authorDavid Goulet <dgoulet@torproject.org>2018-01-25 16:14:40 -0500
committerDavid Goulet <dgoulet@torproject.org>2018-01-30 09:18:15 -0500
commit97abb3543b858afd27ed857903814175c1dfbf12 (patch)
tree42c655269bb1fd4c6e9d881163d9af731e5f032f /src/or/command.c
parentc05272783d0164363023ddd4b3ee93c2e12c8911 (diff)
dos: Detect circuit creation denial of service
Add a function that notifies the DoS subsystem that a new CREATE cell has arrived. The statistics are updated accordingly and the IP address can also be marked as malicious if it is above threshold. At this commit, no defense is applied, just detection with a circuit creation token bucket system. Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/command.c')
-rw-r--r--src/or/command.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/or/command.c b/src/or/command.c
index 5866c386e4..d2df55a4be 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -46,6 +46,7 @@
#include "config.h"
#include "control.h"
#include "cpuworker.h"
+#include "dos.h"
#include "hibernate.h"
#include "nodelist.h"
#include "onion.h"
@@ -247,6 +248,11 @@ command_process_create_cell(cell_t *cell, channel_t *chan)
(unsigned)cell->circ_id,
U64_PRINTF_ARG(chan->global_identifier), chan);
+ /* First thing we do, even though the cell might be invalid, is inform the
+ * DoS mitigation subsystem layer of this event. Validation is done by this
+ * function. */
+ dos_cc_new_create_cell(chan);
+
/* We check for the conditions that would make us drop the cell before
* we check for the conditions that would make us send a DESTROY back,
* since those conditions would make a DESTROY nonsensical. */
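Review bot: The comment added above `dos_cc_new_create_cell(chan)` ends with "Validation is done by this function", which does not say which function is meant or what is validated. The call receives only `chan`, so it cannot be inspecting the cell. Presumably the DoS function decides for itself whether this channel is subject to accounting, but dos.c is not part of this limited diff, so that should be confirmed. The call sits ahead of the drop/DESTROY checks, so cells that are later rejected are still counted; that looks intentional for detection, and the comment should state it so a later refactor does not move the call below the early returns. I would reword the last sentence to something like `* Cells we drop below are counted too; dos_cc_new_create_cell() itself decides whether chan is accounted. */`. The body of command_process_create_cell starts and ends outside this hunk.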