back, * since those conditions would make a DESTROY nonsensical. */ |
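Review bot: In the second hunk (command_process_create_cell), the new comment's "Validation is done by this function" is ambiguous, since it can be read as referring either to command_process_create_cell() or to dos_cc_new_create_cell(). The call sits ahead of the drop and DESTROY checks and takes only chan, so the comment should name the callee explicitly, for example "dos_cc_new_create_cell() validates the channel itself", and say that cells rejected by the checks below are counted on purpose. Nothing in this hunk acts on the outcome of the call, which matches the commit message's statement that no defense is applied at this commit; a short remark to that effect in the comment would help a later reader who expects the cell to be dropped here.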