path: root/src/or/dos.c
authorDavid Goulet <dgoulet@torproject.org>2018-01-25 16:32:28 -0500
committerDavid Goulet <dgoulet@torproject.org>2018-01-30 09:18:16 -0500
commit36a0ae151f8f85c76b4bd91a8fc2871dd88b6005 (patch)
tree1f141845330e9307b04c37e6e1662ee3e2380ff1 /src/or/dos.c
parentacf7ea77d8d76830924a14145afbcf3c95a06b0e (diff)
downloadtor-36a0ae151f8f85c76b4bd91a8fc2871dd88b6005.tar.gz
tor-36a0ae151f8f85c76b4bd91a8fc2871dd88b6005.zip
dos: Add the DoSRefuseSingleHopClientRendezvous option
This option refuses any ESTABLISH_RENDEZVOUS cell arriving from a client connection. Its default value is "auto", in which case a consensus parameter turns it on or off; that parameter's default value is 0. Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/dos.c')
-rw-r--r--src/or/dos.c31
1 files changed, 31 insertions, 0 deletions
diff --git a/src/or/dos.c b/src/or/dos.c
index 7e3a2ab7f9..d98d3db16a 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -14,6 +14,7 @@
#include "geoip.h"
#include "main.h"
#include "networkstatus.h"
+#include "router.h"
#include "dos.h"
@@ -60,6 +61,9 @@ static uint64_t conn_num_addr_rejected;
* General interface of the denial of service mitigation subsystem.
*/
+/* Keep stats for the heartbeat. */
+static uint64_t num_single_hop_client_refused;
+
/* Return true iff the circuit creation mitigation is enabled. We look at the
* consensus for this else a default value is returned. */
MOCK_IMPL(STATIC unsigned int,
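Review bot: `num_single_hop_client_refused` is introduced with only the comment `Keep stats for the heartbeat.`, but nothing in this diff reads it back; its sole writer is `dos_note_refuse_single_hop_client()` in the `@@ -524,6 +528,33 @@` hunk below. If the heartbeat reporter that consumes it lands in a separate commit, the comment should say so, otherwise the counter is dead state until then. A more useful comment would be `/* Number of ESTABLISH_RENDEZVOUS cells refused from single hop clients. Incremented by dos_note_refuse_single_hop_client(); reported by the heartbeat. */`. The `dos_should_refuse_single_hop_client()` definition in that later hunk runs past the end of what is visible here, so it is not reviewed in this note.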
@@ -524,6 +528,33 @@ dos_conn_addr_get_defense_type(const tor_addr_t *addr)
/* General API */
+/* Note down that we've just refused a single hop client. This increments a
+ * counter later used for the heartbeat. */
+void
+dos_note_refuse_single_hop_client(void)
+{
+ num_single_hop_client_refused++;
+}
+
+/* Return true iff single hop client connection (ESTABLISH_RENDEZVOUS) should
+ * be refused. */
+int
+dos_should_refuse_single_hop_client(void)
+{
+ /* If we aren't a public relay, this shouldn't apply to anything. */
+ if (!public_server_mode(get_options())) {
+ return 0;
+ }
+
+ if (get_options()->DoSRefuseSingleHopClientRendezvous != -1) {
+ return get_options()->DoSRefuseSingleHopClientRendezvous;
+ }
+
+ return (int) networkstatus_get_param(NULL,
+ "DoSRefuseSingleHopClientRendezvous",
+ 0 /* default */, 0, 1);
+}
+
/* Called when a new client connection has been established on the given
* address. */
void